Many people use Twitter, both individuals and corporations. But have you ever paid attention to the security of your Twitter account, so that it cannot be hijacked if your password leaks?
Twitter supports two-factor authentication, so by setting it up you can take measures against unauthorized access such as account hijacking.
If you haven't set it up yet, we recommend that you do so.
About Twitter's two-factor authentication
Twitter's two-factor authentication supports the following three types:
・Text message (SMS)
・Authentication app (TOTP)
・Security key (FIDO)
As described on Twitter's help center page, of the three methods, only the "Security key" needs no other backup method. So, if you can use a security key, I recommend setting it up.
Note: If you add security keys to add extra protection to your two-factor authentication, you no longer need to use other backup methods to add extra protection. A security key can be used as the only authentication method, with other authentication methods turned off.
In this article, I will introduce how to set a "Security key" using "YubiKey 5 NFC".
How does it compare to other authentication methods?
A little extra on the benefits of choosing a security key.
Both text message (SMS) and authentication app (TOTP) are two-factor authentication methods that raise security, but both work by having you type in a code that is sent to you (or displayed in the app). A code you can type into the real site can just as easily be typed into a fake one, so these methods struggle to prevent man-in-the-middle attacks such as phishing.
So even after setting up two-factor authentication to improve security, it may turn out that the security is not as high as you thought.
A security key uses the FIDO protocol, which prevents man-in-the-middle attacks such as phishing: the key signs a challenge that is bound to the site's origin, so a signature produced on a phishing site is useless on the real site.
Therefore, you get a higher security strength compared to the other methods.
Also, typing in the code from SMS or TOTP is quite troublesome...
If you set up a YubiKey, you will be able to log in by touching the YubiKey, without having to enter the characters that are sent to you or displayed in the app each time.
About the device to use
This time, I wanted to use Twitter on both my PC and my smartphone, and I wanted to use NFC on my smartphone, so I used the "YubiKey 5 NFC", which has an NFC function.
You can insert it into a USB port when using it on a PC, and authenticate via NFC when using it on a smartphone.
Any FIDO-compatible key can be used as a security key, so if you have a FIDO device other than the YubiKey, you can try the same setting.
■ How to set up two-factor authentication
You can set up two-factor authentication on your PC or smartphone.
a. When setting on a PC
From the Twitter menu, select "Settings and privacy", then select "Security" under "Security and account access".
Select "Two-factor authentication".
From "Two-factor authentication", check "Security key".
You will be asked for a password when you change the settings for the first time, so enter your password and select "Confirm".
The security key enrollment sequence begins. Select "Add key".
Connect the YubiKey to your PC.
Since the YubiKey 5 NFC is a FIDO2-compatible device, you will be prompted for a PIN.
Enter your PIN and click OK.
※ If your device only supports U2F (FIDO1), you will not be asked to enter a PIN, because U2F has no PIN.
Added on 2023/3/6:
※ Even if your device supports FIDO2, you will not be asked to enter the PIN if the PIN is not set on your device, such as a new key or after resetting the PIN. Please note that the behavior changes depending on the setting state of the device.
Also, PIN entry is required only during registration, and PIN entry is not required during authentication (when logging in), regardless of whether you are using a FIDO2-compatible device or a U2F device.
Touch your YubiKey.
After successful registration, you will be presented with an input field to name your key.
Arbitrarily set a descriptive name and click "Next".
You have successfully registered your key.
As mentioned in the message, it is a good idea to register multiple keys in advance if you have other keys in case of unexpected situations such as key loss.
The setup is complete.
Click "Get Backup Code" to see your backup code.
We recommend that you keep a backup code just in case you lose your key so that you can still log in.
When you return to the Two-factor authentication screen you can see that the "Security key" item is checked.
If you want to register another security key, you can open "Manage security keys" and add another key.
If you want to turn off two-factor authentication with the security key, uncheck this item.
Note that the registered YubiKey information will be cleared at that time, so if you want to set up two-factor authentication again, you will need to register the key again.
After the setting, you will need the security key when you log in. However, once logged in, the logged-in state is maintained, so it seems that it is not necessary every time you open Twitter.
b. When setting on a smartphone
You can also register the security key from your smartphone. However, it seems this cannot be done from the Twitter app; a message tells you to set it up from the browser instead.
Open Twitter in your browser and proceed with the settings.
Open "Security and account access" of Settings and select "Security".
Select "Two-factor authentication".
Select "Security key".
You will be asked for a password when setting up for the first time. Enter and continue.
The security key registration sequence will start, so follow the instructions on the screen.
Since I am using an NFC-compatible key this time, select "Use security with NFC". If you have a USB Type-C or Bluetooth compatible device, please select the corresponding method.
You will be asked for a security key.
In order to use NFC this time, it is necessary to turn on the NFC function of your smartphone in advance.
Hold your YubiKey over your smartphone's NFC position.
Registration has been completed. Move your YubiKey away from your smartphone.
After successful registration, you will be presented with an input field to name your key.
Arbitrarily set a descriptive name and click Next.
Your key has been registered. As mentioned in the message, it is a good idea to register multiple keys in advance if you have other keys, in case of unexpected situations such as key loss.
Setup is complete.
Click "Get Backup Code" to see your backup code.
We recommend that you keep a backup code just in case you lose your key so that you can still log in.
After the setting, you will need the security key when you log in. However, once logged in, the logged-in state is maintained, so it seems that it is not necessary every time you open Twitter.
■ How to log in
Now that the two-factor authentication setting is complete, let's check the behavior when logging in.
a. For PC
Let's take a look at the case of PC first.
Enter your login ID on the login screen.
Enter your password.
If two-factor authentication is not set, login will be completed here, but since the security key has been set, you will be asked for the security key.
Connect your YubiKey to your PC.
The display changes to ask you to touch the key.
The center of the YubiKey will light up, so touch it.
After successful authentication, login is completed.
In this way, you can no longer log in without a YubiKey.
It is pretty simple to operate, just plug it into a USB and touch it.
b. For smartphone
Let's look at the login behavior on a smartphone in the same way.
After entering the password, the authenticator selection is displayed.
If you select "Use a security key" and proceed to the next step, authentication of the security key will start.
Since NFC is used this time, select "Use security with NFC".
A message will be displayed asking you to hold the security key over your smartphone.
Hold your YubiKey over your smartphone's NFC position.
After successful authentication, login is completed.
On a smartphone too, login was blocked without the YubiKey.
By using NFC, you can easily log in with two-factor authentication without having to connect the key to a USB port.
Summary
By using a YubiKey for Twitter's two-factor authentication, the security strength is higher than with the other two-factor authentication methods, and it was possible to log in with a simpler operation.
Above all, because it is a physical key, it also has the advantage of being easy to manage.
It is difficult to notice when a password has been stolen, but one of the advantages of a physical key is that if it is lost, you will notice immediately.
The YubiKey used this time can be used to enhance the security of various services other than Twitter, so please try using it in various places.
You can buy YubiKeys and other authentication devices we handle from the following sites:
・YubiKeyShop Authorized Reseller
・Amazon
For a quote, please contact us using the inquiry form (Contact).
Thanks for reading until the end.