Twitter has a fascinating blog post describing transitioning all of their employees to YubiKey FIDO hardware keys for multi-factor authentication for internal systems. This is especially interesting because Twitter deprecated other 2FA systems for employees–the YubiKey devices are the only valid 2FA method deployed by the company.
Flipping the Switch. Our final step was to disable legacy 2FA methods and mandate the use of security keys across our internal systems. We set a cutover date, which was shared with the entire company a month in advance. We reached ~90% security key enrollment by the deadline and were able to hit 100% within a month of cutting over, as folks returned from vacation or leave.
Twitter also has some good observations about ways the current security key experience can be improved.
– Key Rotation/Replacement. Today, replacing a security key is a significant usability challenge, requiring users to keep track of every service they’ve registered a security key with and individually visit each service, remove the old key, and add the new key. At Twitter, we issued all employees two keys to start, one primary and one backup. This ensures a fallback option in the event that the primary key is lost. We also used SSO to minimize the number of systems on which a user needs to register their keys. But we wish there were better ways to help users add and remove security keys across services. While there are efforts underway to simplify registering backup security keys, it’s still difficult for users to track where they have registered a specific security key or to replace keys when necessary. This remains an open challenge.
– Security Key UX. The usability of WebAuthn interfaces is key to their wider adoption. Services that support security keys should provide basic features like the ability to rename keys to make it easier for users to differentiate them. We’ve also found it helpful when platforms allow users to specify their default 2FA method so that users don’t have to click around to use their security key on each login.