Twitter’s recent decision to remove blue check marks from accounts it has previously verified causes a number of issues for the platform and its users. One of the most obvious ones is around authentic identity. Without verification, how do I know that a particular account really does belong to the person or organisation who claims to own it? Blue ticks made this a little clearer but without them it is much easier for fake and impersonation accounts to flourish. So how can Twitter account users verify their identities and prove that their accounts are authentically theirs?
Fortunately help is at hand. The need to prove the authenticity of one’s identity is not a new problem in the world of information security and solutions exist to help prove that the users and services really are who they claim to be. By using cryptography it is possible to verify our identities beyond all doubt, and so if we can link cryptographic proofs to the websites and social media accounts that we own then we can prove irrefutably that they are ours.
Cryptography is complicated but you don’t need advanced technical skills to take advantage of its benefits. Keybase is a web-based service that makes it easy to incorporate cryptographic keys into online identities with proofs. Keybase uses public key cryptography to provide services like end-to-end encrypted chat and file sharing but it also offers the ability for users to cryptographically verify that they own a particular social media account or website.
After you create a Keybase account and install and set up Keybase on your device (ideally on more than one device), Keybase allows you to claim and prove ownership of social media accounts and websites that you own. Keybase does this by providing cryptographic proofs that users can add to the Twitter accounts and websites that they own, thereby proving that the same person who owns a Twitter account also owns a particular website.
Use Case: Twitter Account Verification
Suppose you’re a Twitter user who has just lost your blue tick and you’re worried about people making fake profiles to impersonate you and your company. You could negate this problem by using Keybase to cryptographically prove that your Twitter account is also definitively linked to your website and/or other social media accounts, thereby removing any doubt that you are who you say you are.
Here’s what this looks like in practice. After installing Keybase and setting up my account, my public profile shows that I have verified ownership of both my Twitter account and this website.
Here’s the cryptographic proof for my Twitter account. This Tweet is automatically generated by Keybase for me to paste into Twitter. Keybase then scans my profile to check for an exact match for the long random string of letters and numbers. If it finds the matching string, it will be able to verify that the account is linked to my Keybase profile. If it can’t, it won’t.
By clicking on the link in my verification Tweet you can go to my Keybase profile where Keybase will confirm that my Twitter account does genuinely belong to me.
Notice that in my Keybase profile I have also verified that I control the domain nixintel.info. I did this by adding a cryptographically signed file generated by Keybase and uploading it to my server where it can be publicly viewed and verified. So you can see how you can use this technique to prove that your Twitter account is also associated to your website.
If you have multiple Keybase users that belong to the same organisation, such as a particular news website, it is also possible to add multiple signatures to the website verification file. So if you are a news organisation whose journalists have just lost their blue checks and are worried about impersonators, one solution would be for each journalist to create Keybase profiles that verify their Twitter accounts and then also add their signatures to the Keybase verification file on the organisation’s website. That way they will be able to prove irrefutably that they own their Twitter account and that they really do work for the organisation where their signature file is stored. You can see how Keybase have implemented this on their own site here.
But what’s to stop any random impersonator copying my verification Tweet or website file and trying to clone my profile? It might seem like an obvious way to work around the verification but it’s doomed to failure. Why so? Since Keybase derives the Twitter profile and website file proofs from cryptographic keys that are stored only on my devices, anyone who just copied the public proofs and pasted them into a fake site or profile would fail the Keybase verification process because they don’t have the necessary matching private keys. They would never be able to display the proof of ownership in their Keybase profile in a way that a genuine account holder would.
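Why a copied proof fails, as an added sketch that is not Keybase's own code or proof format: the statement layout, the function names and the handles are assumptions made for illustration, and a Lamport one-time signature built from `hashlib` stands in for Keybase's real signing keys so that it runs with only the standard library.

```python
import hashlib, json, secrets

def H(b):
    return hashlib.sha256(b).digest()

# Lamport one-time signature (one key signs one message): stand-in for real device keys.
def keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def _bits(msg):
    return [int(c) for c in format(int.from_bytes(H(msg), "big"), "0256b")]

def sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(_bits(msg))]

def verify(pk, msg, sig):
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, _bits(msg))))

def make_proof(sk, keybase_user, service, handle):
    # Hypothetical statement layout: binds the Keybase user to one named account.
    stmt = json.dumps({"keybase": keybase_user, "service": service,
                       "handle": handle}, sort_keys=True).encode()
    return {"statement": stmt, "sig": sign(sk, stmt)}

def check_proof(profile_pk, proof, seen_service, seen_handle):
    # Run by a verifier that found `proof` posted by seen_handle on seen_service.
    if not verify(profile_pk, proof["statement"], proof["sig"]):
        return "bad signature"
    claim = json.loads(proof["statement"])
    if (claim["service"], claim["handle"].lower()) != (seen_service, seen_handle.lower()):
        return "proof names a different account"
    return "verified"

def demo():
    # Constructed identities; the private key never leaves the owner's device.
    sk, pk = keygen()
    proof = make_proof(sk, "alice", "twitter", "alice_real")
    genuine = check_proof(pk, proof, "twitter", "alice_real")
    # Impersonator pastes the copied proof tweet onto a look-alike account.
    copied = check_proof(pk, proof, "twitter", "alice_rea1")
    # Impersonator rewrites the statement to name their account, reusing the signature.
    edited = dict(proof, statement=proof["statement"].replace(b"alice_real", b"alice_rea1"))
    forged = check_proof(pk, edited, "twitter", "alice_rea1")
    return genuine, copied, forged

if __name__ == "__main__":
    print(demo())
```

The copied proof still carries a valid signature, but it names the original account, so it cannot vouch for the look-alike; changing the named account invalidates the signature, and only the holder of the private key can produce a new one.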
Keybase verification is not a direct replacement for all of the features and visibility of a Twitter blue check, but it does prove with cryptographic certainty that users own the accounts and websites that they claim to. It’s also an extremely powerful way to expose fakes and discredit impersonators since they cannot produce the cryptographic proof that genuine accounts can.
The only other thing to consider is how do you let your followers know how to verify you with Keybase?
Once you’ve added your proof tweet, you can make it your pinned Tweet. It isn’t essential that you pin it, but the tweet needs to stay in your feed so it can be verified by others. Another technique is simply to add a link to your Keybase profile in your Twitter bio or a link directly to your verification tweet. It’s not as visible as a blue check mark, but it is certainly a reliable way of proving your account ownership and authenticity. You also don’t need to pay $8 a month for basic cryptography.
For a previous article on the OSINT opportunities that Keybase presents, click here.