by thallada 2166 days ago
Twitter is not an average company. As one of the top 40 internet companies, they are in the position of setting industry standards. I think it's fair to expect more than what the average company does from Twitter.
2 comments

For security internally, sure. Mandating that every one of your customers has a Yubikey is somewhat trickier to do in practice, and a nightmare to manage the logistics around lost keys.

I personally have 3 Yubikeys: one on my keyring, one in my small first aid kit (which is kept in my backpack and usually close to me), and one that doesn't ever travel with me. We give our staff Yubikeys and require them to use them for services where we have customer data (including logins to our own service).

And we support them for our customers to use, but mandating that all our customers have physical 2FA devices to protect their own accounts is still a bridge very much too far today.

> Mandating that every one of your customers has a Yubikey is somewhat trickier to do in practice, and a nightmare to manage the logistics around lost keys.

Mandating that everyone that has access to your admin console has a U2F key, on the other hand, seems like a perfectly reasonable expectation for a company of Twitter's stature.

Oh yes, for sure. That makes sense even with a fairly big distributed support/safety team.
Arguably top 10, no?