The company moved all of its employees from legacy 2FA using SMS or authentication apps to security keys in less than three months.
“Over the past year, we have accelerated efforts to increase the use of security keys to prevent phishing attacks,” the company said. “We have also implemented security keys internally across our workforce. This is to help prevent security incidents like the one we experienced last year.”
After the July 2020 hack, Twitter revealed that the attackers took control of dozens of high-profile accounts after stealing Twitter employee data by phone on July 15, 2020.
The attack on July 15, 2020, targeted a small number of employees through a phone spear phishing attack. This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems.
— Twitter Support (@TwitterSupport) July 31, 2020
Graham Clark, a 17-year-old who pleaded guilty to fraud charges after orchestrating the hack, sold access to those accounts.
He later used the trusted accounts of companies, politicians, CEOs and celebrities on the platform to run a cryptocurrency scam.
He was arrested after a joint operation coordinated by the FBI, the IRS and the Secret Service.
The platform has continued to upgrade and improve its 2FA support over the past few years, with a clear focus on security keys as the primary 2FA method.
It added security keys for the first time as one of several methods for 2FA on the web in 2018.
Two years later, in December 2020, it added support for using them when logging into the mobile apps on accounts that support 2FA.
Twitter is trying to avoid a previous hack
Security key support was later upgraded to the WebAuthn standard, which provides secure web-based authentication and makes it possible to use 2FA without a phone number.
In 2021, the platform added support for using multiple security keys across accounts that support 2FA.
As of July, security keys can be used as the only 2FA method with all other login methods disabled.
However, despite all its efforts, the company revealed a low adoption rate of 2FA: 2.3 percent of all active platform accounts had at least one two-factor authentication method enabled between July and December 2020.
Moreover, among the 2.3 percent of all users who had enabled 2FA during this reporting period, 79.6 percent used an SMS-based app, 30.9 percent applied MFA, and 0.5 percent used a security key.
Although some high-profile Twitter accounts were successfully hijacked last year despite having 2FA enabled, after attackers gained access to Twitter’s internal management systems, you should still switch to 2FA to protect against less complex hacking attempts using phishing or SIM swapping.