
Two-factor Authentication Login to Twitter with YubiKey

I think that many people use Twitter, both individuals and corporations. But have you ever thought about protecting your Twitter account from being hijacked if your password leaks?

Twitter supports two-factor authentication, so by setting up two-factor authentication, you can take measures against unauthorized access such as hijacking.

If you haven't set it up yet, we recommend that you do so.



 

About Twitter's two-factor authentication

Twitter's two-factor authentication

Twitter's two-factor authentication supports the following three types:


・Text message (SMS)

・Authentication app (TOTP)

・Security key (FIDO)


As described on Twitter's help center page, of the three methods, if you set the "Security key", you don't need any other backup method. So, if you can use the security key, I recommend you set it up.


Note: If you add security keys to add extra protection to your two-factor authentication, you no longer need to use other backup methods to add extra protection. A security key can be used as the only authentication method, with other authentication methods turned off.

In this article, I will introduce how to set a "Security key" using "YubiKey 5 NFC".


How does it compare to other authentication methods?


A little extra on the benefits of choosing a security key.


Both text message (SMS) and authentication app (TOTP) are two-factor authentication methods that enhance security, but both require you to type in letters and numbers that were sent to you (or displayed in the app), and a code that can be typed can also be typed into a fake site. So, it is difficult to prevent man-in-the-middle attacks such as phishing.

Even though you have set up two-factor authentication to improve security, it turns out that the security is not as high as you thought.


A security key uses the FIDO protocol, which prevents man-in-the-middle attacks such as phishing.

Therefore, you get stronger security than with the other methods.
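
The difference described above, as an added example that is not part of the original article: a TOTP code is computed from a shared secret and the clock only, while a FIDO (WebAuthn) login response carries the origin the browser saw and a hash of the site's ID, both of which the server checks. The site names and sample values are constructed, and a real server must also verify the key's signature over this data, which is left out here.

```python
import base64, hashlib, hmac, json, struct

RP_ID = "example.com"           # constructed site ID (assumption, not from the article)
ORIGIN = "https://example.com"  # constructed legitimate origin (assumption)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1). Inputs are the shared secret and the clock only,
    so the code is the same whichever page the user types it into."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_assertion(client_data_json: bytes, auth_data: bytes, challenge: bytes) -> list:
    """Server-side binding checks on a WebAuthn login response.
    Returns the names of failed checks; an empty list means all passed."""
    client = json.loads(client_data_json)
    failed = []
    if client.get("type") != "webauthn.get":
        failed.append("type")
    if client.get("challenge") != b64url(challenge):   # fresh per login, stops replay
        failed.append("challenge")
    if client.get("origin") != ORIGIN:                 # written by the browser, not the user
        failed.append("origin")
    if len(auth_data) < 37:                            # rpIdHash(32) + flags(1) + counter(4)
        return failed + ["authData-length"]
    if not hmac.compare_digest(auth_data[:32], hashlib.sha256(RP_ID.encode()).digest()):
        failed.append("rpIdHash")
    if not auth_data[32] & 0x01:                       # UP flag: the key was touched
        failed.append("user-present")
    return failed

def sample_response(origin: str, rp_id: str, challenge: bytes):
    """Constructed sample of what a browser and key report for a page at `origin`."""
    client = json.dumps({"type": "webauthn.get", "origin": origin,
                         "challenge": b64url(challenge)}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", 7)
    return client, auth_data

if __name__ == "__main__":
    ch = b"constructed-challenge"
    print(totp(b"12345678901234567890", 59))
    print(check_assertion(*sample_response(ORIGIN, RP_ID, ch), ch))
    print(check_assertion(*sample_response("https://example-login.test",
                                           "example-login.test", ch), ch))
```
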


Also, entering the text from SMS and TOTP is quite troublesome...

If you set up a YubiKey, you will be able to log in by touching the YubiKey without having to enter characters that are sent to you or displayed in the app each time.


About the device to use


This time, I wanted to use Twitter on both my PC and my smartphone, and I wanted to use NFC on my smartphone, so I used the "YubiKey 5 NFC", which has an NFC function.

You can insert it into a USB port when using it on a PC, and authenticate via NFC when using it on a smartphone.

YubiKey 5 NFC

Any FIDO-compatible key can be used as a security key, so if you have a FIDO device other than the YubiKey, you can try the same setting.


 

How to set up two-factor authentication


You can set up two-factor authentication on your PC or smartphone.


a. When setting on a PC


From the Twitter menu, select "Settings and privacy", then select "Security" under "Security and account access".

Twitter settings menu

Select "Two-factor authentication".

Selecting two-factor authentication

From "Two-factor authentication", check "Security key".

Two-factor authentication - selecting the security key

You will be asked for a password when you change the settings for the first time, so enter your password and select "Confirm".

Password entry

The security key enrollment sequence begins. Select "Add key".

Start of security key registration
Adding a security key

Connect the YubiKey to your PC.

Since the YubiKey 5 NFC is a FIDO2-compatible device, you will be prompted for a PIN.

Enter your PIN and click OK.

※ If your device supports U2F (in short, FIDO1), you will not be asked to enter the PIN because there is no PIN.

Added on 2023/3/6:

※ Even if your device supports FIDO2, you will not be asked to enter the PIN if the PIN is not set on your device, such as a new key or after resetting the PIN. Please note that the behavior changes depending on the setting state of the device.

Also, PIN entry is required only during registration, and PIN entry is not required during authentication (when logging in), regardless of whether you are using a FIDO2-compatible device or a U2F device.

PIN entry

Touch your YubiKey.

Touching the security key

After successful registration, you will be presented with an input field to name your key.

Enter any descriptive name and click "Next".

Entering a name for the security key

You have successfully registered your key.

As mentioned in the message, it is a good idea to register multiple keys in advance if you have other keys in case of unexpected situations such as key loss.

Message display

The setup is complete.

Click "Get Backup Code" to see your backup code.

We recommend that you keep a backup code just in case you lose your key so that you can still log in.

Key registration complete

When you return to the Two-factor authentication screen you can see that the "Security key" item is checked.

If you want to register another security key, you can open "Manage security keys" and add another key.

If you want to turn off two-factor authentication with the security key, clear this check.

At that time, the registered YubiKey information will also be cleared, so if you want to set up two-factor authentication again, you will need to register the key again.

Security key checked

After the setting, you will need the security key when you log in. However, once logged in, the logged-in state is maintained, so it seems that it is not necessary every time you open Twitter.


 

b. When setting on a smartphone


You can also register the security key from your smartphone. However, it seems that it cannot be done from the Twitter application, and a message is displayed to set from the browser.


Prompt to use the browser

Open Twitter in your browser and proceed with the settings.

Open "Security and account access" in Settings and select "Security".

Security and account access

Select "Two-factor authentication".

Select "Security key".

Security - two-factor authentication
Selecting the security key

You will be asked for a password when setting up for the first time. Enter and continue.

Password entry

The security key registration sequence will start, so follow the instructions on the screen.

Start of registration
Start of adding a security key



The security key registration will start.

Start of security key registration

Since I am using an NFC-compatible key this time, select "Use security with NFC". If you have a USB Type-C or Bluetooth compatible device, please select the corresponding method.

NFC selection

You will be asked for a security key.

In order to use NFC this time, it is necessary to turn on the NFC function of your smartphone in advance.

NFC registration

Hold your YubiKey over your smartphone's NFC position.

Holding the YubiKey over the NFC reader

Registration has been completed. Move your YubiKey away from your smartphone.

Device registration complete

After successful registration, you will be presented with an input field to name your key.

Enter any descriptive name and click Next.

Naming the key

Your key has been registered. As mentioned in the message, it is a good idea to register multiple keys in advance if you have other keys in case of an unexpected situation such as key loss.

Message displayed after registration

Setup is complete.

Click "Get Backup Code" to see your backup code.

We recommend that you keep a backup code just in case you lose your key so that you can still log in.

Registration complete

After setting, you will need a security key when you log in. However, once logged in, the logged-in state is maintained, so it seems that it is not necessary every time you open Twitter.


 

How to log in


Now that the two-factor authentication setting is complete, let's check the behavior when logging in.


a. For PC


Let's take a look at the case of PC first.

Enter your login ID on the login screen.

Logging in to Twitter from a PC

Enter your password.

Password entry

If two-factor authentication is not set, login will be completed here, but since the security key has been set, you will be asked for the security key.

Connect your YubiKey to your PC.

The display changes to ask you to touch the key.

Security key request message

The center of the YubiKey will light up, so touch it.

Touching the YubiKey

After successful authentication, login is completed.


In this way, you can no longer log in without a YubiKey.

It is pretty simple to operate: just plug it into a USB port and touch it.


 

b. For smartphone


Let's look at the login behavior on a smartphone in the same way.

After entering the password, the authenticator selection is displayed.

If you select "Use a security key" and proceed to the next step, authentication of the security key will start.

Authentication selection
Using a security key

Since NFC is used this time, select "Use security with NFC".

A message will be displayed asking you to hold the security key over your smartphone.

Selecting how to use the security key
Message asking you to hold up the security key

Hold your YubiKey over your smartphone's NFC position.

Holding the YubiKey over the smartphone

After successful authentication, login is completed.

Authentication successful

On the smartphone too, it was possible to prevent login without a YubiKey.

By using NFC, you can easily log in with two-factor authentication without the need to connect to a USB port.

 

Summary


By using a YubiKey for Twitter's two-factor authentication, the security strength is higher than with other two-factor authentication methods, and it was possible to log in with a simpler operation.

Above all, because it is a physical key, it also has the advantage of being easy to manage.

It is difficult to notice if the password is stolen, but one of the advantages of the physical key is that if it is lost, it will be noticed immediately.


The YubiKey used this time can be used to enhance the security of various services other than Twitter, so please try using it in various places.




Thanks for reading until the end.
