WebAuthn: The future of device based 2FA at Twitter

By Brian Wong

We are always looking for ways to deliver a more secure login experience for the people who use Twitter. That is why we have long invested in offering a set of two-factor authentication (2FA) methods to increase the safety of accounts on Twitter. Among our 2FA options, security keys stand out as one of the strongest because of their low friction and phishing-resistant properties. Although Twitter has supported security key-based 2FA for almost a year now, the prevailing standard (FIDO U2F) was supported by only a limited number of browsers and authenticators, restricting the potential for widespread adoption. As of today, we are replacing it with the FIDO2 WebAuthn protocol, which is supported by more browsers and authenticators while retaining all of the phishing-resistant properties that security key-based 2FA provides.

What is WebAuthn?

WebAuthn is a web authentication standard approved by the World Wide Web Consortium (W3C) that has been adopted by other tech industry leaders. The WebAuthn API allows for strong browser-to-hardware authentication using devices such as security keys, mobile phones (NFC, BLE), and built-in authenticators such as Touch ID. Under the hood, WebAuthn authenticates users by exchanging credentials based on public-key cryptography. Given these benefits, WebAuthn is supported by most modern browsers, including Chrome, Edge and Firefox, and enjoys better coverage than the former U2F standard.

What does this change mean for people who use 2FA on Twitter?

This change provides an up-to-date and secure authentication standard for security key 2FA, with support for more browsers and authenticators coming in the future. WebAuthn is enabled by default, and registering your security key follows the same process as before. As of today, Twitter supports only physical security key authenticators with WebAuthn; we expect to add support for other options in the future. For instructions on how to enroll, see the help center article.

Resources

Web Authentication Spec by W3C

Web Authentication API Web Docs by Mozilla

Enabling Strong Authentication with WebAuthn by Google

Brian Wong

@bwongg_

Software Engineer