A password isn’t enough to fully protect your accounts and logins anymore. Websites and apps offer two-factor authentication and biometric login features, but another way to secure your accounts is through a physical security key.
A physical key serves as a backup to your password for verifying your identity. The right type of key can work with your computer and mobile phone, through a physical or wireless connection. Even if someone were to discover the password for one of your accounts, they wouldn’t be able to sign in without the physical key. As long as the key is safe and secure, your private information is protected.
You’ll find a variety of security keys for sale, including ones from Google, Yubico, and Thetis. The key you need depends on your specific needs. If you’re looking to plug it into your computer, choose one with a USB connector. For mobile devices, there are keys with USB-C or Lightning connectors for Android or iOS devices. You may also want one that uses NFC to connect wirelessly, which will cover all your bases and not require you to plug the key in each time.
For this story, I'm using a YubiKey 5C NFC security key from Yubico because of its support for computers and mobile devices. This key has both a USB-C connector and built-in NFC for a wireless connection. Here’s how to use a physical security key to secure your online accounts.
Set Up a Security Key With a Windows PC
One action you might want to take is to secure your Windows 10 login with a security key. In this instance, the key acts as a backup form of authentication beyond your username and password. There is one major limitation here, however. The YubiKey works only with a local Windows account; it won’t work if you use a Microsoft Account to sign into Windows 10. You can have both a Microsoft account and a local account on the computer, but the YubiKey will only log you into the local one.
For this to work, you’ll need to download the Yubico Login for Windows application by clicking on Yubico Login for Windows (64 bit) or Download Yubico Login for Windows (32 bit), depending on your flavor of Windows 10. Install the program and reboot your computer. At the Start menu, open the folder for Yubico and click the shortcut for Login Configuration, then follow the steps in this tool to set up your key.
After your key has been set up, reboot your computer again. At the Windows 10 sign-in screen, make sure your login is set to use the Yubico login in the bottom-left corner of the screen. Enter your Windows 10 username and password. If the YubiKey is not already inserted, you’ll be prompted to insert it and try again. You should then be signed into Windows.
If you run into any trouble configuring the YubiKey, check out the Yubico Login for Windows Configuration Guide.
You can also use the YubiKey as authentication to sign into a variety of websites, and not just those that support the FIDO2 standard. The number of websites that accept physical security keys is limited but always growing. Google supports it, though, so services such as Gmail, Google Calendar, Google Maps, Google Drive, Google Docs, and YouTube will all work with a security key.
Set Up a Security Key With Online Accounts
Open your favorite browser (Chrome, Firefox, and Edge are all supported) and sign into your Google Accounts page. In the left pane, select the setting for Security, then scroll down the page and click 2-step verification. At the next screen, click the Get Started button and sign in with your Google account, if prompted.
Under the Use your phone as your second step to sign in page, click the Show more options link and select Security Key. Click Next, then plug your security key into your computer and click OK. Touch the sensor on the security key to register it, then name your security key if you wish and click Done.
The next time you need to sign into your Google account, make sure the security key is inserted in your computer. When you enter your username and password, you will be prompted to touch the key to authenticate your login. You can then use the same security key in any browser and on any computer to sign into your account.
Set Up a Security Key With a Mobile Device
To use a Yubico security key for login authentications on your phone, you first need to download and install the Yubico Authenticator app (iOS, Android) on your device. Open the app and follow the steps to connect the YubiKey to your phone using USB, Lightning, or wireless NFC.
You can now use your Yubico security key to sign into supported apps and websites with your phone. Yubico has a database of websites and applications that are compatible with YubiKey, which you can use to set up your existing accounts with increased security. Click on a supported website, such as Twitter, and select the Get Setup Instructions button.
On your phone, sign into the Twitter website. Go to Settings and Privacy > Security and account access > Security > Two-factor authentication. You’ll first have to set up authentication through either text message or authentication app. Once this is set, check the box next to Security Key.
Plug in your security key or hold it at the top of your phone. Create a PIN or password to secure this login method. You should then receive a message telling you that you’re all set. The next time you try to sign into mobile Twitter, enter your username and password and then plug in or hold your security key next to your phone to authenticate your account.