How to use a two-factor security key

Two-factor authentication is a good way to add an extra layer of security to online accounts. It requires the use of your smartphone, however, which is not only inconvenient, but can be a problem if your phone is lost or breached. Hardware security keys can offer an additional layer of security to password-protected online accounts and, in turn, your identity. They’re also not hard to install. Here’s how to set them up for your Google account, Facebook, and Twitter.

Security keys can connect to your system using USB-A, USB-C, Lightning, or NFC, and they’re small enough to be carried on a keychain (with the exception of Yubico’s 5C Nano key, which is so small that it’s safest when kept in your computer’s USB port). They use a variety of authentication standards: FIDO2, U2F, smart card, OTP, and OpenPGP 3.

When you insert a security key into your computer or connect one wirelessly, your browser issues a challenge to the key, which includes the domain name of the specific site you are trying to access. The key then cryptographically signs and allows the challenge, logging you in to the service.

Many sites support U2F security keys, including Twitter, Facebook, Google, Instagram, GitHub, Dropbox, Electronic Arts, Epic Games, Microsoft account services, Nintendo, Okta, and Reddit. The best thing to do is to check the website of your security key of choice and see which services are supported — for example, here’s a link to the apps supported by YubiKeys.

A setup process is necessary before you can use a security key. After that, securely accessing your online profile on a site is a simple matter of entering your password, inserting the key, and tapping the button.

Keep in mind that you can’t copy, migrate, or save security-key data between keys (even if the keys are the same model). That is by design, so keys can’t be easily duplicated and used elsewhere. If you lose your security key, you can use two-factor authentication on your cellphone or an authenticator app. Then, if you want to use a new key, you will have to go through the process of reauthorizing your accounts all over again.

Which security key should I use?

Several brand choices are available. Yubico, one of the developers of the FIDO U2F authentication standard, sells several different versions. Google sells its own U2F key, called the Titan, which comes in three versions: USB-C, USB-A / NFC, or Bluetooth / NFC / USB. Other U2F keys include Kensington’s USB-A fingerprint-supporting key, and the Thetis USB-A key.

For this how-to, we used the YubiKey 5C NFC security key, which fits into a USB-C port but also works with phones via NFC. The process is pretty similar for all hardware security keys, though.

Pairing a key with your Google account

In order to use a security key with your Google account (or any account), you need to have already set up two-factor authentication.

Log in to your Google account, and select your profile icon in the upper-right corner. Then choose “Manage your Google Account.” In the left-hand menu, click on “Security.” Scroll down until you see “Signing in to Google.” Click on the “2-step Verification” link. At this point, you may need to sign in to your account again. Go to “Security” > “Signing in to Google” > “2-step Verification.” Scroll down until you see the “Add more second steps to verify it’s you” heading. Look for the “Security Key” option and click on “Add Security Key.” A pop-up box will list your options, which include devices that have built-in security keys and the option to use an external security key. Select “USB or Bluetooth / External security key.” You’ll see a box telling you to make sure the key is nearby but not plugged in. You’ll also see an option to use only the security key as part of Google’s Advanced Protection Program (which is for users with “high visibility and sensitive information”). Assuming you don’t fall into that category, click “Next.” The next box lets you register your security key. Insert your key into your computer port. Press the button on the key, then click “Allow” once you see the Chrome pop-up asking to read the make and model of your key. Give your key a name. Now you’re set! You can come back to your Google account’s 2FA page to rename or remove your key.

Pairing a key with your Twitter account

Log in to your Twitter account and click on “More” in the left-hand column. Select “Settings and privacy” from the menu. Under the “Settings” heading, select “Security and account access” > “Security” > “Two-factor authentication.” You’ll see three choices: “Text message,” “Authentication app,” and “Security key.” Click on “Security key.” You’ll probably be asked for your password at this point. Select “Start.” Once your security key is registered, you receive a just-in-case backup code (deleted here). Insert your security key into your computer’s port, then press the key’s button. The window should refresh to say, “Security key found.” Type in a name for your key and click “Next.” The window will now read “You’re all set.” It will also give you a single-use backup code to use if you don’t have access to any of your other log-in methods. Copy that code and put it somewhere safe. If you’ve changed your mind and want to remove the security key, go back to the “Two-factor authentication” page and select “Manage security keys.” Click on the name of the key, and then choose “Delete key.” You’ll need to enter your password and verify that you want to delete the key.

Pairing a key with your Facebook account

Log in to your Facebook account. Click on the triangle icon on the upper-right corner and select “Settings & Privacy” > “Settings.” Now you’re at “General Account Settings.” Select the “Security and Login” link from the left sidebar. Scroll down until you see the section labeled “Two-Factor Authentication.” Click “Edit” on the “Use two-factor authentication” option. You may be asked for your password. If you don’t have 2FA set up, you’ll be given three choices: “Authentication App,” “Text Message (SMS),” and “Security Key.” It’s recommended that you use an authenticator app as your primary security, but if you prefer, you can just click on “Security Key.” You can use a security key as your main authentication method. If you do have 2FA set up, then you’ll find the “Security Key” option under “Add a Backup Method.” Either way, you’ll get a pop-up box; click on “Register Security Key.” You’ll be instructed to insert your security key and press its button. And that’s it. If you don’t use 2FA, you’ll now be asked for the security key if you log in from an unrecognized device or browser. If you do, you can use your key if you don’t have access to your authentication app. If you no longer want to use the key, go back to “Two-Factor Authentication,” find “Security Key” under “Your Security Method,” and click on “Manage my keys.”