Here’s How to Make Your Twitter Account Super Secure with a YubiKey

When a site offers different methods of authentication, your account is only as secure as the weakest option. Here, Motherboard shows you how to use the most robust method for locking down your Twitter account.

Jun 27 2018, 2:38pm

Image: Yubico

On Tuesday, Twitter announced the rollout of a new security feature: users can now lock their account with a security key, a physical device they plug into their laptop in order to log in. This means that even if someone obtains a user’s password, generally speaking, the hacker shouldn’t be able to break into the account.

But there’s a slight catch. Twitter has several methods of multi-factor authentication available, including sending a code via text message or typing in a series of numbers from an app on your smartphone. And when more than one of these is enabled, the account is only as secure as the weakest option. In other words, if you use a security key on Twitter, but also still let Twitter send you SMS messages to verify your login, an attacker is just going to exploit the less robust option. Hackers have broken into the accounts of celebrities, activists, and ordinary users largely because the victims used text messages to secure their accounts.

With that in mind, here is a hopefully straightforward guide to locking down your Twitter account with a security key, but also removing text message verification at the same time.

YOU GOTTA ADD A PHONE TO START

When enabling Twitter’s multi-factor authentication—what it calls ‘login verification’—the site first requires you to do so with a mobile phone.

  • Click your profile image in the top right corner

  • Select “Settings and privacy”

  • On the next screen, under “Security”, click “Set up login verification”

This will then take you through enabling multi-factor authentication for the first time. Twitter will ask you for a mobile phone number, and then text you a code, as you may already be used to. Once you enter the code, login verification is enabled.

“Congrats, you’re enrolled!” Twitter should tell you.

KEEP THAT BACKUP

Twitter then presents you with a backup code, which you can use to log back into your account if you lose your verification device. It’s a good idea to retain this code just in case that happens, so perhaps write it down and keep it in a drawer, or take a photo of it on your phone.

OKAY NOW THE SECURITY KEY

Here comes the new bit. Once you’re enrolled, Twitter will send you back to the settings screen.

  • Under “Security,” click “Review your login verification methods.”

  • Under “Login verification” find the “Security key” option, and click “Set up.”

  • When prompted, click “Start”

Now plug in your security key. Motherboard tested the feature with a YubiKey, a small device that can fit on your keychain. Twitter will ask you to push the button on the key, and once successful, will ask you to press it once more to complete the process.

“You’re all set!” Twitter should say. “Now you can use this security key anytime you log into from a compatible browser.” (Only some browsers work with security keys; Motherboard completed this test with Chrome).

THE TRICK: NOW ENABLE A MOBILE SECURITY APP, SO YOU CAN DISABLE TEXT MESSAGE

In Motherboard’s tests, if you are using a security key, Twitter also forces you to have a second form of multi-factor authentication enabled. Otherwise, when trying to remove the option for text verification, the site then removes multi-factor authentication altogether. Presumably, this is a usability decision: if users only have a security key enabled, and then lose it, they’ve effectively locked themselves out of their account, unless they can find that backup lying around.

The trick is to temporarily have three different forms of authentication enabled at once, so you can then remove one of them. Once Twitter returns you to the settings screen:

  • Under “Security,” click “Review your login verification methods.”

  • Under “Login verification” find the “Mobile security app” option, and click “Set up.”

  • When prompted, click “Start”

If you’re reading this guide about security keys, you may already have a mobile authenticator app installed. If not, for this test, Motherboard used the Google Authenticator app, available on the App Store and Play Store.

Twitter will display a QR code. Scan this using your authentication app, and then enter the code the app provides.

“You’re all set up!” Twitter will say.

Now it’s time to get rid of that pesky text verification. Once you’re back on the settings screen:

  • Under “Security,” click “Review your login verification methods.”

  • Under “Login verification” find the “Text message” option, and click “Edit.”

  • Select “Off” and then click “Save changes.”

There you go. You now have Twitter configured to use a security key for login, while removing relatively weak text message protection. Of course, you can still access your account with Google Authenticator or a similar app, but at least you’ve removed the weakest of the login methods.