Twitter intends to combat phishing by rolling out security keys

Social media firm enhances employee multifactor authentication after 2020's high-profile celebrity cyberattacks, admitting that further improvements are necessary.

In a proactive move to bolster security and prevent future phishing incidents, Twitter has distributed security keys to more than 5,500 of its employees worldwide. This decision comes in the wake of a high-profile attack in July 2020, where a teen hacker managed to access dozens of celebrity Twitter accounts by employing social engineering and bypassing two-factor authentication used by Twitter employees.

The use of security keys, such as YubiKeys and those compatible with the FIDO2 standard, is becoming increasingly popular among tech giants. Google has been using these keys with its employees since 2018, effectively reducing phishing to zero within the company. Microsoft Azure Active Directory is also working towards eliminating passwords and using security keys to reduce the risk of phishing attacks.

Security keys offer a more robust defence against phishing compared to two-factor SMS or one-time passcode verification. They use the FIDO and WebAuthn standards to separate legitimate websites from malicious fake sites, thereby blocking phishing attempts more effectively.
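The origin binding described above can be shown from the relying party's side. The following is an added example, not code from Twitter or any vendor named in this article: it checks the WebAuthn fields that tie an assertion to one website. The hostnames, the challenge and the `simulate` helper are constructed for illustration, and signature verification over these fields is assumed to happen separately.

```python
import base64
import hashlib
import json

RP_ID = "login.example.com"                    # assumed relying-party ID (constructed)
EXPECTED_ORIGIN = "https://login.example.com"  # assumed legitimate origin (constructed)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def check_binding(client_data_json: bytes, authenticator_data: bytes,
                  expected_challenge: bytes) -> list:
    """Return the names of failed checks; an empty list means the binding holds."""
    failures = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        failures.append("type")
    # The browser, not the page, records the origin it actually loaded.
    if client.get("origin") != EXPECTED_ORIGIN:
        failures.append("origin")
    if client.get("challenge") != b64url(expected_challenge):
        failures.append("challenge")
    # Authenticator data: 32-byte SHA-256 of the RP ID, 1 flags byte, 4-byte counter.
    if len(authenticator_data) < 37:
        return failures + ["authenticatorData"]
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        failures.append("rpIdHash")
    if not authenticator_data[32] & 0x01:      # user-present flag
        failures.append("userPresent")
    return failures


def simulate(origin: str, rp_id: str, challenge: bytes):
    """Constructed sample of what a browser and key emit for a page at `origin`."""
    client = json.dumps({"type": "webauthn.get", "origin": origin,
                         "challenge": b64url(challenge)}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    return client, auth


if __name__ == "__main__":
    challenge = b"constructed-server-challenge"
    real = simulate(EXPECTED_ORIGIN, RP_ID, challenge)
    # A lookalike page that relays the real challenge still gets its own origin stamped in.
    fake = simulate("https://login.example-sso.test", "login.example-sso.test", challenge)
    print("legitimate site:", check_binding(*real, challenge))
    print("lookalike site: ", check_binding(*fake, challenge))
```

A one-time passcode typed into the lookalike page would verify normally at the real site, which is the gap this binding closes.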

Nick Fohs, senior IT product manager, and Nupur Gholap, senior security engineer, wrote in a blogpost that they successfully migrated 100% of employee accounts from legacy two-factor authentication methods to mandatory security key usage in under three months. Amazon, too, is offering the same security training to users that it provides to its own employees.

The Advanced Protection Program, designed to protect users like human rights activists, journalists, elected officials, and political campaigns, is another initiative aimed at enhancing security. Both Google and Twitter support devices including YubiKeys and other FIDO2-compatible security keys for two-factor authentication.

Credential phishing is the largest problem in a world that is moving to the cloud, according to a spokesperson for Yubico. Sean Ryan, senior analyst at Forrester, agrees, stating that passwords are considered the lowest common denominator of secure access. According to Ryan, passwords can be hacked, stolen, or purchased on the dark web with little effort.

Amazon has announced plans to offer free security keys to certain AWS account holders who spend more than $100 per month. During the White House cybersecurity meeting, Amazon also announced plans to provide free security keys to some AWS account holders.

In June, Twitter announced it was offering social media customers the option to use multiple security keys to bolster protection against malicious attacks. As the digital world continues to evolve, it seems that security keys are becoming an essential tool in the fight against cybercrime.
