Twitter switched 5,500 employees to physical security keys in three months

Twitter transitioned 5,500 employees to using physical security keys in less than three months. The company says it has moved away from legacy two-factor authentication internally after a major hack last year.

Twitter describes in a blog post how it undertook the operation. That process began in June and was completed in October. Within Twitter, employees used several types of two-factor authentication, including via SMS. The latter is generally less secure than 2fa via a one-time password or a physical key.

The company describes how it chose to provide all employees with a YubiKey 5 NFC. This required collaboration with maker Yubico to distribute the keys worldwide. Subsequently, WebAuthn had to be enabled on all internal systems without this being immediately mandatory. Later, employees were individually guided in setting up the systems. It was then communicated that all employees had to switch within a month, which, according to Twitter, was 90 percent successful.

Twitter says it has mainly had to learn to give a lot of support from systems management. The company also says that devices with built-in WebAuthn protocols such as Apple with FaceID and Windows with Hello are essential for everyday use. The main hurdles to overcome in the future, the company said, are the lack of WebAuthn support in embedded browsers on single sign-on models, and the rotation of security keys.

The operation was carried out after Twitter was hacked in the summer of last year. Attackers managed to get in through an employee account, then placed crypto scams on prominent users’ accounts. Twitter has made two-step verification with physical security keys possible for some time, although adoption is still very low with about three percent of users.