How to use a two-factor security key - The Verge

How to use a two-factor security key

Use hardware to keep your data safe

Photo by Stefan Etienne / The Verge

Two-factor authentication is a good way to add an extra layer of security to online accounts. It requires the use of your smartphone, however, which is not only inconvenient, but it can be a problem if your phone is lost or breached. Hardware security keys can offer an extra layer of security to password-protected online accounts and, in turn, your identity. They’re also not hard to install. Here’s how to set them up for your Google account, Facebook, and Twitter.

Security keys connect to your system using USB-A, USB-C, or Bluetooth, and they are small enough to carry on a keychain (with the exception of Yubico’s USB-C nano key, which is so small that it is safest left in your computer’s USB port). They mainly use an open authentication standard called FIDO U2F. There is also a newer FIDO2 standard, although not all keys or applications support it yet.

When you insert a security key into your computer (or connect it wirelessly) and press the button on the key, your browser sends the key a challenge that includes the domain name of the specific site you are trying to access. The key cryptographically signs that challenge, and the site verifies the signature to log you in. Because the site’s domain is part of what gets signed, a signature produced while you are on a look-alike phishing domain is not accepted by the real site.

Many sites support U2F security keys, including Twitter, Facebook, Google, Instagram, GitHub, Dropbox, Electronic Arts, Epic Games, Microsoft account services, Nintendo, Okta, and Reddit. You can also use a key to log in to macOS, but not Windows — not yet, anyway. The FIDO2 standard can use Windows Hello together with Microsoft’s Edge browser to authenticate to Windows if the key supports it. However, as far as we know, keys cannot be used on some devices, such as Android TVs or Nvidia Shields, so do your research beforehand.

There is a setup process that is necessary before you can use a security key. After that, securely accessing your online profile on a site is a simple matter of entering your password, inserting the key, and tapping the button.

Keep in mind that you can’t copy, migrate, or save security key data between keys (even if the keys are the same model). That is by design, so keys can’t be easily duplicated and used elsewhere. If you lose your security key, you can use your cellphone’s two-factor authentication or authenticator app to get in. Then, if you want to use a new key, you will have to go through the process of re-authorizing it on each of your accounts all over again.

Which security key should I use?

There are several available brand choices. Yubico, which is one of the developers of the FIDO U2F authentication standard, sells several different versions. Google sells its own U2F key, called the Titan (which has come under scrutiny for being manufactured in China). Google does include a spare key that has a Bluetooth function, but that has to be charged, which could be an issue if it suddenly runs out of power at an inconvenient time. Other U2F key manufacturers include Kensington and Thetis, which also offer USB-A keys but lack USB-C variants.

For this how-to, I used the YubiKey 5 NFC security key, which fits into a USB-A port for desktops, but it also works with Android phones and the iPhone via NFC. The process is pretty much the same for all hardware security keys, though.

Pairing a key to your Google account

In order to use a security key with your Google account (or any account), you need to already have two-factor authentication set up.

  • Log in to your Google account, and click on your profile icon on the upper right-hand corner. Select “Google Account.”
  • On the left-hand menu, click on “Security.” Scroll down until you see “Signing in to Google.” Click on the “2-step verification” link. At this point, you may need to sign in to your account again.
  • Scroll down until you see “Set up alternative second step.” Look for the “Security Key” option and click on “Add Security Key.”
  • You’ll get a box telling you to make sure the key is nearby but not plugged in. Click “Next.”
  • Insert your key into your computer port. Tap the button on the key, then click “Allow” once you see the Chrome pop-up asking to read the make and model of your key.
  • Give your key a name.
  • Now you’re set! You can come back to your Google account’s 2FA page to rename, add, or remove additional keys.

Pairing a key to your Twitter account

  • Log in to your Twitter account and click on your profile icon on the upper right-hand corner. Select “Settings and privacy” from the drop-down menu.
  • Look for the “Security” heading. If you haven’t yet set up two-factor verification, you’ll see a button that reads “Set up login verification.” You’ll get a pop-up that tells you about login verification. Click on “Start.”
  • Reenter your password and hit “Confirm.” You will be sent an SMS message to verify your phone number.
  • You will be sent back to the Security page. Click on “Review your login verification methods.”
  • Look for “Security key” and click on “Set up.” Select “Start.”
  • Insert your key into your USB port, then press the key’s button. The setup wizard may ask you to press it again. Go ahead and press it again.
  • The window should refresh to say, “You’re all set.” Press “Got it.” And now you’ve added a security key to your Twitter account.
  • If you’ve changed your mind or want to remove the security key, go back to the “Login verification” page, select “Edit” near the “Security key” category, then select “Off” and “Save changes.”

Pairing a key to your Facebook account

  • Log in to your Facebook account. Click on the drop-down menu icon on the upper right-hand corner and select “Settings.”
  • Now you’re at “General Account Settings.” Select the “Security and Login” link from the left sidebar.
  • Scroll down until you see the section labeled “Two-Factor Authentication.” Click “Edit” on the “Use two-factor authentication” option.
  • Click on “Get Started” to set up a text message or an authentication app as your two-factor method.
  • Head back to “Two-Factor Authentication” and scroll down to “Add a Backup.” Select “Setup” for the Security Key option.
  • Enter your Facebook password and click “Submit.” Insert your security key into the USB port and tap the key’s button. You should get a confirmation pop-up.
  • You can revisit the “Two-Factor Authentication” page from “Security and Login” to add, remove, or rename security keys tied to your account.
