Twitter now supports hardware security keys for iPhones and Android

Twitter said Wednesday that accounts protected with a hardware security key can now log in from their iPhone or Android device.

The social media giant rolled out support for hardware security keys in 2018, allowing users to add a physical security barrier to their accounts in place of other two-factor authentication options, like a text message or a code generated from an app.

Security keys are small enough to fit on a keyring but make certain kinds of account hacks near impossible by requiring a user to plug in the key when they log in. That means hackers on the other side of the planet can’t easily break into your account, even if they have your username and password.

But technical limitations meant that accounts protected with security keys could only log in from a computer, and not a mobile device.

Twitter solved that headache in part by switching to the WebAuthn protocol last year, which paved the way for bringing hardware security key support to more devices and browsers.

Now anyone with a security key set up on their Twitter account can use that same key to log in from their mobile device, so long as the key is supported. (A ton of security keys exist today that work across different devices, like YubiKeys and Google’s Titan key.)

Twitter — and other companies — have long recommended that high-profile accounts, like journalists, politicians and government officials, use security keys to prevent some of the more sophisticated attacks. Twitter explains how to set up two-factor authentication (and security keys) here.

Earlier this year Twitter rolled out hardware security keys to its own staff to prevent a repeat of its July cyberattack that saw hackers break into the company’s internal network and abuse an “admin” tool, which the hackers then used to hijack high-profile accounts to spread a cryptocurrency scam.

In the wake of the attack, Twitter hired Rinki Sethi as its new chief information security officer, and famed hacker Peiter Zatko, known as Mudge, as the company’s head of security.