X rolls out passkey support after SEC account hack

24 Jan 2024


X has revealed an interest in supporting passwordless sign-in methods, weeks after the SEC’s account was breached on the platform.

X – formerly known as Twitter – is now offering passkey support as an extra security measure for iOS users.

The company said this feature offers “enhanced security” compared to traditional passwords as they are individually generated by a device for each account, which makes them less susceptible to phishing attacks and unauthorised access.

The passkey support is currently only available for iOS users in the US and X has not given a timeframe for when – or if – it will expand passkey support. The move by the social media company follows pledges by various tech companies to support passwordless sign-in methods in the future.

X generates a unique key pair – one public and one private – for each account that opts for passkey support. The public key is shared and stored on X, while the private key remains on the user’s device.

“Your private passkey automatically authenticates your account using the server’s public passkey, allowing you to log in without the need to type it in,” X said in a blogpost. “Passkeys are automatically generated, removing the need to remember login information, and are securely backed up for easy recovery.”

Supporters of passkeys argue that they are more secure than passwords as they can’t be stolen in a data breach.
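The key-pair model described above can be made concrete with a small Go model of a WebAuthn-style registration and login. This is an added example written for this page, not X's own code: the relying party id `example.com`, its origin, the user name and the look-alike domain are constructed values, and the "authenticator" is a toy that holds private keys in memory. It shows why a copy of the server's credential store does not let anyone log in (it holds public keys only) and why a site at a different domain cannot obtain a usable assertion (the device has no credential for it, and the signed data is bound to the origin).

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// RelyingParty is the service (constructed id/origin); it stores public keys only.
type RelyingParty struct {
	ID          string                      // rpId, e.g. "example.com" (assumed value)
	Origin      string                      // expected web origin (assumed value)
	credentials map[string]*ecdsa.PublicKey // per user: the public half of the key pair
}

// Authenticator models the user's device; private keys never leave it.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey // keyed by rpId + "|" + user
}

// clientData mirrors WebAuthn's clientDataJSON: challenge plus the origin the device actually sees.
type clientData struct {
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"`
}

func NewRelyingParty(id, origin string) *RelyingParty {
	return &RelyingParty{ID: id, Origin: origin, credentials: map[string]*ecdsa.PublicKey{}}
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

// Register generates a fresh P-256 key pair for (rpId, user) and hands only the public half to the RP.
func (a *Authenticator) Register(rp *RelyingParty, user string) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	a.keys[rp.ID+"|"+user] = priv
	rp.credentials[user] = &priv.PublicKey
	return nil
}

// NewChallenge issues a random single-use value so a captured assertion cannot be replayed.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// signedMessage is what gets signed: sha256(sha256(rpId) || sha256(clientDataJSON)), as in WebAuthn.
func signedMessage(rpID string, cdJSON []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	cdHash := sha256.Sum256(cdJSON)
	h := sha256.New()
	h.Write(rpHash[:])
	h.Write(cdHash[:])
	return h.Sum(nil)
}

// Assert signs the challenge bound to the origin in use. Without a credential for this rpId it refuses.
func (a *Authenticator) Assert(rpID, origin, user string, challenge []byte) (cdJSON, sig []byte, err error) {
	priv, ok := a.keys[rpID+"|"+user]
	if !ok {
		return nil, nil, errors.New("no credential registered for this relying party")
	}
	if cdJSON, err = json.Marshal(clientData{Challenge: challenge, Origin: origin}); err != nil {
		return nil, nil, err
	}
	sig, err = ecdsa.SignASN1(rand.Reader, priv, signedMessage(rpID, cdJSON))
	return cdJSON, sig, err
}

// Verify checks the signature with the stored public key, and that challenge and origin are the expected ones.
func (rp *RelyingParty) Verify(user string, expected, cdJSON, sig []byte) error {
	pub, ok := rp.credentials[user]
	if !ok {
		return errors.New("unknown user")
	}
	var cd clientData
	if err := json.Unmarshal(cdJSON, &cd); err != nil {
		return err
	}
	if !bytes.Equal(cd.Challenge, expected) {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != rp.Origin {
		return errors.New("origin mismatch: assertion was made for a different site")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(rp.ID, cdJSON), sig) {
		return errors.New("signature does not verify against stored public key")
	}
	return nil
}

// Demo runs registration and login and checks the three properties the article relies on.
func Demo() error {
	rp := NewRelyingParty("example.com", "https://example.com") // constructed values
	dev := NewAuthenticator()
	if err := dev.Register(rp, "alice"); err != nil {
		return err
	}
	// 1. Normal login succeeds.
	ch, err := rp.NewChallenge()
	if err != nil {
		return err
	}
	cd, sig, err := dev.Assert(rp.ID, rp.Origin, "alice", ch)
	if err != nil {
		return err
	}
	if err := rp.Verify("alice", ch, cd, sig); err != nil {
		return fmt.Errorf("genuine login rejected: %w", err)
	}
	// 2. A replayed assertion fails against a fresh challenge.
	ch2, _ := rp.NewChallenge()
	if rp.Verify("alice", ch2, cd, sig) == nil {
		return errors.New("replayed assertion was accepted")
	}
	// 3. A different domain (constructed look-alike) has no credential on the device, so no assertion exists.
	if _, _, err := dev.Assert("example-login.net", "https://example-login.net", "alice", ch2); err == nil {
		return errors.New("device produced an assertion for an unregistered domain")
	}
	// The RP store contains public keys only; nothing in it can produce a signature.
	return nil
}

func main() {
	if err := Demo(); err != nil {
		fmt.Println("FAIL:", err)
		return
	}
	fmt.Println("registration, login, replay rejection and domain binding all behave as expected")
}
```

The replay and wrong-domain checks are the two properties that matter operationally: a server-side leak of `rp.credentials` exposes nothing usable, and a device only answers for the relying party id it registered with.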

The decision to integrate passkey support follows various high-profile accounts on X being taken over by hackers. For example, the X account of the US Securities and Exchange Commission (SEC) was breached earlier this month and shared links supporting a certain bitcoin product.

X attributed this breach to an “unidentified individual” who got control of a phone number associated with the account through a third party. X also said the SEC account “did not have two-factor authentication (2FA) enabled at the time the account was compromised”.

However, X also limited access to some forms of 2FA last year, when it made the version that uses text messages available only to users that pay for a premium version of the site.

Currently, non-subscribers who want to retain 2FA on their accounts have to choose between an authentication app and a security key. Last year, X cited abuse of text-message 2FA by bad actors as the reason for this change.


Leigh Mc Gowran is a journalist with Silicon Republic

editorial@siliconrepublic.com