Social Networks

Twitter gets physical – with support for hardware security keys

Twitter has given millions of users a way of making their accounts even harder to hack, with the introduction of support for physical keys.

Most Twitter users protect their accounts in the traditional way: username and password. As with any other internet account, such security is vulnerable to a number of threats including phishing or a user unwisely choosing the same password that they use elsewhere on the internet.

This is the primary reason that so many Twitter accounts have been compromised by hackers over the years.

High profile victims have included FC Barcelona, CNN, Burger King, Google CEO Sundar Pichai, Wikipedia’s Jimmy Wales, and Mark Zuckerberg.

One of the most notorious hijackings of a Twitter account occurred in 2013, when the Syrian Electronic Army managed to gain control of Associated Press’s Twitter account and posted a message saying that there had been an explosion at the White House and Barack Obama had been injured.

That bogus report knocked 61 billion dollars (briefly) off the Dow Jones Index.

If you’re sensible you have taken better steps than just a password to protect your Twitter account, and enabled two-step verification in the form of “Login Verification”. That adds an extra hurdle to the login process by asking for a code generated by a third-party app such as Google Authenticator and Authy to be be entered.

For most people, this level of protection is probably enough.

But what if you want to go even further, and wish to ensure an even high level of physical security to your Twitter account?

If that’s you then you’ll be interested to read news buried inside a blog post detailing Twitter’s latest steps to combat spam and abuse on the site.

Twitter has revealed that you can now use a physical USB security key which supports the universal two-factor (U2F) standard when signing in for login verification.

The small keyfobs require the logging-in user to physically press a button to confirm the identity, and because it will only work on the real Twitter website it provides a high level of protection against phishing sites.

Other websites which support FIDO U2F hardware keys – which are the same size and shape as a typical USB thumb drive – include Google, Facebook, Dropbox, GitHub, and SalesForce.

The security solution isn’t, of course, appropriate for all Twitter accounts. For instance, if you have a Twitter account which is shared by multiple users then you’ll face an obvious challenge ensuring that they all have access to the same physical security key.

All the same, it’s good to see Twitter’s security infrastructure continuing to mature, and methods being provided to better protect those accounts which might be considered most at risk.

You can find more details on how to set up your Twitter account so it requires security key verification on Twitter’s website.

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

Add Comment

Click here to post a comment