Frequently Asked Questions about Security Keys
What is a security key?
A security key is a small physical device that looks like a USB thumb drive, and works in addition to your password on sites that support it. You can carry it on a keychain like a regular key. Here’s a photo:
Why should I have one?
Security keys protect you against impostor websites that try to steal login credentials to sensitive accounts like your email. Other forms of two-factor authentication (including text messages, authenticator apps, and push notifications) do not give you the same level of protection as a security key.
How do I use it?
The key is a 'second factor', which means you use it in addition to your password. After logging in normally, sites that support it will ask you to briefly insert the key into a USB port and tap the button with your finger.
What happens if I lose it?
When you set up your security key, you also set up backup methods you can use in case you lose your key. These include an authenticator app that lives on your phone, and a set of printed one-time recovery codes.
You can also add more than one security key to your account, and keep the backup in a safe place.
What happens if I lose both my security key and my phone?
You'll have a set of printed recovery codes, which you should store on paper in a safe place.
What happens if I lose my security key, my phone, and don't have recovery codes?
You’ll need to prove your identity to the site’s satisfaction. What this means will be different for each site. Expect to spend a lot of time on the phone.
What if my key gets stolen?
The key works in addition to your password, not as a replacement for it. If someone steals the key, they still can't get into your email without knowing your password. You can log in with a backup method, and remove the stolen key from your account.
Do I need a separate key for every computer I use?
No, your key will work on any computer that has a USB port. Carry it with you like a car key.
Do I need a separate key for every account?
You can use a single key for as many accounts as you like.
Can I use multiple keys on my account?
Yes, you can add multiple security keys. We also encourage people to register each other's security keys with their spouse, friends, or co-workers. That way, if you lose your key, you can borrow one from another person. Adding someone's key to your account won't give them access unless they also know the password.
Can I use it both on a Mac and a PC?
Yes, as long as the computer runs the Google Chrome browser (which you should be using anyway).
Can I use it on my phone or tablet?
Not yet. You'll need to use a backup method like an authenticator app, or generate a special one-time login for the device.
Why do you say it's bad to have a phone number on my account?
Many sites encourage you to add your phone number to secure your account. But there are at least three reasons why you should avoid using text messages for two-factor authentication.
- Your phone number can be easily hijacked by someone who calls the phone company and pretends to be you.
- The text message can be viewed or redirected while en route to your phone.
- Many phones are configured to display text messages on the lock screen.
If text messages are the only way to add two-factor authentication to your account, they are better than nothing. But if you can use an alternative method, like an authenticator app or a security key, use that instead.
Why is a security key more secure than an authenticator app?
An authenticator app lives on your phone and generates a time-based numerical code. It is a better second factor than text messaging, but not as good as a security key. An attacker who tricks you into entering your password and an authenticator code into a website they control can get into your email account. This is not the case if you log in using a security key.
Do I still need a password if I use a security key?
Yes, the security key is a second factor that you use in addition to your password.
How often will I need to use my security key?
You'll need it every time you log in to a new machine. You can decide whether to make sites ask you for the security key every time you log in to a known machine, or to trust it after first use.
Can I just keep the key plugged into my USB port?
Yes. YubiKey makes a special low-profile key for this purpose.
I'm a nerd. How does it work?
The key uses a standard called U2F. It cryptographically signs a challenge from the browser that includes the actual domain name of the site the browser is on, which is what makes it such an effective protection against phishing. An attacker would need to control the domain name, or the browser, to get a usable signature from the key.
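To show why the signed origin defeats a relayed login, here is an added illustration (not code from the original page or from any U2F implementation) that models the key, the browser and the site in Go with the standard library. It assumes the simplified U2F signing input SHA-256(appID) || user-presence byte || counter || SHA-256(clientData), uses the origin as the appID, and uses constructed origins and a constructed challenge.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
)

// clientData is what the browser hands to the key: the site's challenge plus the origin the browser actually loaded.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
// signedDigest hashes the U2F signing input: SHA-256(appID) || user-presence byte || 4-byte counter || SHA-256(clientData JSON).
func signedDigest(appID string, counter uint32, cd []byte) []byte {
	app, ch := sha256.Sum256([]byte(appID)), sha256.Sum256(cd)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	d := sha256.Sum256(append(append(append(app[:], 0x01), ctr[:]...), ch[:]...))
	return d[:]
}
// keyAuthenticate models the key: it signs for whatever origin the browser supplies.
func keyAuthenticate(priv *ecdsa.PrivateKey, origin, challenge string, counter uint32) ([]byte, []byte) {
	cd, _ := json.Marshal(clientData{challenge, origin})
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, signedDigest(origin, counter, cd))
	return cd, sig
}
// siteVerify models the real site: it recomputes the digest from ITS OWN origin, so a signature made for a look-alike origin cannot verify.
func siteVerify(pub *ecdsa.PublicKey, site, issued string, counter uint32, cd, sig []byte) bool {
	var p clientData
	if json.Unmarshal(cd, &p) != nil || p.Challenge != issued || p.Origin != site {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedDigest(site, counter, cd), sig)
}
// relayScenario returns (genuine login verifies, relayed phishing login verifies).
func relayScenario() (bool, bool) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // key registered with the site
	const site, chal = "https://mail.example", "constructed-challenge-123" // constructed values
	cd, sig := keyAuthenticate(priv, site, chal, 1)
	genuine := siteVerify(&priv.PublicKey, site, chal, 1, cd, sig)
	// A look-alike site forwards the genuine challenge, but the browser signs for the look-alike origin.
	pcd, psig := keyAuthenticate(priv, "https://mai1.example", chal, 2)
	return genuine, siteVerify(&priv.PublicKey, site, chal, 2, pcd, psig)
}

func main() { if ok, bad := relayScenario(); !ok || bad { panic("unexpected") } }
```

The password and authenticator code in the previous answer can be relayed in the same way, but the signature cannot, because the real site's origin is baked into what the key signs.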
How do I set it up for Gmail? How do I set it up for Facebook or Twitter?
Here are instructions for setting up your security key in Gmail, and here are instructions for Facebook and Twitter.
Which security key should I buy?
We recommend the blue YubiKey, which costs $20 on the Yubico site. Any security key that supports "U2F" will do.