Following a high-profile breach in 2020, Twitter is making multifactor authentication mandatory for its own employees. According to a blog post on Twitter’s official page, every Twitter employee is now required to use a hardware security key, with the company deploying a combination of YubiKey 5 NFC and 5C NFC keys. These particular keys were selected because they work over USB on laptops and over NFC on Android and iOS devices.
The keys were distributed to 5,500 employees worldwide through Yubico’s Enterprise Subscription and Delivery services. Additionally, Twitter had to adjust its internal network so that employees could use the SSO (single sign-on) system with their keys. In all, according to the post, the rollout took roughly three months. Of interest in the post, at least from the cybersecurity angle, is the set of weak spots Twitter found during the security key implementation.
Arguably the most intriguing of these findings appears in the following excerpt from Twitter’s post:
While we’ve seen progress in systems adding support for security keys over the past several years, there are still systems where security keys do not work well. Desktop applications, for example, often leverage embedded web browsers to load web-based SSO login screens. Unfortunately, many of these embedded browser solutions lack support for the WebAuthn protocol, making it impossible to use security keys in these situations. Ideally, desktop applications would simply leverage the default system browser, all of which support security keys, for SSO login flows. This has additional benefits like ensuring password managers and existing SSO sessions can be leveraged as well.
This statement as well is worth highlighting:
The usability of WebAuthn interfaces is key to their wider adoption. Services that support security keys should provide basic features like the ability to rename keys to make it easier for users to differentiate them. We’ve also found it helpful when platforms allow users to specify their default 2FA method so that users don’t have to click around to use their security key on each login.
The most effective security strategy for any organization is never to assume that it is fully secure. Constantly testing internal and external security, along with rolling out up-to-date cybersecurity protocols, is a necessity. To truly be secure, one must constantly adapt to the threat landscape. Threat actors are persistent and will always find a way to breach networks. It seems that Twitter is starting to understand this.
The best one can hope for is to simply impede the inevitable.
Featured image: Flickr/Garrett Heath