Twitter detailed its process for onboarding 100% of employee accounts with physical Yubico security keys in a blog post Wednesday.
The post comes a little over a year after the July 2020 Twitter hack, in which attackers used social engineering against employees to gain access to the company's internal administrative tools. Through this access, the threat actors briefly took control of high-profile accounts, including those of former President Barack Obama and Tesla and SpaceX CEO Elon Musk, and used them to tweet bitcoin scams.
Following the attack, Twitter announced last September plans to roll out additional authentication measures both internally and for users, enhanced detection and monitoring capabilities, and new trainings and tools for employees.
Wednesday's post, written by Twitter senior IT product manager Nick Fohs and senior security engineer Nupur Gholap, provided an update on internal authentication improvements as well as how Twitter's recent physical key rollout occurred.
Due to the need for keys that worked with a wide range of devices, Twitter said that it "selected a combination of the YubiKey 5 NFC and 5C NFC keys since these support both USB for laptops and NFC for Android or iOS mobile devices."
Physical security keys like the YubiKey are a form of two-factor authentication, but one that is generally considered far stronger than SMS codes or authenticator-app (TOTP) codes. A one-time code can be typed into a look-alike login page and relayed to the real site; a FIDO2/WebAuthn key instead signs a challenge that the browser binds to the origin it was actually issued from, so an assertion captured on a phishing domain is rejected by the legitimate site, and there is no code for the user to hand over.
The post describes Twitter's process for purchasing and shipping 5,500 keys to employees around the world, which was complicated by the COVID-19 pandemic.
"Yubico's enterprise subscription and delivery services, including its APIs, helped us automate the address collection-to-shipping pipeline," the blog read. "Yubico provided a direct shipping solution within the U.S., Canada and most of Europe. For the rest of our workforce, we bulk-shipped keys to existing regional distribution partners, who provided last-mile shipping."
To prepare for the new authentication standard, the social media giant enabled WebAuthn in its single sign-on provider, with support both for roaming security keys and for platform authenticators such as Touch ID. "By allowing, but not requiring, WebAuthn devices for 2FA, employees were able to enroll their security keys as they received them without losing access to systems ahead of the cutover date," the post said.
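The phishing resistance described above comes from checks the relying party performs on every WebAuthn assertion, not from the hardware alone. The following Python is an added illustration written for this article, not code from Twitter's post or from Yubico; it implements the structural part of the WebAuthn assertion verification procedure (ceremony type, challenge, origin and RP ID hash) and shows how an assertion produced on a look-alike domain fails. The relying-party ID `sso.example.com`, the allowed origin and the sample assertions are constructed for the example; the final signature check against the public key registered at enrollment is left to a FIDO library and is marked where it would go.

```python
# Added example: relying-party checks that make a FIDO2/WebAuthn assertion
# resistant to phishing. The browser, not the user, fills in the origin and
# the RP ID, so an assertion captured on a look-alike domain fails here.
import base64
import hashlib
import hmac
import json

RP_ID = "sso.example.com"                       # assumed relying-party ID
ALLOWED_ORIGINS = {"https://sso.example.com"}   # assumed legitimate origin


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def verify_assertion(client_data_json: bytes, authenticator_data: bytes,
                     expected_challenge: bytes):
    """Structural WebAuthn assertion checks. Returns (ok, reason).

    Order follows the spec's verification procedure: parse clientDataJSON,
    check type, challenge and origin, then check rpIdHash and flags in
    authenticatorData. The signature check would come after these.
    """
    try:
        client_data = json.loads(client_data_json)
        challenge = b64url_decode(client_data.get("challenge", ""))
    except (ValueError, TypeError):
        return False, "clientDataJSON malformed"

    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    # Constant-time compare: the challenge ties this assertion to one session.
    if not hmac.compare_digest(challenge, expected_challenge):
        return False, "challenge mismatch (replay or wrong session)"
    origin = client_data.get("origin")
    if origin not in ALLOWED_ORIGINS:
        # This is the phishing case: the browser recorded where the user really was.
        return False, f"origin {origin!r} not allowed"

    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    flags = authenticator_data[32]
    if not flags & 0x01:                        # UP bit: user presence (touch)
        return False, "user presence not asserted"
    # Remaining step (not shown): verify the signature over
    # authenticatorData || SHA-256(clientDataJSON) with the credential's
    # registered public key, e.g. using python-fido2 or cryptography.
    return True, "ok"


def make_assertion(origin: str, rp_id: str, challenge: bytes):
    """Constructed stand-in for what a browser and authenticator would emit."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
    }).encode()
    # authenticatorData = rpIdHash (32) || flags (1) || signCount (4)
    flags = 0x05                                # UP | UV
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([flags]) + (1).to_bytes(4, "big"))
    return client_data, auth_data


if __name__ == "__main__":
    challenge = bytes(range(32))                # constructed server challenge
    good = make_assertion("https://sso.example.com", "sso.example.com", challenge)
    print("legitimate login:", verify_assertion(*good, challenge))
    # A look-alike domain: the browser binds the assertion to the fake origin.
    phished = make_assertion("https://sso.examp1e.com", "sso.examp1e.com", challenge)
    print("phished assertion:", verify_assertion(*phished, challenge))
```

The same assertion replayed against a fresh challenge also fails, which is the check that stops an attacker who records a successful login from reusing it later.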
Employees then self-enrolled their keys; Fohs and Gholap said Twitter backed this with extensive documentation and IT support where needed.
The last step was for Twitter to disable the other two-factor authentication methods and require the use of security keys "across our internal systems."
"We set a cutover date, which was shared with the entire company a month in advance," the blog read. "We reached ~90% security key enrollment by the deadline and were able to hit 100% within a month of cutting over, as folks returned from vacation or leave."
In the post's "lessons learned" section, Fohs and Gholap wrote that one of Twitter's takeaways was to encourage employees to use their security keys beyond work systems.
"We made it clear that employees would be allowed to keep their security keys even after they leave the company," they wrote. "This allowed us to encourage employees to use their security keys to protect their personal accounts where supported. Better protection for employee personal accounts helps stop attackers from using those accounts to attack Twitter and wider usage of security keys promotes a more secure web for everyone."
Twitter did not respond to SearchSecurity's request for comment at press time.
Alexander Culafi is a writer, journalist and podcaster based in Boston.