Twitter users are turning to the long-established federated community system known as Mastodon as the Musk era brings chaos to the ‘bird site’ social network. But how can you best secure a Mastodon account?
As even more employees leave Twitter following Elon Musk’s 48-hours-to-quit ultimatum, and previously banned accounts return, the social network could be facing its most perilous weeks since going into private ownership. For many Twitter users, the escape route to another network is coming via Mastodon. The Twitter infosec community is already establishing a healthy Mastodon presence, but many non-infosec users are asking how secure the federated community network is.
Is Mastodon a secure social network?
The first mistake that people migrating to Mastodon from Twitter make is expecting it to be a like-for-like replacement. It isn’t, and it’s all the better for that. This article is not a guide to what Mastodon is and isn’t; there are plenty of those already out there. Take a look at this Wired tutorial for how to get started on Mastodon and, of course, the official Mastodon Help Guide.
OK, so what this article is going to cover is how best to secure your new Mastodon account. This is a guide to setting it up securely, nothing more. Questions still remain about broader security issues, especially around vulnerabilities that could sit within individual instances. Mastodon instances are self-funded, reliant upon donations from members and the goodwill of the administrator.
“Each instance is managed by an administrator, who has control over the infrastructure and the software running on the servers,” Melissa Bischoping, a director and endpoint security research specialist at Tanium, says. “This means that you are placing trust in the administrators to secure and maintain their instance and trusting they will protect your account. Because many of these are small teams or individual operators without large budgets or security teams, you should not assume that any instance is secure or private.”
What you should do, however, is choose your Mastodon instance carefully. I am a member of the ‘infosec.exchange’ community which, as you might imagine, takes matters of security very seriously.
Securing a new Mastodon account
OK, with that out of the way, let’s start at the beginning of Mastodon account creation, and that means selecting a strong password or passphrase. C’mon folks, if you’ve been reading any of my output over the decades, you already knew I was going to say this. Go strong and long, use a password manager to employ truly random and all but impossible-to-remember password strings, or take the passphrase route if you prefer. If you do opt for the latter, make sure you don’t fall into the Trump trap: related words such as Person Woman Man Camera TV do not a strong passphrase make.
Set up two-factor authentication for your Mastodon account
Your login credentials need more protection than just that strong password, though; they need a second layer. That, again no surprise, means enabling two-factor authentication. To do this, head for Preferences|Account settings|Two-factor Auth.
Get verified on Mastodon without paying $8 to Elon Musk
Another feature that I would include under the broad security umbrella is user verification. Because Mastodon is comprised of a myriad of individual instances, which are separate servers overseen by different admins, anyone can sign up at any instance where you are not registered and pretend to be you. This may or may not be problematic for you, but it really should be, whether you are a person of interest or otherwise. Impersonation can be very harmful on both personal and professional levels.
You will see accounts with Twitter-like blue checkmarks on Mastodon, but these are just images placed there by the account holder. I have both a blue checkmark and one crossed through on mine, for example. I recommend, therefore, using the profile metadata verification feature. This links the website address in your profile to your website, which in turn links back to your profile. Once the link is established in both directions, the website entry appears in green with a checkmark. It does require you to edit a bit of HTML on your website, or use something like the Social Icons block on a WordPress site running the Gutenberg editor. Essentially, you’ll need to insert a link somewhere on your home page in the form of:
Yes, I appreciate that a determined scammer could set up a website with a URL close to yours and link to that to get a verification this way. It’s not perfect, but it is better than the appearance of being verified by paying $8 a month in my never humble opinion. Yes, Twitter is bringing in some new granularity to verified accounts, but the paid-for ‘blue tick’ problem will likely not go away. As you can see from my Mastodon profile, there are also third-party verification services in certain niches. PressCheck has been established by Dave Lee, a well-respected journalist covering technology for the Financial Times.
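As an added example (not code from this article or from the Mastodon project), here is the back-link check that profile metadata verification relies on, written in Python: Mastodon looks for a link on your website that carries the rel="me" attribute and points back to your profile. The sample HTML and the profile address are constructed, and the exact-host-and-path comparison rule is this example’s own simplification rather than Mastodon’s implementation; it is what keeps a link to a lookalike instance or a different account from counting as verified.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class RelMeParser(HTMLParser):
    """Collect href values of <a> and <link> elements that carry rel="me"."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "link"):
            return
        attr = dict(attrs)
        rel_tokens = (attr.get("rel") or "").lower().split()
        if "me" in rel_tokens and attr.get("href"):
            self.links.append(attr["href"])


def normalize(url):
    """Reduce a URL to (host, path) so the comparison is exact on the host,
    not a loose substring match that a lookalike domain could satisfy."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    path = parts.path.rstrip("/") or "/"
    return host, path


def backlink_verified(site_html, profile_url):
    """True only if the page contains a rel="me" link to exactly this profile."""
    parser = RelMeParser()
    parser.feed(site_html)
    wanted = normalize(profile_url)
    return any(normalize(href) == wanted for href in parser.links)


# Constructed sample page: a <link> in the head plus a visible <a>, both rel="me".
SAMPLE_SITE = """<html><head>
<link rel="me" href="https://infosec.exchange/@example">
</head><body>
<a href="https://infosec.exchange/@example" rel="me">Mastodon</a>
</body></html>"""

# Constructed page that links to the profile but without rel="me": not verified.
PLAIN_LINK_SITE = '<a href="https://infosec.exchange/@example">Mastodon</a>'
```
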