There are hardware for that called hardware security modules, but yeah I definitely wouldn’t trust Twitter’s implementation - especially because they probably just need the auth team to tell the HSM that the user logged in when they didn’t to get that key
A proper implementation would use multiple security measures and require a reset (delete) of certain private account data before the account access can be reset, otherwise the user’s password would be needed (for key derivation) or some other secret held by the user’s devices (in the TPM chip or equivalent)
I’ve run a cryptography forum for 10 years. I can tell snake oil from the real deal.
Musk’s Twitter doesn’t know how to do key distribution. The only major company using HSMs the way Musk intends to is Apple, and they have far more and much more experienced cryptographers than X does.
There are hardware for that called hardware security modules, but yeah I definitely wouldn’t trust Twitter’s implementation - especially because they probably just need the auth team to tell the HSM that the user logged in when they didn’t to get that key
A proper implementation would use multiple security measures and require a reset (delete) of certain private account data before the account access can be reset, otherwise the user’s password would be needed (for key derivation) or some other secret held by the user’s devices (in the TPM chip or equivalent)
So again, you think you know better than the employee simply because you want it to be done incorrectly.
I’ve run a cryptography forum for 10 years. I can tell snake oil from the real deal.
Musk’s Twitter doesn’t know how to do key distribution. The only major company using HSMs the way Musk intends to is Apple, and they have far more and much more experienced cryptographers than X does.