Two-factor authentication is a great way to add an extra layer of security to online accounts. However, it requires the use of your smartphone, which is not only inconvenient but can also be a problem if your phone is lost or hacked. Hardware security keys can provide an extra layer of security for password-protected online accounts and, in turn, your identity. They are also not difficult to install. Here’s how to set them up for your Google account, Facebook, and Twitter.
Security keys can connect to your system via USB-A, USB-C, Lightning, or NFC, and they’re small enough to carry on a keychain (with the exception of Yubico’s 5C Nano key, which is so small it’s most secure if stored in your computer’s USB port). They use different authentication standards: FIDO2, U2F, smart card, OTP and OpenPGP 3.
When you insert a security key into your computer or connect to it wirelessly, your browser issues a challenge to the key, which contains the domain name of the specific site you are trying to access. The key then cryptographically signs and authorizes the challenge, logging into the service.
Many sites support U2F security keys, including Twitter, Facebook, Google, Instagram, GitHub, Dropbox, Electronic Arts, Epic Games, Microsoft Account Services, Nintendo, Okta, and Reddit. Your best bet is to check your preferred security key’s website and see what services are supported – for example, here’s a link to the apps supported by YubiKeys.
An installation process is required before you can use a security key. After that, securely accessing your online profile on a site is a matter of entering your password, inserting the key and tapping the button.
Note that you cannot copy, migrate, or store security key data between keys (even if the keys are of the same model). It’s designed that way, so keys can’t be easily duplicated and used elsewhere. If you lose your security key, you can use two-step verification on your mobile phone or an authentication app. Then, if you want to use a new key, you’ll have to go through the process of re-authorizing your accounts all over again.
Which security key should I use?
Several brand choices are available. Yubico, one of the developers of the FIDO U2F authentication standard, sells several versions. Google sells its own U2F key, called the Titan, which comes in three versions: USB-C, USB-A / NFC or Bluetooth / NFC / USB. Other U2F keys include Kensington’s USB-A fingerprint assist key, and the Thetis USB-A Key.
For this how-to we used the YubiKey 5C NFC security key, which fits into a USB-C port but also works with phones via NFC. However, the process is quite similar for all hardware security keys.
Link a key with your Google account
To use a security key with your Google account (or any other account), you must already have two-factor authentication set up.
- Sign in to your Google account and select your profile icon in the top right corner. Then choose ‘Manage your Google account’.
- Click on ‘Security’ in the left menu. Scroll down until you see “Sign in to Google.” click on the link “Two-step verification”. At this point, you may need to re-login to your account.
- Scroll down until you see the “Add more second steps to verify it’s you” heading. Look for the option “Security key” and click “Add security key”.
- A pop-up window will appear with your options, including devices with built-in security keys and the ability to use an external security key. Select “USB or Bluetooth / External Security Key”.
- You will see a box saying to check if the key is nearby but not plugged in. You will also see an option to use only the security key as part of Google’s Advanced Security Program (which is intended for users with “high visibility and sensitive information“). Assuming you don’t fall into that category, click “Next.”
- In the next box you can register your security key. Insert your key into your computer port. Press the button on the key and then click “To allow” once you see the Chrome popup asking you to read the make and model of your key.
- Give your key a name.
- Now you are done! You can return to your Google account 2FA page to rename or delete your key.
Link a key with your Twitter account
- Log in to your Twitter account and click “More” in the left column. Select “Settings and privacy” in the menu.
- Under the “Settings” heading, select “Security & Account Access” > “Security” > “Two-Factor Authentication”.
- You’ll see three choices: “Text Message,” “Authentication App,” and “Security Key.” click on “Security key”. At this point, you will likely be prompted for your password.
- Select ‘Start’.
- Insert your security key into your computer’s port, then press the key’s button.
- The window should refresh to say: “Security key found”. Type a name for your key and click “Next one”.
- The window now says ‘You’re all set’. It also gives you a one-time use backup code that you can use if you don’t have access to any of your other login methods. Copy that code and put it somewhere safe.
- If you’ve changed your mind and want to delete the security key, go back to the “Two-Factor Authentication” page and select “Manage Security Keys.”
- Click on the name of the key, then choose “Remove Key.” You must enter your password and confirm that you want to delete the key.
Link a key with your Facebook account
- Log in to your Facebook account. Click the triangle in the top right corner and select Settings & Privacy > Settings.
- Now you are at ‘General Account Settings’. Select the link “Security and Login” in the left sidebar.
- Scroll down until you see the section labeled “Two-Factor Authentication.” click on “edit” at the option “Using Two-Factor Authentication”. You may be asked for your password.
- If you have not set up 2FA, you will be given three choices: “Verification App”, “Text message (SMS)” and “Security key”. It is recommended that you use an authentication app as your primary security, but if you prefer you can just click on ‘Security Key’.
- If you have set up 2FA, you will find the option “Security key” below “Add a backup method”.
- Either way, you’ll get a pop-up window; click on “Register security key”. You will be prompted to enter your security key and press the corresponding button.
- And that’s it. If you are not using 2FA, you will now be prompted for the security key when logging in from an unrecognized device or browser. If you do, you can use your key if you can’t access your authentication app.
- If you no longer want to use the key, go back to “Two-Factor Authentication”, find “Security Key” under “Your Security Method” and click “Manage My Keys”.