Twitter, 2FA and WebAuthn

TL;DR: go and enable 2FA on Twitter today, with either a security key or an authenticator app!

Twitter has had 2FA for a while - both via SMS and via an authenticator app such as Google Authenticator or Authy. The difference today is that until now you had to keep SMS 2FA enabled in order to use the app, and SMS isn't the best kind of 2FA in the world - meaning an attacker who could get past your SMS 2FA (via a SIM swap, for example) could still take control of your account, however strong your other second factor was.

For me, 2FA of any kind was better than nothing at all - an attacker would have to do quite a bit of work to get past your SMS auth, so the extra layer of security was worth having whether it was SMS or not. As of last week you can use a new form of 2FA that is built on a web standard, WebAuthn. That means you can now use a hardware security key instead of an authenticator app too.

You can choose which forms you want turned on: all three, only two like I have, or only a hardware key if you don't trust that your phone won't get lost (if you're using Google Authenticator) or that your Authy account won't get compromised.

While I firmly believe that a hardware security key is indeed best, there are still scenarios where I can't use mine, and I believe my Authy account is well enough protected thanks to password managers (which are in turn protected by my security key). Hardware security keys also cost money. One thing I don't understand is that if Twitter are using WebAuthn, why are they only letting me use my hardware security key and not the fingerprint reader on my phone or my MacBook Pro, which WebAuthn allows for as a platform authenticator? Maybe because I'd need to register a separate credential for each device and they haven't allowed for multiple keys yet? It would be a brilliant way for everyone to suddenly get the strongest form of 2FA - yourself - your face, your fingerprint etc. (Strictly speaking, the fingerprint or face never leaves the device; it unlocks a private key stored in that device's secure hardware, and it is that key that signs the login challenge - which is exactly why a site would need one registered credential per device.)

Well done Twitter for joining the likes of GitHub and Dropbox in implementing WebAuthn.

You can buy a hardware key from Yubico with USB-A, USB-C, NFC or Lightning connectors, or from Google's store, which has a discount on Titan security keys at the date of publication. However, do know there are differences between the devices and what they support; if you want something that will work with everything, get the Yubico one - it's $50, but it'll save you a tonne of hurt in the future.