How to use a two-factor security key
Two-factor authentication is a good way to add an extra layer of security to online accounts. It requires the use of your smartphone, however, which is not only inconvenient, but it can be a problem if your phone is lost or breached. Hardware security keys can offer an extra layer of security to password-protected online accounts and, in turn, your identity. They’re also not hard to install. Here’s how to set them up for your Google account, Facebook, and Twitter.
Security keys connect to your system using USB-A, USB-C, or Bluetooth, and they are small enough to be carried on a keychain (with the exception of Yubico’s USB-C nano key, which is so small that it’s safest when kept in your computer’s USB port). They mainly use an open authentication standard called FIDO U2F. There is also an improved Fido2 standard, although not all the keys or applications use it.
When you insert a security key into your computer or connect it wirelessly and press a button on the key, your browser issues a challenge to the key, which includes the domain name of the specific site you are trying to access. The key then cryptographically signs and allows the challenge, logging you into the service.
Many sites support U2F security keys, including Twitter, Facebook, Google, Instagram, GitHub, Dropbox, Electronic Arts, Epic Games, Microsoft account services, Nintendo, Okta, and Reddit. You can also use it to log into macOS, but not Windows — not yet, anyway. The Fido2 standard can use Windows Hello together with Microsoft’s Edge browser to authenticate Windows if the key supports it.