I’m pretty sure Twitter is still (mostly) working from home like all the other tech companies in the area, so a physical proximity requirement is out. A VPN requirement could work; in theory there’s no reason a VPN login is any more inherently secure than the login to whatever admin panel they’re using, but in practice VPNs can help centralize security policies across many applications. (I have no idea what Twitter’s systems look like, though.)
People are generally far less likely to give out credentials to their VPN or personal accounts than they are to give out passwords to a random application. Additionally, requiring a VPN increases the barrier to entry to accessing the application, as you could have additional requirements for a VPN (such as 2FA and a device certificate).