Twitter employees required to use security keys after 2020 hack

Twitter employees required to use security keys after 2020 hack

Twitter rolled out security keys to its entire workforce and made two-factor authentication (2FA) mandatory for accessing internal systems following last year’s hack.

The company migrated all of its employees from legacy 2FA using SMS or authenticator apps to security keys in less than three months, according to Twitter’s Senior IT Product Manager Nick Fohs and Senior Security Engineer Nupur Gholap.

“Over the past year, we’ve accelerated efforts to increase the use of security keys to prevent phishing attacks,” they said.

“We’ve also implemented security keys internally across our workforce to help prevent security incidents like the one Twitter suffered last year.”

After the July 2020 hack, Twitter revealed that the attackers took control of dozens of high-profile accounts after stealing Twitter employees’ credentials following a phone spear-phishing attack on July 15, 2020.

Graham Clark, the 17-year-old who pleaded guilty to fraud charges after coordinating the hack, sold access to those accounts and, later, used verified Twitter accounts of companies, politicians, executives, and celebrities he took over to run a cryptocurrency scam.

He was arrested following a joint operation coordinated by the FBI, the IRS, and the Secret Service (court documents here).

Security keys and 2FA on Twitter

Twitter continuously upgraded and improved the platform’s 2FA support throughout the last few years, with a clear focus on security keys as the primary 2FA method.

It first added security keys as one of several 2FA methods on the web in 2018 and included support for using them by 2FA-enabled accounts when logging into mobile apps two years later, in December 2020.

Support for security key was later upgraded to the WebAuthn standard, which delivers secure authentication over the web and makes it possible to use 2FA without a phone number.

In 2021, Twitter added support for using multiple…