Two-factor authentication is a good way to add an extra layer of security to online accounts. However, this requires the use of your smartphone, which is not only inconvenient but can also be a problem if your phone is lost or damaged. Hardware security keys can provide an additional layer of security to password-protected online accounts and, therefore, your identity. They are also not difficult to install. Here's how to set them up for your Google, Facebook, and Twitter account.
ContentsWhich security key should I use?Link a key to your Google accountLink a key to your Twitter accountLink a key to your Facebook account
Security keys can connect to your system via USB-A , USB-C, Lightning, or NFC, and they're small enough to carry on a keychain (with the exception of Yubico's 5C Nano Key, which is so small it's most secure when carried). stored in your computer's USB port). They use a variety of authentication standards:FIDO2, U2F, smart card, OTP and OpenPGP 3.
When you insert a security key into your computer or connect one wirelessly, your browser issues a challenge to the key, which includes the domain name of the specific site you are trying to access. The key then cryptographically signs and authorizes the challenge, logging you into the service.
Many sites support U2F security keys, including Twitter, Facebook, Google, Instagram, GitHub, Dropbox, Electronic Arts, Epic Games, Microsoft Account Services, Nintendo, Okta, and Reddit . The best thing to do is to visit the website of the security key of your choice and see which services are supported. For example, here is a link to the applications supported by YubiKeys.
A configuration process is required before a security key can be used. After that, to securely access your online profile on a site, all you need to do is enter your password, insert the key and press the button.
Keep in mind that you cannot copy, migrate, or save security key data between keys (even if the keys are of the same model). This is by design, so the keys cannot be easily duplicated and used elsewhere. If you lose your security key, you can use two-factor authentication on your mobile phone or an authenticator app. Then, if you want to use a new key, you will have to start the process of reauthorizing your accounts again.
Which security key should I use?
Several brand choices are available. Yubico, one of the developers of the FIDO U2F authentication standard, markets several different versions. Google sells its own U2F key, called the Titan, which comes in three versions:USB-C, USB-A/NFC or Bluetooth/NFC/USB. Other U2F keys include the Kensington USB-A key that supports fingerprints, and the Thetis USB-A key.
For this tutorial, we used the YubiKey 5C NFC Security Key, which fits into a USB-C port but also works with phones via NFC. However, the process is quite similar for all hardware security keys.
Associate a key to your Google account
To use a security key with your Google Account (or any account), you must already have two-factor authentication set up.
- Sign in to your Google account and select your profile icon in the upper right corner. Next, choose "Manage your Google Account".
- In the left menu, click "Security". Scroll down until you see "Sign in to Google". Click the "2-Step Verification" link. At this point, you may need to log into your account again.
- Scroll down until you see the header "Add more second steps to verify this is you". Look for the "Security Key" option and click "Add Security Key".
- A pop-up lists your options, which include devices with built-in security keys and the option to use an external security key. Select "USB or Bluetooth / External Security Key".
- You will see a box telling you to make sure the key is nearby but not plugged in. You'll also see an option to only use the security key as part of Google's Advanced Protection Program (which is for users with "high visibility and sensitive information"). Assuming you don't fall into this category, click "Next".
- The next box allows you to save your security key. Insert your key into the port on your computer. Press the button on the key, then click "Allow" once you see the Chrome popup asking you to read your key's make and model.
- Name your key.
- Now you are ready! You can return to your Google Account 2FA page to rename or delete your key.
- Log in to your Twitter account and click "More" in the left column. Select "Settings &Privacy" from the menu.
- Under "Settings", select "Security &Account Access"> "Security"> "Two-Factor Authentication".
- You will see three choices:"SMS", "App Authenticator", and "Security Key". Click "Security Key". You will probably be prompted for your password at this point.
- Select "Start".
- Insert your security key into the port on your computer, then press the button on the key.
- The window should refresh to say "Security Key Found". Type a name for your key and click "Next".
- The window will now show "You are all together. It will also give you a one-time backup code to use if you don't have access to any of your other sign-in methods. Copy this code and put it in a safe place.
- If you've changed your mind and want to remove the security key, return to the "Two-Factor Authentication" page and select "Manage Security Keys".
- Click on the key name, then choose "Delete Key". You will need to enter your password and verify that you want to delete the key.
Associate a key to your Facebook account
- Log in to your Facebook account. Click the triangle icon in the upper right corner and select "Settings &Privacy"> "Settings".
- You are now in "General Account Settings". Select the "Security &Login" link in the left sidebar.
- Scroll down until you see the section titled "Two Factor Authentication". Click "Edit" on the "Use two-factor authentication" option. You may be prompted for your password.
- If you have not configured 2FA, you will have three choices:"Authenticator App", "Text Message (SMS)", and "Security Key". It is recommended to use an authenticator app as your primary security, but if you prefer, you can simply click on "Security Key".
- If you have configured 2FA, you will find the "Security Key" option under "Add Backup Method".
- In any case, you will get a popup window; click "Save Security Key". You will be prompted to insert your security key and press its button.
- And that's it. If you are not using 2FA, you will now be prompted for the security key if you log in from an unrecognized device or browser. If you do, you can use your key if you don't have access to your authenticator app.
- If you no longer want to use the key, return to "Two-factor authentication", find "Security key" under "Your security method", and click "Manage my keys".
