Following the 2020 Hack, Twitter Now Requires Security Keys for Its Employees
The Enterprise Rolled Out Security Keys for Its Workforce.
In response to last year's Twitter hack, the American social networking service made multi-factor authentication (MFA) mandatory and rolled out security keys to all of its employees.
Rolling Out Twitter Security Keys
Nick Fohs, Senior IT Product Manager at Twitter, and Nupur Gholap, Senior Security Engineer, said in a report published on Wednesday, October 27, that the company had migrated its entire workforce from legacy 2FA to security keys in less than three months.
Over the past year, we’ve accelerated efforts to increase the use of security keys to prevent phishing attacks. (…) We’ve also implemented security keys internally across our workforce to help prevent security incidents like the one Twitter suffered last year.
What Efforts Has Twitter Made Around 2FA and Security Keys Over Time?
Over the years, Twitter has steadily shifted its focus toward two-factor authentication and security keys.
According to BleepingComputer, here is an overview of the security measures Twitter has implemented:
- In 2018, Twitter added security keys as one of several 2FA methods on the web, and extended support for them in 2020, two years later.
- The company then upgraded its security key support to the WebAuthn standard, which enables secure web authentication and lets users turn on 2FA without providing a phone number.
- In 2021, the company added support for multiple security keys on 2FA-enabled accounts.
- As we also wrote in July, users can now disable all other 2FA methods and rely on security keys as their sole 2FA method.
- The one weak spot is the low rate of 2FA adoption among users: according to statistics covering July to December 2020, only 2.3% of active Twitter accounts had at least one 2FA method enabled.
- In the same period, of the users who did enable 2FA, just 5% used a security key.
Security keys use the FIDO and WebAuthn security standards to provide phishing-resistant two-factor authentication (2FA). Security keys can differentiate legitimate sites from malicious ones and block phishing attempts that SMS 2FA or one-time password (OTP) verification codes would not. To deploy security keys internally at Twitter, we migrated from a variety of phishable 2FA methods to using security keys as our only supported 2FA method on internal systems.
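The origin check the quoted passage relies on, as an added example that is not taken from the article or from Twitter's systems: the relying party id, origins and credential key are assumptions, and an HMAC key stands in for the security key's ECDSA keypair so the block runs with the standard library alone.

```python
import hashlib
import hmac
import json

# Added example, not code from the article or from Twitter: the relying-party
# (RP) verification that makes FIDO/WebAuthn phishing resistant. The security
# key's ECDSA keypair is stood in for by an HMAC key (standard library only).

RP_ID = "example.com"                    # assumed relying party id
RP_ORIGIN = "https://login.example.com"  # assumed legitimate login origin

def authenticator_sign(cred_key: bytes, client_data: dict) -> dict:
    """Browser + security key side: the browser records the origin it actually
    observed in clientDataJSON; the key signs authenticatorData || SHA256(cdJSON)."""
    cd_json = json.dumps(client_data, sort_keys=True).encode()
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01"  # rpIdHash || flags
    to_sign = auth_data + hashlib.sha256(cd_json).digest()
    return {"clientDataJSON": cd_json, "authenticatorData": auth_data,
            "signature": hmac.new(cred_key, to_sign, hashlib.sha256).digest()}

def rp_verify(cred_key: bytes, expected_challenge: str, assertion: dict) -> bool:
    """RP side, in WebAuthn order: type, challenge, origin, rpIdHash, signature."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False
    if not hmac.compare_digest(cd.get("challenge", ""), expected_challenge):
        return False  # stale or replayed assertion
    if cd.get("origin") != RP_ORIGIN:
        return False  # the origin check that SMS/OTP codes have no equivalent of
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    to_sign = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(cred_key, to_sign, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])

def login_attempt(observed_origin: str) -> bool:
    """Simulate one login where the user's browser is on `observed_origin`."""
    cred_key = b"constructed-credential-key"    # constructed, per registered credential
    challenge = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"  # constructed; RPs use fresh random bytes
    assertion = authenticator_sign(cred_key, {"type": "webauthn.get",
                                              "challenge": challenge,
                                              "origin": observed_origin})
    return rp_verify(cred_key, challenge, assertion)

def otp_verify(expected_code: str, submitted_code: str) -> bool:
    """Contrast: an OTP carries nothing about where it was typed, so a code
    relayed from a lookalike page verifies exactly like a genuine one."""
    return hmac.compare_digest(expected_code, submitted_code)
```

A lookalike origin produces a perfectly valid signature over its own origin, and the relying party still rejects it, which is the property the OTP check lacks.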
What Happened Last Year?
In 2020, Twitter was hacked: threat actors stole employees' credentials through a phone spear-phishing attack, which allowed them to take control of many high-profile accounts.
According to The New York Times, Graham Clark pleaded guilty to the hacking operation, in which he spread a cryptocurrency scam from the accounts of companies, politicians, executives, and celebrities. He was arrested following a joint operation.