Recently, Twitter migrated their internal workforce accounts from legacy two-factor authentication (2FA) to physical security keys. Aimed at preventing phishing attacks, the security keys can identify malicious sites by leveraging the FIDO and WebAuthn security standards.
Nupur Gholap, senior security engineer and Nick Fohs, senior IT product manager at Twitter, provided the overview of the security keys rollout completed in three months. A security key is used to unlock access to the user's Twitter account. This necessitates the compatibility of a security key across a range of devices. Twitter chose YubiKey 5 NFC and 5C NFC keys that support USB for laptops and NFC for Android or iOS mobile devices.
After identifying the above security key model, the security keys were purchased and shipped to 5,500 Twitter employees across the globe. Twitter opted for Yubico's Enterprise Subscription and Delivery services, which provided direct shipping to the USA, Canada and most parts of Europe. For the workforce in the rest of the countries, Twitter bulk shipped keys to existing regional distribution partners.
The COVID-19 situation added challenges to ensuring the validity of shipments. Employees were asked to "self-source" security keys from regional vendors if shipments were lost or delayed. Yubico's online verification tool verified the legitimacy of keys accordingly. Employees could enrol their security keys by taking advantage of the platform authenticators such as Apple FaceID/TouchID, Windows Hello and Android's built-in security key.
Twitter internal systems are behind a Single Sign On (SSO) provider. WebAuthn support for SSO providers enabled the employees to use both security keys and platform authenticators. This ensured that the access to systems was in place before the cutover date.
After the Security Keys were delivered, WebAuthn facilitated self-enrollment of the security keys. Twitter's IT team provided the support in addition to the enrollment guidance provided by the security team. An internal dashboard provided visibility on the security key enrollment. Managers and employees were able to use this dashboard to validate the status of their enrollment. A vigorous tracking and notification mechanism allowed the security team to reach the employees' pending enrollment by the migration deadline.
A "cutover date" was shared in advance with the entire organization. Around 90% security key enrollment was done by that date, disabling the legacy 2FA method for accessing the internal systems. The security team has also enabled the keys even after the employee has left the organization.
The Twitter security team has identified the future work, which includes broader support for WebAuthn. While rotating/replacing security keys remains an open challenge, currently, all the employees are provided with two keys - one primary and another as a backup.
To keep the Twitter account secure, the implementation of security keys is intended to prevent incidents like phone spear-phishing attacks in July 2020. The security team at Twitter hopes to see the industry-wide adoption of the security keys.
As an aside, Twitter was also in the news towards the end of the year 2021, as Jack Dorsey stepped down as Twitter CEO. Parag Agarwal, CTO of Twitter, replaces him.