Twitter reveals surprisingly low two-factor auth (2FA) adoption rate
Twitter has revealed in its latest transparency report that only 2.3% of all active accounts had at least one two-factor authentication (2FA) method enabled between July and December 2020.
2FA is an extra security layer for Twitter accounts that requires users to use a security key or enter a code together with their passwords to log into their accounts.
This ensures that only the account owner can sign in and blocks takeover attempts that rely on guessed passwords, stolen credentials, or a password reset.
While some high-profile Twitter accounts were hijacked last year despite having 2FA enabled, after attackers gained access to internal admin systems, you should still turn on 2FA to be protected against less sophisticated hacking attempts.
Almost 80% of 2FA-enabled accounts use SMS
Out of the 2.3% of users who had 2FA enabled over this reporting period, 79.6% used SMS-based 2FA, 30.9% a multifactor authentication (MFA) app, and only 0.5% a security key.
It’s also worth noting that Twitter allows enabling multiple 2FA methods per account, so one, two, or all three methods can be enabled at the same time, which is why the percentages add up to more than 100%.
“In general, SMS-based 2FA is the least secure due to its susceptibility to both SIM-hijacking and phishing attacks,” Twitter explains.
“Authentication apps avoid the SIM-hijacking risk, but are still susceptible to phishing attacks. Security keys are the newest and most secure form of 2FA since they include built-in protections from phishing attacks.”
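The ranking Twitter gives above comes down to origin binding. An added example, not from Twitter or the article, simulates the relying-party side of both methods: an RFC 6238 TOTP code is valid wherever it is typed, whereas a WebAuthn assertion carries the origin of the page that invoked the key, so one produced on a look-alike page fails verification. The origins, secrets, and the HMAC stand-in for the key's signature are constructed assumptions.

```python
import base64, hashlib, hmac, json, struct

# Constructed origins (assumptions for this example, not Twitter's values).
RP_ORIGIN = "https://social.example"            # the legitimate site
PHISH_ORIGIN = "https://social-login.example"   # a look-alike page

def totp_code(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): depends on secret and time only, not on the site it is typed into."""
    mac = hmac.new(secret, struct.pack(">Q", at // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"

def totp_login_accepts(secret: bytes, submitted: str, at: int) -> bool:
    return hmac.compare_digest(totp_code(secret, at), submitted)

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def key_sign(key_secret: bytes, client_data: bytes) -> bytes:
    # Stand-in for the key's signature over SHA-256(clientDataJSON); a real key signs
    # with a private key, HMAC is used here only to keep the example short.
    return hmac.new(key_secret, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()

def browser_assertion(key_secret: bytes, challenge: bytes, page_origin: str):
    # The browser, not the page's script, records the origin that invoked the key.
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": page_origin}).encode()
    return client_data, key_sign(key_secret, client_data)

def webauthn_login_accepts(key_secret, challenge, client_data, signature) -> bool:
    """Relying-party side of the assertion ceremony: check type, origin, challenge, signature."""
    data = json.loads(client_data)
    if (data.get("type") != "webauthn.get" or data.get("origin") != RP_ORIGIN
            or data.get("challenge") != b64url(challenge)):
        return False
    return hmac.compare_digest(key_sign(key_secret, client_data), signature)

def phishing_relay_outcomes(at: int = 1_600_000_000) -> tuple:
    """User completes 2FA on the look-alike page; its output is replayed to the real site."""
    totp_secret, key_secret = b"constructed-totp-secret", b"constructed-key-secret"
    # TOTP: the relayed code is still valid on the real site within the same time window.
    totp_relayed = totp_login_accepts(totp_secret, totp_code(totp_secret, at), at)
    # Security key: the real site's challenge signed on the look-alike page carries
    # PHISH_ORIGIN in clientDataJSON, so the relying party rejects the assertion.
    challenge = b"constructed-challenge"
    client_data, sig = browser_assertion(key_secret, challenge, PHISH_ORIGIN)
    key_relayed = webauthn_login_accepts(key_secret, challenge, client_data, sig)
    return totp_relayed, key_relayed  # (True, False)
```

The same origin check is what SIM hijacking cannot bypass either: the attacker gets the phone number, but never an assertion for the real origin.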
However, despite the meager rate of adoption, Twitter saw a growing number of users who enable 2FA to secure their accounts from hijacking attempts, with an increase of 9.1% from July to December 2020.
The low rate of 2FA adoption is an industry-wide issue, with users being discouraged by the overly complicated and non-intuitive procedure they need to go through to enable it.
“Overall, these numbers illustrate the continued need to encourage broader adoption of 2FA, while also working to improve the ease with which accounts may use 2FA,” Twitter added.
“Making 2FA methods simpler and more user friendly will help to encourage adoption and increase security on Twitter.”
Better protection from SIM-swapping attacks
Twitter has been working throughout the last few years to upgrade and improve the platform’s 2FA support, with a clear focus on security keys as the primary 2FA method.
It first added security keys as one of several 2FA methods on the web in 2018, and in December 2020 added support for using them when logging into mobile apps on 2FA-enabled accounts.
Security key support was also later upgraded to the WebAuthn standard, which delivered secure authentication over the web and made it possible to use 2FA on any Twitter account without a phone number.
Earlier this year, Twitter added support for using multiple security keys on 2FA-enabled accounts, and, starting this month, security keys can be used as the only 2FA method for Twitter accounts while having all other login methods disabled.
To turn on 2FA for your Twitter account, open your profile menu, go to Settings and Privacy, then to Security and account access (on desktop) or Account > Security (on iOS), and enable the Two-factor authentication option.