Twitter is about to take a big step toward a password-free future

Security keys make logging in simpler while making your account more secure.
[Image: YubiKey security key next to a phone and a MacBook. Caption: Get a security key like this YubiKey for your keychain. Credit: Yubico]

Any day now, you won’t need a password to sign in to Twitter. The company’s upcoming change will allow users to log in with just a security key. It’s a huge leap forward in both convenience and account protection. The key in question is a physical object, like those currently on your keychain. Unlike the key for your front door, security keys like YubiKey and Titan can’t be physically copied, nor can they be hacked. Even if someone stole your YubiKey, chances are close to zero that anyone could get into an account with it, because they’d also need your username, password, and physical access to the device you’ve registered your security key with. These amazing little fobs let you log in via USB, Bluetooth, and/or NFC.

Twitter added support for security keys in December 2020 as an option for two-factor log-ins. So if you wanted even better security than having a code texted to your phone or sent to email, you could simply plug in your key. Soon, Twitter is going to let users log in with only a physical security key. People won’t have to type passwords or codes sent to their phone or email. That exciting detail was a follow-up to Twitter’s main announcement, which said that people can now use multiple security keys to log in if they so desire.

When reached for comment about when to expect the change, a Twitter spokesperson told Popular Science via email they have “no updates to share on that timeline at this moment,” but said they’d keep us posted.

Facebook added the capability just a couple of weeks ago. Yet even if you’re one of many users who just got “Facebooked” by the company, taking your account security to the next level is still worth it. The recent Facebook account breach and dump of 533 million users puts everyone affected by it at risk for account hijacks and break-ins on other sites through phishing and other attacks. A physical security key will stop those attacks in their tracks.

For once, better security is easy

Security keys are inexpensive and easy to use. There are several different brands to choose from, but don’t buy just any old model from Amazon. Choose one from a company reputable in security circles, like Yubico’s YubiKey, Google’s Titan, or the Thetis Fido. Each brand has several different kinds and styles to choose from. We recommend that you start with the basic model and work your way into more advanced configurations if you think you need to later.

Each key has a unique code in it that generates one-time log-in codes to confirm your identity. Using it is a snap: just press the button on the key when it’s time to enter your password (on a laptop, you’ll be prompted to plug the USB part of the key into your computer, then press the button). Another perk: You can securely log in with your key when there’s no wi-fi or internet service available.

These handy gadgets can be used with accounts and apps that support 2-step verification (sometimes called 2FA) and have “security key” as an option. Unfortunately, not all companies offer 2FA with keys as an option to secure user accounts. The notable holdouts include banks and credit cards. However, plenty of sites and apps do, like Google, Twitter, Dropbox, eBay, Epic Games, EA, Facebook, Instagram, GoDaddy, Reddit, Kickstarter, Squarespace, Twitch, and many more.

Phishing, malware and other attack methods simply won’t work, because an attacker would need your username and password and would also have to plug in your YubiKey. The key requires no special software, works across multiple devices, and rides along discreetly on your keychain. You can find them online at Amazon and other shopping spots.

Plug and play

You should really use a security key with every service that allows it. Your accounts will be incredibly hard to hack. Plus it says a lot that most hackers carry one with them everywhere they go. If all the recent breaches have taught us anything, a security key is worth it even if you’re the kind of person who thinks their accounts are “not worth hacking.” Any account is useful for someone to steal, especially if you use similar logins for multiple apps or services.

We’re excited for Twitter’s upcoming change. We hate passwords. You hate passwords. Lots of people in infosec feel the same way, because securing passwords is the bane of everyone’s existence, and they’ve wanted to kill the password for all the same reasons we hate and don’t trust them (or what companies do with our passwords). This move by Twitter could actually signal the end for the dreaded password.