Twitter is planning a future update that will allow accounts with two-factor authentication enabled to use security keys as the only authentication method, the company said on Monday. At present, you can use a security key to sign in to your Twitter account, but you need to have another 2FA method — like an authenticator app or SMS codes — enabled as a backup.
While authentication apps like Google Authenticator or Authy are more secure than using SMS codes for 2FA, security keys — physical keys that connect to your computer using USB or Bluetooth — are the most secure way to protect an account online. Users don’t have to type in a code that could be intercepted by a malicious third party.
You connect the key, your browser issues a challenge, and the key cryptographically signs that challenge to verify your identity. Another benefit of using a security key: users don’t have to give Twitter any additional personal information, such as a telephone number, to be able to log in to their accounts.
Twitter also said Monday it will allow multiple security keys on a single account; until today, it only allowed one key per account, in addition to the other 2FA methods. In December, Twitter announced it was adding support for security keys for 2FA-enabled accounts when users log in to its mobile apps.
A Twitter spokesperson said Monday there wasn’t a timeline for when security key-only 2FA would take effect.