Social media giant X (formerly Twitter) has made passkeys available as a login option for US-based users on iOS.
A post from the firm’s safety account, @Safety, on January 23, 2024, highlighted the security benefits of passkeys over the traditional username-password combination.
The announcement follows a spate of crypto-related X account takeover attacks targeting high-profile organizations including Mandiant, Hyundai, and most notably, the Securities and Exchange Commission (SEC).
In the case of the SEC, hackers hijacked the regulator’s X account in early January to publish a fake announcement that the regulator had approved the listing and trading of Bitcoin exchange-traded funds on securities exchanges, causing the price of Bitcoin to spike briefly.
The incident was caused by a classic SIM swap attack after the hackers were able to take over the phone number associated with the account.
The SEC’s X account was not protected by multi-factor authentication (MFA), which had been disabled at the request of SEC staff in July 2023.
Do Passkeys Offer Better Security?
X stated that the availability of passkeys offers a stronger level of security for X accounts over traditional usernames and passwords.
Passkeys are built on public key cryptography: the user’s device generates a unique key pair, one public key and one private key, for each account.
The public key is sent to and stored by the organization, while the private key stays on the device and is never shared. To log in, the user selects the passkey option on the device and unlocks it (for example with a fingerprint, face scan or PIN).
The organization’s server then sends the device a fresh random challenge, the device signs that challenge with the private key, and the server checks the signature against the public key it holds on file. No password or shared secret is ever typed in or transmitted.
Because each passkey is generated for one specific account and is tied to the site it was registered with, the device will not produce a valid signature for a look-alike domain, which is what makes passkeys resistant to phishing. And since the organization stores only public keys, a breach of its database yields nothing an attacker can reuse to log in.
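To make the exchange described above concrete, the following is an added illustration written for this page, not X’s code and not the WebAuthn library code a real app would use. It models the two parties: the device keeps the private key and holds one key pair per (site, account), the site keeps only the public key and issues a single-use random challenge, and the device’s signature covers both the challenge and the site identifier the browser reports, so a look-alike domain gets no usable assertion. The signature scheme is a toy Schnorr construction over a small prime group generated at import time, standing in for the ECDSA P-256 or Ed25519 keys a real passkey uses inside secure hardware; the site name, user name and the `rp_id`/`signature` response fields are assumptions made for the example.

```python
import hashlib
import secrets

# Toy signature scheme so the flow runs offline: Schnorr over a 64-bit safe
# prime found at import time. Real passkeys use ECDSA P-256 or Ed25519 in the
# device's secure hardware; nothing below is production crypto.

def is_probable_prime(n, rounds=16):  # Miller-Rabin, demo quality
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(bits=64):
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4  # p = 2q+1; 4 = 2^2 is a square, so it has order q

P, Q, G = make_group()

def hash_to_int(*parts):  # length-prefixed SHA-256 of the parts, reduced mod Q
    data = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def keygen():
    sk = secrets.randbelow(Q - 1) + 1          # private key: stays on the device
    return sk, pow(G, sk, P)                   # public key: goes to the site

def sign(sk, msg):
    k = secrets.randbelow(Q - 1) + 1           # fresh nonce per signature
    e = hash_to_int(pow(G, k, P).to_bytes(16, "big"), msg)
    return e, (k - e * sk) % Q

def verify(pk, msg, sig):
    e, s = sig
    r = pow(G, s, P) * pow(pk, e, P) % P       # equals g^k iff the signature is valid
    return hash_to_int(r.to_bytes(16, "big"), msg) == e

class RelyingParty:  # the site, e.g. X: stores public keys only, issues challenges
    def __init__(self, rp_id):
        self.rp_id, self.credentials, self.pending = rp_id, {}, {}

    def register(self, user, public_key):
        self.credentials[user] = public_key

    def start_login(self, user):
        self.pending[user] = challenge = secrets.token_bytes(32)
        return challenge

    def finish_login(self, user, response):
        challenge = self.pending.pop(user, None)   # single use: a replay finds none
        if challenge is None or response["rp_id"] != self.rp_id:
            return False
        message = challenge + response["rp_id"].encode()
        return verify(self.credentials[user], message, response["signature"])

class Authenticator:  # the user's device: one key pair per (site, account)
    def __init__(self):
        self.keys = {}

    def create_credential(self, rp_id, user):
        sk, pk = keygen()
        self.keys[(rp_id, user)] = sk
        return pk

    def get_assertion(self, browser_rp_id, user, challenge):
        # browser_rp_id is the site the browser is really on, not what the page
        # claims; a look-alike domain has no key here, so the lookup fails.
        sk = self.keys[(browser_rp_id, user)]
        message = challenge + browser_rp_id.encode()
        return {"rp_id": browser_rp_id, "signature": sign(sk, message)}

def login(rp, dev, user, browser_rp_id):
    challenge = rp.start_login(user)
    try:
        response = dev.get_assertion(browser_rp_id, user, challenge)
    except KeyError:
        return "no passkey for this site"
    return "ok" if rp.finish_login(user, response) else "rejected"

def demo():
    rp, dev = RelyingParty("x.com"), Authenticator()
    rp.register("alice", dev.create_credential("x.com", "alice"))
    return {"legit": login(rp, dev, "alice", "x.com"),
            "phish": login(rp, dev, "alice", "x-login.example")}
```

Calling `demo()` returns `{'legit': 'ok', 'phish': 'no passkey for this site'}`: the device has no key for the look-alike domain, so there is nothing for the user to be tricked into signing. The `RelyingParty` also consumes each challenge on first use and rejects a response that names a different `rp_id`, which is what defeats replay of a captured assertion and relayed-challenge tricks. A real WebAuthn verifier additionally checks the origin recorded inside the signed client data and the authenticator’s signature counter, both omitted here.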
While X said it “highly encouraged” eligible users to adopt passkeys, passkey use is not required for login.
In October 2023, Google announced it was making passkeys the default sign-in option for all users as part of its efforts to shift towards passwordless authentication.