[comex]

I’m pretty sure Twitter is still (mostly) working from home like all the other tech companies in the area, so a physical proximity requirement is out. A VPN requirement could work; in theory there’s no reason a VPN login is any more inherently secure than the login to whatever admin panel they’re using, but in practice VPNs can help centralize security policies across many applications. (I have no idea what Twitter’s systems look like, though.)

[tjohns]

> there’s no reason a VPN login is any more inherently secure than the login to whatever admin panel they’re using

VPN credentials can also be tied to a device certificate, which can be securely stored in the machine’s TPM.

This prevents VPN login from anything except a company issued machine. You don’t get this with normal password auth.

[_kbh_]

People are generally far less likely to give out credentials to their VPN or personal accounts than they are to give out passwords to a random application. Additionally requiring a VPN increases the barrier to entry to accessing the application as you could have additional requirements to a VPN (such as a 2FA and device certificate).