Conversation

In our Infosec circle we hear people talk about multi-factor authentication as if it's obvious but the reality is very different. Twitter released their numbers -- only *2.3%* of Twitter users had any MFA method enabled during this reporting period. transparency.twitter.com/en/reports/acc

491

945

Replying to

and

Twitter doesn't even allow you to use a security key if you don't have app-based 2FA. If you disable app-based 2FA, it disables your security key. They've historically pushed people to use SMS 2FA with TOTP as an additional step. They used to treat TOTP as they do security keys.

12:58 AM · Jul 22, 2021Twitter Web App

Replying to

and

Compare to how companies like Google or even Blizzard have deployed and promoted 2FA. Blizzard gives their users in-game incentives to enable it. Twitter has a mobile app and could make it act as a security key via the hardware keystore. No need for users to buy new hardware.

Replying to

and

Their choice to force users to buy specialized hardware to use security keys and to disallow using keys without enabling SMS or TOTP. Needing to input a code is a terrible user experience. It's less convenient in addition to being far less secure. SMS has availability issues too.

Show replies

Replying to

and

They do now; I have security key only 2FA on some accounts. They also finally allow registering more than one.