A lot of people are already familiar with FIDO2-compatible security keys for signing in without a password to services like Office 365/Azure AD. But passwordless sign-in is not the only use case for these keys. The keys can also be used as a second authentication factor for more and more online services, as they support the FIDO Universal 2nd Factor (U2F) protocol. Among these online services are big social media platforms like Facebook and Twitter.
Twitter is one of the first (the only?) social media platforms with the option to use security keys as the only form of two-factor authentication (2FA), as they announced in this blog post. They allow you to turn off other 2FA options like text messages (SMS) and authenticator apps. You can then only sign in to Twitter with your password and security key, which takes security to a higher level.
Also not unimportant: Twitter supports mobile devices running Android and iOS, unlike other platforms such as Facebook at the moment of writing this blog. That is a requirement for most people, as social media is mostly used on mobile devices.
So if you are already equipped with a FIDO2 security key, why not start using the key to also secure your Twitter account?
I’m equipped with several security keys, some of which support NFC for communication with mobile devices. I also have a Feitian iePass K44, which has a USB-C and a Lightning connector. An ideal key for usage with mobile devices.
For this article, I used the iePass key from Feitian. But as long as you’re able to connect your key to your device (NFC, USB/Lightning, or Bluetooth), you should be good to go.
Let’s see how we can use the key with Twitter on several operating systems.
Security key usage on Windows
An easy way to manage your security key with Twitter is using a device running Windows 10. Windows 10 itself has built-in management capabilities, as I described in this previous article. You can add a PIN to the key or reset the key directly from the Windows Settings, unlike other platforms like macOS, which require a third-party app.
Make sure your key is set up with a PIN.
To add a security key to your Twitter account, sign in to your account with a browser like Edge.
- Open Security and Privacy
- Choose Security and account access
- Choose Security
- Choose Two-factor authentication
- Check Security key
- Choose Add new security key
- Click Start
- Insert your security key
- Click OK
- Enter your PIN
- Touch the key
- Provide a name for your key
The key is added to your account.
From the Manage security keys section, you’re able to rename or delete the keys.
The next time you sign in to Twitter, you’re asked for your security key.
Security key usage on iOS
We don’t need a Windows device to set up a security key like the Feitian iePass. Feitian provides an app in the App Store and Play Store, iePassManager, which we can use to set a PIN on the key when it’s a new key. Other key vendors provide such apps as well.
So these keys can be used by users who only have devices running iOS or Android.
When we open the app and insert the key, it’s recognized by the iePassManager. As this is a new key, I can set a PIN, which is a straightforward process.
Enter a new PIN twice and click OK.
And the PIN is set successfully.
The PIN is set up and ready to be used with the Twitter app.
To set up the security key with Twitter, the Twitter app opens a browser. Although Safari is the default browser on iOS, using that browser as default didn’t work fine for me. It first showed me a pop-up to recognize the key, but soon after that, a message was shown that this setup wasn’t supported with this browser. I set Edge as the default browser, rebooted the iPhone and everything worked fine. I’m not sure if Safari indeed doesn’t support the key, but it’s at least worth mentioning here.
To add the security key to our account, open the Twitter app and make sure you’re signed in.
- Tap Settings and privacy
- Tap Two-factor authentication
- Tap Add a new security key
- Tap Open Safari
- Again, tap Add a new security key
- Enter your Twitter password
- Tap Start, to start the enrollment of the security key
- Insert the key and tap it, to allow Twitter to use the key
- Enter the PIN of the security key and tap continue
- Enter a name for the key
And the key is added to our Twitter account!
Now that we’ve added the security key to our account, the next time a second factor is required for authentication, we’re asked for our security key.
Security key usage on Android
The usage of the keys isn’t much different on Android compared to iOS.
Below is a short video of how we add the key to Twitter using an Android device.
And below is a video of how we can use a security key to sign in to Twitter.
If you do enable security keys as the only form of MFA, by disabling the other options like SMS, it’s advisable to register two keys in case you lose one.
Let’s keep our (social media) accounts secure.
Thanks for reading!