I’ve become increasingly paranoid about other people gaining access to my Twitter account and want to utilize a security ID key like I have at work for my account access. Is that possible with Twitter?
Twitter has quite a few different ways you can tighten the metaphorical hatches on your account, ways to increase your security and ensure that no-one can log in to your account even if they have your account name and password. Indeed, between malware, key sniffers, risky open wi-fi networks and phishing sites it’s surprising anyone relies on just a password as account security. Your timing is also very good because I’ve been testing out a FIDO2 / FIDO U2F security key from a company called GoTrust and your question motivated me to try the device with my own Twitter account.
A brief aside about security: You goal for securing an account is to make it very difficult for bad guys but not also impossible for you to log in successfully. Security revolves around what you know, who you are, where you are and what you have. What you know is exemplified by your password. Who you are is biometrics, so if Twitter could use a fingerprint or retina scan, that would be a solid option too, quite hard to fake. Where you are could automatically detect a login attempt from the other side of the world, say, and reject it. Finally, what you have are known as tokens or semaphores and the easiest example of that is your smartphone: The site sends you a security key via text message and you dutifully enter it on your computer. None of these are perfect, of course, but a combination of factors makes things considerably more difficult than any one factor by itself.
Here’s what the GoTrust Idem Security Key ($22 on Amazon) I’m using looks like:
It’s roughly the size of a house key, but without all the sharp edges. You can’t tell, but the circular portion is a sensor and the key is enabled by simply touching or gently pressing on the sensor after you’ve inserted it into a USB port on your computer. Once you have it all hooked up, that is. So let’s jump into Twitter and set it up!
When I go to log in to my FilmBuzz film industry news Twitter account, I already have it set up for text message confirmation on login, so after correctly entering my account and password, I see this:
What’s important is the link at the bottom: “Choose a different two-factor authentication method“. Of course you can’t change without being logged in first, so this time I’ll still need to use the SMS text security code as is normal. But once I’m logged in successfully, I’ll want to click on “More” from the left side menu (all of this is in a Web browser on a computer):
The “More” link opens up a completely different set of menu choices that are pretty darn important to your account security, setup, configuration, etc:
So many options, eh? You’ll want to click on “Settings and privacy” and, finally, you’ll see quite a few different options related to Twitter account access. Choose “Account” from the list on the left and you’ll get to the Login and security section:
Not sure your password is secure? You can click on “Password” to change it. But to add the Security Key, you’ll want to click on “Security” just below the Password link. This is also the path to adding sms text two-factor authentication as another security option if you want that instead (or in addition).
There are three options here, and you can select any – or all – of them as desired. Text message is easy; Twitter sends a six-digit one-time security code that you then enter before you can log in. No phone, no login. An Authentication app can be helpful if you are already using something like Google or Microsoft Authenticator for other secure sites. Finally, Security key is for a physical key like the GoTrust device. Click on the third box to enable Security key to proceed.
You’ll need to reaffirm you have legit access to the Twitter account:
Then you will finally be in the right area to set up your security key!
Important to note here is the phrase “supported web browser”. Turns out that while just about all of the modern browsers on major computer systems support security keys, if you use something a bit obscure you might want to check with the security key vendor to ensure compatibility. I have found the GoTrust key works fine with Safari on Mac and Microsoft Edge on Windows.
To proceed, click or tap on “Start” and, finally, you can enter your security key into a USB port and tap or push on the sensor to enable the key’s functionality:
Touch the sensor and it’ll flash a cool dark blue then communicate with the Web browser (and thereby Twitter) the needed data. It’s not a code or key, however, it’s the public encryption key of the Security Key itself. In fact, while the security key looks fairly simple, it’s actually an encryption micro-computer; every time you use it to verify identity it’ll be given a sequence of letters and digits, push that through your public and private key encryption data, and return a unique and always changing result. Public key encryption is pretty amazing, actually; learn more about it here: How does public key encryption work?
Assuming it does work – and it will! – you’ll then see this:
Awesome. You’re done! To test it out, log out and try to log in to your Twitter account again…
It all looks pretty normal, right? But this time when you click on “Log in” there’s a second prompt!
I have a lot of options set up, as you can see, but I’m going to use the GoTrust security key so I’ll click on “Security key“. The browser them prompts me to insert the key and enable it by touching the sensor:
A tap and I’m logged in. As, hopefully, you are too. Now just keep that security key on your keychain or clipped to your purse or backpack and even if someone has your password they won’t be able to successfully log in to your Twitter account. Pretty cool, eh?
Note: GoTrust sent me the Idem Key security key for testing purposes. It’s $22 on Amazon, however, so quite affordable, with no additional software needed on Mac or Windows.