Account Security

About this report

Statistics on how people on Twitter are protecting their accounts.

 

Account Security

Published on July 19, 2022

01.

02.

2FA

03.

 

01.

Overview

Keeping your account secure is an important part of using Twitter. While we recommend a number of best practices to users to help them protect their accounts, not all users take these precautions. These challenges are not unique to Twitter -- across the Internet, individuals are subject to a range of attacks aimed at taking over individual user accounts and employ a variety of protections to repel such attacks. In order to shine a light on the challenges we all face securing our accounts online, we’ve begun to publish statistics on the security protections used on Twitter accounts.

 

Over time, we hope to see the data on this page trend toward better security practices for all accounts. We’d also like to see other organizations publish similar account security information about their services. Doing so will provide the data necessary for security researchers and professionals to continue to advance the state of account security on the Internet. 

 

 

02.

2FA

Two-factor authentication (2FA) is one of our strongest protections against account compromise. Enabling 2FA ensures that even if your account password is compromised (perhaps due to the reuse of your Twitter password on other, less secure, websites), attackers will still be blocked from logging into your account without access to the additional authentication required.

 

Twitter supports several types of two-factor authentication. These include sending a unique code to the phone number linked to an account (Text message/SMS), using a mobile app to generate a unique code (authentication app), or using a security key. While any form of 2FA is much more secure than not having 2FA enabled at all, some forms of 2FA are more secure than others. In general, SMS-based 2FA is the least secure due to its susceptibility to both SIM-hijacking and phishing attacks. Authentication apps avoid the SIM-hijacking risk, but are still susceptible to phishing attacks. Security keys are the newest and most secure form of 2FA since they include built-in protections from phishing attacks.

 

Over the most recent reporting period (July 2021 through December 2021):

 

 

03.

Analysis

We are pleased to see a continued (albeit slow) growth in 2FA relative to our last report. The move from 2.5% of our active users in the previous reporting period to 2.6% of our active users in the current period represents an 6.3% increase compared to the previous reporting period. Overall 2FA adoption remains relatively low, which is an unfortunate challenge across the industry. When accounts do not enable 2FA, we are left relying on less robust mechanisms to help keep Twitter accounts secure. We are, however, encouraged to see a significant increase in 2FA usage over the reporting period since it shows that people are increasingly utilizing 2FA to protect their Twitter accounts.

 

Security keys, while the most secure form of 2FA, are still relatively new. Twitter has made numerous improvements to our security key support over the past year, and we hope to see the usage number grow in the next reporting interval. 

 

Overall, these numbers illustrate the continued need to encourage broader adoption of 2FA, while also working to improve the ease with which accounts may use 2FA. Making 2FA methods simpler and more user friendly will help to encourage adoption and increase security on Twitter.

Other reports