How to use a two-factor security key
Illustration by Maria ChimishkyanTwo-factor authentication is a good way to add an extra layer of security to online accounts. It requires the use of your smartphone, however, which is not only inconvenient, but can be a problem if your...
Two-factor authentication is a good way to add an extra layer of security to online accounts. It requires the use of your smartphone, however, which is not only inconvenient, but can be a problem if your phone is lost or breached. Hardware security keys can offer an additional layer of security to password-protected online accounts and, in turn, your identity. They’re also not hard to install. Here’s how to set them up for your Google account, Facebook, and Twitter.
Security keys can connect to your system using USB-A, USB-C, Lightning, or NFC, and they’re small enough to be carried on a keychain (with the exception of Yubico’s 5C Nano key, which is so small that it’s safest when kept in your computer’s USB port). They use a variety of authentication standards: FIDO2, U2F, smart card, OTP, and OpenPGP 3.
When you insert a security key into your computer or connect one wirelessly, your browser issues a challenge to the key, which includes the domain name of the specific site you are trying to access. The key then cryptographically signs and allows the challenge, logging you in to the service.
Many sites support U2F security keys, including Twitter, Facebook, Google, Instagram, GitHub, Dropbox, Electronic Arts, Epic Games, Microsoft account services, Nintendo, Okta, and Reddit. The best thing to do is to check the website of your security key of choice and see which services are supported — for example, here’s a link to the apps supported by YubiKeys.
A setup process is necessary before you can use a security key. After that, securely accessing your online profile on a site is a simple matter of entering your password, inserting the key, and tapping the button.
Keep in mind that you can’t copy, migrate, or save security-key data between keys (even if the keys are the same model). That is by design, so keys can’t be easily duplicated and used elsewhere. If you lose your security key, you can use two-factor authentication on your cellphone or an authenticator app. Then, if you want to use a new key, you will have to go through the process of reauthorizing your accounts all over again.
Which security key should I use?
Several brand choices are available. Yubico, one of the developers of the FIDO U2F authentication standard, sells several different versions. Google sells its own U2F key, called the Titan, which comes in three versions: USB-C, USB-A / NFC, or Bluetooth / NFC / USB. Other U2F keys include Kensington’s USB-A fingerprint-supporting key, and the Thetis USB-A key.
For this how-to, we used the YubiKey 5C NFC security key, which fits into a USB-C port but also works with phones via NFC. The process is pretty similar for all hardware security keys, though.
Pairing a key with your Google account
In order to use a security key with your Google account (or any account), you need to have already set up two-factor authentication.Log in to your Google account, and select your profile icon in the upper-right corner. Then choose “Manage your Google Account.” In the left-hand menu, click on “Security.” Scroll down until you see “Signing in to Google.” Click on the “2-step Verification” link. At this point, you may need to sign in to your account again. Go to “Security” > “Signing in to Google” > “2-step Verification.” Scroll down until you see the “Add more second steps to verify it’s you” heading. Look for the “Security Key” option and click on “Add Security Key.” A pop-up box will list your options, which include devices that have built-in security keys and the option to use an external security key. Select “USB or Bluetooth / External security key.” You’ll see a box telling you to make sure the key is nearby but not plugged in. You’ll also see an option to use only the security key as part of Google’s Advanced Protection Program (which is for users with “high visibility and sensitive information”). Assuming you don’t fall into that category, click “Next.” The next box lets you register your security key. Insert your key into your computer port. Press the button on the key, then click “Allow” once you see the Chrome pop-up asking to read the make and model of your key. Give your key a name. Now you’re set! You can come back to your Google account’s 2FA page to rename or remove your key.