Twitter has revealed in its latest transparency report that only 2.3% of all active accounts had at least one method of two-factor authentication (2FA) enabled between July and December 2020.
2FA is an extra security layer for Twitter accounts that requires users to use a security key or enter a code together with their passwords to log into their accounts.
This ensures that only the account owner can sign in and blocks malicious takeover attempts that try to guess the password, use stolen credentials, or reset the password.
While some high-profile Twitter accounts were successfully hijacked last year despite having 2FA enabled after attackers gained access to internal admin systems, you should still toggle on 2FA to be protected against less-sophisticated hacking attempts.
Almost 80% of 2FA-enabled accounts use SMS
Out of the 2.3% of all users who had 2FA enabled over this reporting period, 79.6% used SMS-based 2FA, 30.9% a multifactor authentication (MFA) app, and only 0.5% a security key.
Twitter allows enabling multiple 2FA methods per account, making it possible to have one, two, or all three 2FA methods enabled for each account, which is why these percentages add up to more than 100%.
"In general, SMS-based 2FA is the least secure due to its susceptibility to both SIM-hijacking and phishing attacks," Twitter explains.
"Authentication apps avoid the SIM-hijacking risk, but are still susceptible to phishing attacks. Security keys are the newest and most secure form of 2FA since they include built-in protections from phishing attacks."
However, despite the meager rate of adoption, Twitter saw a growing number of users who enable 2FA to secure their accounts from hijacking attempts, with an increase of 9.1% from July to December 2020.
The low rate of 2FA adoption is an industry-wide issue, with users being discouraged by the overly complicated and non-intuitive procedure they need to go through to enable it.
"Overall, these numbers illustrate the continued need to encourage broader adoption of 2FA, while also working to improve the ease with which accounts may use 2FA," Twitter added.
"Making 2FA methods simpler and more user friendly will help to encourage adoption and increase security on Twitter."
Better protection from SIM-swapping attacks
Twitter has been working throughout the last few years to upgrade and improve the platform's 2FA support, with a clear focus on security keys as the primary 2FA method.
It first added security keys as one of several 2FA methods on the web in 2018 and added support for using them when logging into mobile apps for 2FA-enabled accounts in December 2020.
Security key support was also later upgraded to the WebAuthn standard, which delivered secure authentication over the web and made it possible to use 2FA on any Twitter account without a phone number.
Earlier this year, Twitter added support for using multiple security keys on 2FA-enabled accounts, and, starting this month, security keys can be used as the only 2FA method for Twitter accounts while having all other login methods disabled.
To turn on 2FA on your Twitter account, open Settings and Privacy from your profile menu, go to Security and account access (on the desktop) or Account > Security (on iOS), and enable the Two-factor authentication option.
Comments
yawnshard - 2 years ago
For me it is the reverse: I use 2FA absolutely everywhere, where I am not forced to enter a phone number!
*smdh* @ Twitter
TsofT - 2 years ago
2FA is a lot of hassle for a friggin Twit account. Though I might use it if it was integrated into the browser. Firefox should add that to the password manager. I don't really trust 3rd-party add-ons for such features.
Wannabetech1 - 2 years ago
Not sure why this is surprising. How many "average folks" even know or care what it is? Most people don't even have strong passwords & now they're expected to use 2FA?
I'm not a pro (hence my name) so I only know about strong passwords & managers & 2FA because I read Brian Krebs, Bruce Schneier, & watch Steve Gibson (and Leo) on Security Now.
mrsleep - 2 years ago
Sounds about right. Hard to blame your unpopular tweets on hackers if you use 2FA.
RevenantOrigin - 2 years ago
Wouldn't be so bad if it wasn't hard to find the option. Most users are never tipped to where it is, how to use it, or that it even exists.
Dominique1 - 2 years ago
2FA is such a hassle, so inconvenient. If you're not near your phone when it is asked, you are locked out. :facepalm: I really hate it. It's a total waste of time, especially if SIM cards can be stolen.