Twitter Rolls Out FIDO Security Keys for All Employees

Twitter has a fascinating blog post describing transitioning all of their employees to YubiKey FIDO hardware keys for multi-factor authentication for internal systems. This is especially interesting because Twitter deprecated other 2FA systems for employees–the YubiKey devices are the only valid 2FA method deployed by the company.

Flipping the Switch. Our final step was to disable legacy 2FA methods and mandate the use of security keys across our internal systems. We set a cutover date, which was shared with the entire company a month in advance. We reached ~90% security key enrollment by the deadline and were able to hit 100% within a month of cutting over, as folks returned from vacation or leave.

Twitter also has some good observations about ways the current security key experience can be improved.

– Key Rotation/Replacement. Today, replacing a security key is a significant usability challenge, requiring users to keep track of every service they’ve registered a security key with and individually visit each service, remove the old key, and add the new key. At Twitter, we issued all employees two keys to start, one primary and one backup. This ensures a fallback option in the event that the primary key is lost. We also used SSO to minimize the number of systems on which a user needs to register their keys. But we wish there were better ways to help users add and remove security keys across services. While there are efforts underway to simplify registering backup security keys, it’s still difficult for users to track where they have registered a specific security key or to replace keys when necessary. This remains an open challenge.

– Security Key UX. The usability of WebAuthn interfaces is key to their wider adoption. Services that support security keys should provide basic features like the ability to rename keys to make it easier for users to differentiate them. We’ve also found it helpful when platforms allow users to specify their default 2FA method so that users don’t have to click around to use their security key on each login.

Few Twitter Users Enable 2FA; Those Who Do Overwhelmingly Stop at SMS

Twitter recently released a transparency report about its users’ adoption of two-factor authentication, and the report wasn’t exactly encouraging. Only 2.3 percent of Twitter accounts had at least one 2FA method enabled, and of those, 79.6 percent had SMS enabled, 30.9 percent had a TOTP application enabled, and 0.5 percent had a security key enabled.

Twitter can’t do much about its users’ apparent lack of interest in enabling 2FA, but it only has itself to blame for the fact that so many 2FA users rely on SMS.

The last time I created a new Twitter account for a specific project I was working on, one of the first things I wanted to do was enable 2FA.

However, it was impossible to enable 2FA without first enabling SMS 2FA. I have no interest in using SMS as a 2FA method, but Twitter insisted I do so anyway.

I suspect that Twitter did this so it could collect my phone number. I cannot imagine any other reason it would not simply let me set up a TOTP app for 2FA out of the gate.

Instead, I had to enable SMS 2FA and confirm that. Then, I was able to add my TOTP application to the account. Finally, I went in and removed the SMS 2FA from the account.

That was a ridiculous number of hoops to jump through, and an all too common 2FA onboarding process across many systems.

Fortunately, Twitter seems to have abandoned that practice, but it is ridiculous that anyone ever thought it was an acceptable practice in the first place.