Two factor authentication is a great way to add an extra security layer to online accounts. However, it requires the use of your smartphone, which is not only inconvenient, but it can be a problem if the phone is lost or broken. Hardware security keys can offer an extra layer of security to password-protected online accounts and, in turn, your identity. They are also not difficult to install. Here's how to set them up for your Google Account, Facebook and Twitter.
Security keys connect to your system with USB-A, USB-C or Bluetooth, and they are small enough to be carried on a keychain exception for Yubico's USB-C nano key, which is so small that it is safest when it is held in the computer's USB port). They mainly use an open authentication standard called FIDO U2F. There is also an improved Fido2 standard, but not all keys or applications use it.
When you insert a security key into your computer or connect it wirelessly and press a button on the key, your browser issues a challenge to the key, which includes the domain name of the specific site you are trying to access. The key then writes cryptographically and allows the challenge, log you into the service.
Many websites support U2F security keys, including Twitter, Facebook, Google, Instagram, GitHub, Dropbox, Electronic Arts, Epic Games, Microsoft Account Services, Nintendo, Octa and Reddit. You can also use it to log in to macOS, but not Windows ̵1; not yet, anyway. The Fido2 standard can use Windows Hello with Microsoft's Edge browser to authenticate Windows if the key supports it. But as far as we know, keys cannot be used on some devices, such as Android TV or Nvidia Shields, so do your research in advance.
There is an installation process that is necessary before you can use a security key. Then it is easy to access your password, enter the key and press the button to access your web profile on a website.
Keep in mind that you cannot copy, migrate or save security key data between the keys (even if the keys are the same model). It is of design, so keys cannot easily be duplicated and used elsewhere. If you lose your security key, you can use your mobile phone's two-factor authentication or authentication app. Then, if you want to use a new key, you have to go through the process of reauthorizing your accounts again.
Which security key should I use?
There are several brand choices available. Yubico, one of the developers of the FIDO U2F authentication standard, sells several different versions. Google sells its own U2F key, titled Titan (which has been under review to be manufactured in China). Google includes a backup key that has a Bluetooth feature, but it has to be charged, which can be a problem if it suddenly runs out of power at an uncomfortable time. Other U2F key manufacturers include Kensington and Thetis, which also offer USB-A keys but lack USB-C variants.
Here's how I used the YubiKey 5 NFC security key, which fits into a USB-A port for desktop computers, but it also works with Android phones and iPhone via NFC. The process is roughly the same for all hardware security keys.
Linking a key to your Google Account
In order to use a security key with your Google Account (or any account), you already need two-factor authentication.
- Sign in to your Google Account and click your profile icon in the upper right corner. Select "Google Account."
- On the left menu, click "Security." Scroll down until you see "Sign in to Google." Click on the "2-step verification" link. At this time, you may need to log in to your account again.
- Browse until you see "Configure Alternate Second Steps." Look for the "Security key" option and click "Add security key."
- You get a box that tells you that the key is nearby but not connected. Click "Next".
- Insert your key into the computer port. Press the button on the key and then click "Allow" when you see the Chrome popup and ask to read the tag and model on your key.
- Give your key a name.
- Now you're done! You can return to your 2FA Google Account page to rename, add or remove additional keys.
Link a key to your Twitter account
- Log in to your Twitter account and click on your profile icon in the upper right corner. Select "Settings and Privacy" from the drop-down menu.
- Look for the heading "Security". If you have not configured two-factor verification then you will see a button that reads "Enter login authentication." You get a popup telling you about login verification. Click "Start".
- Enter your password and press "Confirm." You will be sent an SMS message to verify your phone number.
- You will be sent back to the security page. Click "Review your login confirmation methods."
- Look for "Security key" and click "Set up." Select "Start".
- Insert your key into your USB port, then press the button. The installation wizard may prompt you to press it again. Go ahead and press it again.
- The window should be updated to say, "You are completely." Press "Got It". And now you have added a security key to your Twitter account.
- If you have changed your mind or want to remove the security key, go back to the "Login Confirmation" page, select "Edit" near the "Security Key" category, and then select "Off" and "Save Changes". "
Connect a key to your Facebook account
- Log in to your Facebook account. Click the drop-down menu in the upper right corner and select" Settings. "
- Now you are on" General Account Settings. "Select the link "Security and login" from the left sidebar.  Scroll until you see the "Two Factor Authentication" section. Click "Edit" in the "Use Two Factor Authentication" option.
- Click "Get Started" to set a text message or  an authentication app as your two-factor method.
- Return to "Two Factor Authentication" and scroll down to "Add a backup." Select "Setup" for the Security Key option.
- Enter your Facebook password and click "Send. "Insert your security key into the USB port, press your button. You should get a confirmation popup.
- You can see the" Two Factor Authentication "page from" Security and Login "to add, delete or rename security keys linked to your account
Vox Media has affiliate partnerships, which do not affect editorial content, but Vox Media may earn commissions for products purchased through affiliate links. For more information, see our Ethics Policy .