Dive Brief:
- Twitter has rolled out security keys to company employees in an effort to prevent future spear phishing incidents like the July 2020 attack, in which a 17-year-old hacker was able to access the accounts of numerous athletes, business executives and other high-profile celebrities, according to a blog post released Wednesday.
- The security keys use the FIDO and WebAuthn standards, which tie each credential to the legitimate website's domain so that a look-alike site cannot obtain a valid login. Twitter said this blocks phishing attempts far more robustly than SMS-based two-factor or one-time passcode verification.
- The company was able to migrate 100% of employee accounts from legacy security methods using two-factor authentication to mandatory use of security keys in less than three months.
Dive Insight:
Twitter in June announced it was offering social media customers the option to use multiple security keys in order to bolster protection against malicious attacks. The 2020 attack involved a teen hacker who managed to access dozens of celebrity Twitter accounts by using social engineering and bypassing two-factor authentication used by Twitter employees.
Twitter is using a combination of YubiKey 5 NFC and 5C NFC keys, which connect to laptops over USB and to Android and iOS mobile devices over NFC. The company sent security keys to more than 5,500 company workers across the globe, according to a spokesperson.
"In the end, we successfully migrated 100% of employee accounts from legacy 2FA methods to mandatory security key usage in under three months," Nick Fohs, senior IT product manager, and Nupur Gholap, senior security engineer, wrote in the blogpost.
Passwords by themselves are the lowest common denominator of secure access, according to Sean Ryan, senior analyst at Forrester. Attackers can crack, steal or purchase these credentials on the dark web without much effort, Ryan said.
"Adding 2FA using OTPs adds some protection but not a lot — they are still susceptible to social engineering and phishing attacks," Ryan said. "SIM swapping, bribing employees at telcos for SIM information, or posing as IT and tricking the user into giving the OTP code to the attacker in real time are examples."
Security keys allow remote corporate workers to interact with a wide variety of devices, ranging from iPhones to Android devices and Windows systems, according to David Mahdi, VP analyst at Gartner. The device variety helps drive adoption among millions of corporate employees that still work from home and may need to access work applications and email across different platforms.
Google has been using security keys with employees for years, and Microsoft is working to eliminate passwords from Azure Active Directory sign-in in favor of security keys to reduce the risk of phishing attacks.
"In a world that is moving to the cloud, our work, personal and government communication systems are now accessible to anyone on the internet," a spokesperson for Yubico said. "Of all the different cyberattacks, credential phishing is by far the largest problem."
Google earlier this month announced a program to safeguard 10,000 high-profile users through its Advanced Protection Program. The security program is designed to protect users like human rights activists, journalists, elected officials and political campaigns.
Amazon, during the White House cybersecurity meeting with technology industry leaders in August, announced plans to offer free security keys to certain AWS account holders who spend more than $100 per month. The company is also offering users the same security training it provides to its own employees. Amazon uses MFA devices internally, but it has not outlined any details of that program.