Why you need a security key for Twitter

Your Twitter account is a tempting target, and may contain confidential information in DMs. Adding a security key will protect your account even if your password is compromised.

A security key is a physical token (similar to a thumb drive) that offers you the highest possible level of protection against impostor websites that may trick you into typing your Twitter password (phishing).

If you use a security key, an attacker will not be able to log into your Twitter account even if they learn your password, and even if they can fool you into trying to log in to an impostor site that they control.

This is a higher level of safety than you can get by using other forms of two-factor authentication, like SMS messages or an authenticator app.


Who this guide is for

This guide is designed for regular humans. It will walk you through the steps of effectively protecting your Twitter account with a security key, without explaining in detail the reasons for each step. You can learn more about those in the security key FAQ.


Let's do it!

  1. If you already set up a security key on another service (like Gmail), you can use it on your Twitter account.

    If you don't own a security key, order a Yubikey! Any Yubikey will do; we recommend the blue one because it's cheapest. You can buy it for $20 from Yubico:

  2. Once you have a Yubikey, log in to your Twitter account in Chrome on a laptop or desktop, and click on the round logo next to the tweet button. Choose 'settings and privacy'. (These instructions will also work in Firefox, but you have to enable the security key support yourself).

  3. Under the Account > Security tab, click on 'set up login verification' or 'review your login verification methods'.

  4. If you haven't added it previously, at this stage Twitter will ask you for your phone number. We'll turn off the ability to reset by phone later, but there's no way around this step during setup.

  5. You'll get an SMS from Twitter. Enter it into the confirmation box.

  6. At this point, Twitter will give you a single-use backup code. Write this down, or print it, and keep it somewhere safe (like with your wallet or passport). You'll need this code to get back into your Twitter account if you lose your security key and your phone.

  7. At this point you'll see the login verification menu. The text message option is enabled, but we haven't set up a security key or mobile security app yet.

  8. Go to "Security Key > Set up", and click 'start'

  9. Plug your key into any USB port, with the gold disk facing upwards. If you're on a newer Mac, you may have to use a USB adapter, like an animal:

    If you did this right, a light in the gold disk should start flashing.

  10. Press your fingertip against the gold circle until it stops flashing. (If you have longer fingernails, you may need to wiggle your finger a bit, or press harder.)

  11. Once Twitter accepts your key, we'll need to set up a backup method. We'll use a phone app called Google Authenticator.

    (Even though this is a Google app, it doesn't talk to Google servers or store any data with Google. It's just a way to share a secret between Twitter and your phone.)

    On your phone, install the Google Authenticator app if you don't have it already.

  12. Once you've downloaded the app, go back to your computer and click 'set up' next to 'Mobile security app'. You'll see a confirmation screen.

  13. The next page will show a QR code. On your phone, open the Google Authenticator app and click the 'plus' icon. You'll have the option to scan in a code. Point the phone at your computer screen and frame the Twitter QR code so it fills the green box.

  14. Once the code scans, the authenticator app will display a six digit number. Twitter will ask you to enter this number to confirm it's set up right.

  15. Now you have a security key, a single-use backup code, and the Google Authenticator app set up. The last thing we want to do is turn off the ability to log in to your account with a text message. (Text messages are convenient, but it's too easy for someone who really wants to break into your account to hijack your phone number, or otherwise intercept them.)

    Click 'edit' next to "text messages", and make sure they're turned off.

  16. Congratulations! You just secured your Twitter account!



Test Drive

Now let's try logging in, with and without the security key:

  1. Open an incognito window in Chrome (make sure there are no other incognito windows open), and try logging in to Twitter. It will ask you for your password as usual, and then it should prompt you for your security key.
  2. Insert the key like you did during setup, and press the gold disk until it stops flashing.

    You should now be logged in to Twitter!

  3. Let's also test logging in without the key. Close the incognito window, open a fresh one, and log in to Twitter again. This time, instead of inserting the key, click the 'use a different method' link at the bottom:

  4. Choose "use a code generator app", and open your Google Authenticator app on the phone. Type in the six-digit number it shows for your Twitter account.
  5. Enter the code as prompted. You should now be logged in to your Twitter account! Again! You can't stop logging in!

    (You could also enter the single-use backup code in this step.)

  6. If either of these methods didn't work, or you weren't prompted for a security key, go back and double-check your two-factor security settings.

    If you feel lost, contact me (maciej@ceglowski.com) and I will help you!

One-Time Passwords

If you want to set up a Twitter app on your phone or tablet (where there's no way to use your security key), Twitter gives you the option to create a one-time app password. This kind of password is valid for an hour, so you don't have to remember it or worry about protecting it.

  1. To get a one-time password, go back to the login verification screen and click on 'Generate app password'.

  2. Write down or copy the password you see (you can leave the spaces in) and use it to log in to your account in the Twitter app.



What have we done?

You now have a Twitter account that is more resistant to phishing, as long as you remember to use the security key every time you log in.

Remember, you're only fully protected when you use the key. The Google Authenticator app we set up as a backup is convenient, but it does not give you as much protection against being tricked into typing your credentials into a website pretending to be Twitter.

The one-time passwords are useful for situations where you can't use a security key, but be extra careful any time you're logging in to Twitter without the Yubikey. Mind your URLs!

Now that your Twitter account is secure, go add a U2F key to your Gmail account and your Facebook account! You can use the same blue security key as you did here to protect both.

(If you work at Twitter, please make the official instructions clearer, and give people the ability to add multiple security keys to their account. You are welcome to use this howto without restriction.)
