Why You Should Use a Physical Key to Sign Into Your Accounts

The benefits of two-factor authentication (2FA) are clear: A person trying to get into your accounts will need something else besides your username and password, which makes it more difficult to hack you. That something else is often a code sent via SMS or through an app, but there’s another option: a physical security key.

These keys take the form of USB dongles that you can plug into your computer or just bring close to your phone (with NFC replacing USB to make the connection), which then verify your identity and allow you into your accounts. And while using an authenticator app for 2FA is a lot more secure than using SMS, using a physical security key is even better from a security standpoint.

That’s primarily because you’re using a physical object rather than a code: there’s no code for you to type into a fraudulent website, to be stolen by another app, or to be read off your screen by someone looking over your shoulder. The key answers each sign-in by signing a one-time challenge that also covers the web address your browser is actually connected to, so a response captured by a look-alike site can’t be replayed on the real one. Authenticator apps are very secure, but the codes they generate can be phished or intercepted remotely; with a security key, an attacker needs physical access to the key itself.
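To make that claim concrete, here is an added example (not from the article, and not Yubico’s or any vendor’s code) that simulates in Go what a FIDO2/WebAuthn key signs and what the website checks on the way back. The domain names, challenge strings and the simplified authenticator data are constructed for illustration.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

// clientData mirrors WebAuthn's clientDataJSON: the browser, not the website,
// fills in the origin it is really connected to, next to the site's challenge.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
// assertion is what the key returns for one sign-in: authData (rpIdHash ||
// flags || counter, simplified here), the clientDataJSON, and the signature.
type assertion struct{ AuthData, ClientDataJSON, Signature []byte }
// newKey stands in for the per-site credential the key creates at registration.
func newKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return k
}
// signedMessage is the exact byte string the key signs: authData || SHA-256(clientDataJSON).
func signedMessage(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	h := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return h[:]
}
// sign simulates the key answering a sign-in request for the given rpID/origin.
func sign(k *ecdsa.PrivateKey, rpID, origin, challenge string) assertion {
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 1) // flags=user present, counter=1
	cd, _ := json.Marshal(clientData{"webauthn.get", challenge, origin})
	sig, _ := ecdsa.SignASN1(rand.Reader, k, signedMessage(authData, cd)) // only fails if rand fails
	return assertion{authData, cd, sig}
}
// verify is the relying party's check. A response captured on a look-alike site
// fails here even though the genuine key produced it: origin and rpIdHash differ.
func verify(pub *ecdsa.PublicKey, rpID, origin, challenge string, a assertion) bool {
	var cd clientData
	want := sha256.Sum256([]byte(rpID))
	if json.Unmarshal(a.ClientDataJSON, &cd) != nil || cd.Type != "webauthn.get" ||
		cd.Challenge != challenge || cd.Origin != origin ||
		len(a.AuthData) < 32 || string(a.AuthData[:32]) != string(want[:]) {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedMessage(a.AuthData, a.ClientDataJSON), a.Signature)
}
```

The same key that produces a valid assertion for the real site produces one the real site rejects when the browser was talking to a look-alike domain, and a replayed assertion fails once the site issues a fresh challenge.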

Keys can work via USB, NFC, or even Bluetooth. (Photo: Yubico)

It’s more convenient, too: Just plug it in and your identity is confirmed. There’s no need to unlock your phone, open an app, or type out a code. If you’re upgrading your phone or laptop, no problem — the security key stays the same.

You can assign multiple keys to your accounts too: Maybe keep one on your keyring and keep another in a safe place (like… inside a safe). There is, of course, the danger that you’ll lose your key or have it stolen, but that’s no different from losing a set of house keys or your smartphone. Backup options will be available if you lose access to your USB dongle.

There are a few specs and standards to know about, with FIDO2 the most recent and the most secure to date. It builds on earlier technology like Universal 2nd Factor (U2F), it’s cryptographically secured, and it’s private and anonymous as far as the USB dongle itself is concerned. As for the keys themselves, they work offline and don’t need to be charged up.

You can get keys from numerous sources — including Google. (Image: Google)

You can buy keys from the likes of Yubico, Google, SoloKeys, Thetis and others — just look for FIDO2 compatibility to make sure they’ll work with services and accounts that support the standard. You’ll also need a key with the right type of USB connector for whatever your laptop or desktop computer uses, which is probably the main consideration when you’re weighing which key to buy.

While you’re not going to be able to use these unlocking devices for all of your accounts on all of your devices, quite a few of the major apps and services will now accept a hardware key as a form of authentication. They include Microsoft, Google, Dropbox, Twitter, Nintendo, Twitch, ProtonMail, eBay, Trello, Instagram, Facebook, and Kickstarter, for example. Password managers like LastPass, Dashlane, Bitwarden and 1Password support these keys too.

Here’s how it’s done on Dropbox, for example, with a YubiKey 5C NFC sent to us by Yubico: Open your account security page and enable two-factor authentication, if you haven’t done so already. You get a choice of how to get your 2FA codes, either via SMS or through an authenticator app.

Adding a key to a Dropbox account. (Screenshot: Dropbox)

One of these options must be enabled so that it can be used on devices where physical security keys aren’t supported, or as a backup method if your physical security key isn’t available for whatever reason. At the moment, Dropbox supports the tech for logging into the website through either Chrome or Firefox.

To add your physical key, click Add next to Security keys, then Begin setup. You’ll need to enter your account password, then when prompted, plug the key into a spare USB port and click Key inserted. You then need to tap the key itself to confirm the connection, and you’re done. You also have the option to give the key a unique name so you can recognise it again in the future.

The next time you’re signing in on a new device, all you need to do is plug the key in when prompted and then touch the button on top: The account in question will recognise the USB dongle as the one you’ve previously verified. Your other 2FA option (either SMS or an authenticator app) will still be available if needed.

Adding a key to a Google account. (Screenshot: Google)

Adding a physical security key to other accounts is just as straightforward. In the case of Google accounts, you need to go to the security page for your account and click 2-Step Verification — there are a host of options to pick from for 2FA, from prompts on your trusted devices to codes generated by an authenticator app. As with Dropbox, a physical key doesn’t remove these options, but adds another alternative.

Click Add security key and follow the prompts on screen. You might see one or more of your phones or tablets listed, as they can be used as security keys too. If you’re using a USB key like our YubiKey 5C NFC, click USB or Bluetooth. You’ll be told when to insert your USB key, and when it’s been recognised you can give it a specific name.

The next time you log into your Google account on a new device, a security key will appear as the default option (where supported by the hardware and software). Plug it in, tap the button on the key, and you’re into your account, with the other 2FA measures you’ve configured there as a safety net if needed.