According to a blog post published on June 30, the social media giant is now offering users the option of making physical security keys their sole method of two-factor authentication (2FA), a move that could help make accounts more secure while eliminating the previous requirement to keep a weaker backup method enabled. Still, experts warn that every method of 2FA comes with tradeoffs. “The problem is that none of these [authentication methods] are really as absolute as people think they are,” Joseph Steinberg, a cybersecurity expert with 25 years in the field and author of several books including Cybersecurity for Dummies, told Lifewire by phone.
Physical Security Keys, Explained
According to Steinberg, there are several types of multi-factor authentication, each with its own benefits and shortcomings. Physical security keys, like the ones Twitter now supports, are small devices that users have to plug into, or pair wirelessly with, the device they are logging in from in order to access their accounts, much like a car key. The key's secret never leaves the device, and the response it produces is tied to the website the browser is actually talking to, so credentials captured by a phishing page cannot be used to log in remotely. According to Twitter’s blog post, the keys “can differentiate legitimate sites from malicious ones and block phishing attempts that SMS or verification codes would not.” In theory, the keys offer the strongest protection available to users, but they are also one of the least convenient options for everyday use. “The major disadvantage is that you now have to carry the key in addition to your phone,” Steinberg explained. “So if you want to tweet from the beach, you’re carrying your phone and the security key.” Steinberg also cautioned that physical security keys carry the risk of being lost, which could result in a user being locked out of their own account.
Balancing the Tradeoffs
Less secure authentication methods, like having a login code texted to your cell phone, are often more convenient for users than physical security keys, but they carry a higher risk. Steinberg said hackers can intercept SMS codes through methods like SIM swaps, where thieves take over a user’s phone number and receive the codes on their own device. “If you’re relying on text messages and somebody somehow steals your phone number and starts getting your text messages, you’ve got a problem because they’re going to get your codes and they’re going to be able to reset your passwords,” Steinberg said. Authenticator apps that generate a one-time login code are another popular method of 2FA, but the code they produce is not tied to any particular website, so it can be phished and replayed within its short validity window. “If a user is logging into a phishing site and they enter that code, the phisher then has that code and can transmit it to the real site immediately,” Steinberg explained, adding that there is also a risk of losing the phone and therefore losing access to the app. Even more complex methods, like biometric fingerprint authentication, can carry risks. “Your fingerprints are all over the phone from touching it,” Steinberg said, explaining that sophisticated thieves can lift your prints and use them to log in to a device. “The fingerprint sensor doesn’t have a way of determining whether it’s an actual human putting their finger there, versus somebody putting an image of a fingerprint that was lifted from the phone.”
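To make the difference between the two sections above concrete, here is an added example (not from the article, Twitter, or Steinberg) that simulates both flows in Python: a TOTP code relayed through a phishing page is accepted by the real site, while a security-key response produced on the phishing page is rejected. The origins, challenge and secrets are constructed, and an HMAC stands in for the key's real asymmetric signature; the origin and RP-ID checks are the ones a WebAuthn relying party performs.

```python
"""Added example (not from the article or Twitter): a toy simulation of why a
one-time code can be relayed through a phishing site while a security-key
assertion cannot. Origins, secrets and the challenge below are constructed."""
import hashlib
import hmac
import json
import struct

REAL_ORIGIN = "https://twitter.example"               # constructed stand-in for the real site
REAL_RP_ID = "twitter.example"
PHISH_ORIGIN = "https://twitter-login.evil.example"   # constructed phishing site


# --- One-time codes (RFC 6238 TOTP): depend only on the shared secret and the clock ---
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def site_verifies_totp(secret: bytes, unix_time: int, submitted: str) -> bool:
    return hmac.compare_digest(totp(secret, unix_time), submitted)


def phish_relay_totp(secret: bytes, unix_time: int) -> bool:
    """Victim reads the code from their app and types it into the phishing page;
    the phisher forwards it to the real site inside the same 30-second window."""
    code_typed_into_phish = totp(secret, unix_time)
    return site_verifies_totp(secret, unix_time, code_typed_into_phish)  # relay succeeds


# --- Security key (WebAuthn-style): the response is bound to the origin the browser is on ---
def browser_get_assertion(key_secret: bytes, origin: str, rp_id: str, challenge: str):
    """Model of the browser + authenticator. The browser only allows an RP ID that is the
    page's host or a parent domain of it, and it writes the page's real origin into
    clientDataJSON itself; the page cannot change either. An HMAC stands in for the
    key's asymmetric signature (a simplification, not how real keys sign)."""
    host = origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        return None  # browser refuses: this page is not allowed to use that RP ID
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}, sort_keys=True
    ).encode()
    # authenticatorData = sha256(rpId) || flags (UP set) || 4-byte signature counter
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(key_secret, to_sign, hashlib.sha256).digest()
    return client_data, auth_data, signature


def site_verifies_assertion(key_secret, expected_origin, expected_rp_id, challenge,
                            client_data, auth_data, signature) -> bool:
    """Checks the site must perform before accepting a security-key login."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != expected_origin:
        return False  # produced on some other site: this is what stops phishing
    if auth_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False  # signed for a different relying party
    expected = hmac.new(key_secret, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def legitimate_key_login(key_secret: bytes, challenge: str = "c2VydmVyLWNoYWxsZW5nZQ") -> bool:
    a = browser_get_assertion(key_secret, REAL_ORIGIN, REAL_RP_ID, challenge)
    return a is not None and site_verifies_assertion(
        key_secret, REAL_ORIGIN, REAL_RP_ID, challenge, *a)


def phish_relay_assertion(key_secret: bytes, challenge: str = "c2VydmVyLWNoYWxsZW5nZQ") -> bool:
    """The phisher fetches a real challenge from the real site and shows the victim a
    look-alike login page. The same key secret is reused on purpose, so the only thing
    that can fail is the origin / RP-ID binding."""
    a = browser_get_assertion(key_secret, PHISH_ORIGIN, REAL_RP_ID, challenge)
    if a is None:
        # Browser refused the real RP ID. The phisher's fallback: ask for its own RP ID.
        a = browser_get_assertion(key_secret, PHISH_ORIGIN, "evil.example", challenge)
    return site_verifies_assertion(key_secret, REAL_ORIGIN, REAL_RP_ID, challenge, *a)


if __name__ == "__main__":
    otp_secret = b"12345678901234567890"   # RFC 6238 test-vector secret
    key = b"constructed-key-secret"
    print("TOTP relayed through phishing page accepted:", phish_relay_totp(otp_secret, 59))
    print("Security key on the real site accepted:     ", legitimate_key_login(key))
    print("Security key via phishing page accepted:    ", phish_relay_assertion(key))
```

The point of the two verifier functions is the asymmetry: `site_verifies_totp` has nothing but the secret and the clock to check, so a code is valid no matter where the user typed it, whereas `site_verifies_assertion` compares the origin and RP ID that the browser recorded, which the phishing page cannot forge. A real deployment would additionally check the signature counter and use the credential's registered public key rather than an HMAC.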
Weighing the Benefits
Because carrying an extra physical security key is inconvenient, Steinberg said he doesn’t expect most everyday users to make the switch Twitter is offering. “My experience has been that even things that are a small hassle when it comes to security—unless somebody has been breached and suffered serious consequences—it’s unlikely that someone is going to switch now when there are easier mechanisms that are considered to be good enough,” Steinberg said. Still, Steinberg said specific groups of users, like businesses and high-profile individuals, could benefit from physical security keys. While there is no perfect way to secure a social media account, Steinberg stressed that any form of multi-factor authentication is better than none, because social accounts are often used to log into other connected accounts across platforms. “If you’re not using two-factor authentication today for your social media accounts—turn it on,” Steinberg said.