Twitter is planning a future update that will allow accounts enabled with two-factor authentication to use security keys as the only authentication method, the company said on Monday. At present, you can use a security key to sign in to your Twitter account, but you need to have another 2FA method — like an authenticator app or SMS codes — enabled as backup.
While authentication apps like Google Authenticator or Authy are more secure than using SMS codes for 2FA, security keys — physical keys that connect to your computer using USB or Bluetooth — are the most secure way to protect an account online. Users don’t have to type in a code that could be intercepted by a malicious third party.
You connect the key, your browser issues a challenge, then the key cryptographically signs the challenge and verifies your identity. Another benefit of using a security key: users don’t have to give Twitter any additional personal information, such as a telephone number, to be able to log in to their accounts.
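The challenge-and-signature exchange described above can be sketched in code. This is an added example, not Twitter's code and not the real WebAuthn wire format: the `Account` class, `makeSecurityKey` helper and `example.test` origin are hypothetical, and signing over the origin is a simplification of how browsers bind a key's response to the site that asked for it.

```javascript
const crypto = require('node:crypto');

// Constructed stand-in for a hardware key: the private key never leaves this closure.
function makeSecurityKey() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    publicKey,
    // Sign the challenge together with the origin the browser reports.
    sign: (challenge, origin) =>
      crypto.sign('sha256', Buffer.concat([Buffer.from(origin), challenge]), privateKey),
  };
}

// Hypothetical server side: stores only public keys, and may hold several per account.
class Account {
  constructor(origin) {
    this.origin = origin;
    this.enrolledKeys = [];
    this.pending = null;
  }
  enroll(publicKey) { this.enrolledKeys.push(publicKey); }
  issueChallenge() {
    this.pending = crypto.randomBytes(32); // fresh random value for every login
    return this.pending;
  }
  verify(signature) {
    if (!this.pending) return false; // no outstanding challenge, or it was already used
    const signed = Buffer.concat([Buffer.from(this.origin), this.pending]);
    this.pending = null; // each challenge is accepted at most once
    return this.enrolledKeys.some((pk) => crypto.verify('sha256', signed, pk, signature));
  }
}

// Runs one login per case and reports which ones the server accepts.
function demo() {
  const site = 'https://example.test';
  const account = new Account(site);
  const keyA = makeSecurityKey(), keyB = makeSecurityKey(), stranger = makeSecurityKey();
  account.enroll(keyA.publicKey);
  account.enroll(keyB.publicKey);
  const sig1 = keyA.sign(account.issueChallenge(), site);
  const results = { firstKey: account.verify(sig1) };
  results.replayed = account.verify(sig1); // challenge already consumed
  account.issueChallenge();
  results.staleSignature = account.verify(sig1); // old signature, new challenge
  results.secondKey = account.verify(keyB.sign(account.issueChallenge(), site));
  results.unenrolledKey = account.verify(stranger.sign(account.issueChallenge(), site));
  results.lookalikeOrigin = account.verify(keyA.sign(account.issueChallenge(), 'https://examp1e.test'));
  return results;
}
```

Only the two enrolled keys answering a fresh challenge for the right origin are accepted; a captured signature is useless afterwards, which is the property typed codes lack.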
Secure your account (and that alt) with multiple security keys. Now you can enroll and log in with more than one physical key on both mobile and web.
And coming soon: the option to add and use security keys as your only authentication method, without any other methods turned on.
— Twitter Support (@TwitterSupport) March 15, 2021
Twitter also said Monday it will allow multiple security keys on a single account; until today, it only allowed one key per account, in addition to the other 2FA methods. In December, Twitter announced it was adding support for security keys for 2FA-enabled accounts when users log in to its mobile apps.
A Twitter spokesperson said Monday there wasn’t a timeline for when security key-only 2FA would take effect.