Twitter doesn't even allow you to use a security key if you don't have app-based 2FA. If you disable app-based 2FA, it disables your security key. They've historically pushed people to use SMS 2FA with TOTP as an additional step. They used to treat TOTP as they do security keys.
Compare to how companies like Google or even Blizzard have deployed and promoted 2FA. Blizzard gives their users in-game incentives to enable it. Twitter has a mobile app and could make it act as a security key via the hardware keystore. No need for users to buy new hardware.
I use 2FA across a ton of sites and only a few like Google and OVH allow you to only use security keys. Google are the only ones allowing you to use the phone's TEE/HSM as a security key. Standard feature available to any app without any special privileges. Why not use it?
Every modern Android phone and iPhone has a secure element and/or TEE with the necessary algorithms and physical confirmation support. Anyone with recent smartphones owns security keys already. A lot of people have multiple phones around usable as backup security keys too.