Frequently Asked Questions about Security Keys:
What is a security key?
It’s a small physical device that plugs into a USB port on your computer and works with the Chrome browser and platforms that enable it (like Google, Facebook, GitHub, Dropbox). You can carry it on a keychain like a regular key.
Why do I need one?
A physical security key is the most effective defense against phishing, where you are tricked into entering your password or credentials into an attacker's website.
Do I still need a password if I use a security key?
Yes, the security key is a second factor that you use in addition to your password.
How do I log in with a security key?
You plug it into the USB port of the computer you are using. After entering your password, you may need to touch a sensor on the security key to complete your login. (The touch does not read your fingerprint; it just activates the key.)
What happens if I lose my security key?
Most services require you to set up a backup second factor in case this happens. This is usually a recovery code that you should print out and store in a safe place (like a safe deposit box). It may also be an app that generates a recovery code.
Where should I store my recovery code?
Don’t keep it on your computer, or in your password manager! This defeats the purpose of having a security key. Print the recovery code out, and store it with your other sensitive documents and valuables.
What happens if I lose both my security key and recovery code?
You’ll need to prove your identity to the site’s satisfaction. What this means will be different for each site. Expect to spend a lot of time on the phone.
Do I need a key per machine?
No, your key will work on a Chrome browser whatever machine you use. Carry it with you like a car key.
Does it work on my phone or tablet?
Not yet. On your phone, you’ll need to use an app like Google Authenticator to give you a login code to use with your password.
Why is a security key better than Google Authenticator?
Security keys protect you against phishing. If someone doesn’t have the physical key, they can’t log in as you. Google Authenticator generates a numerical code, which could potentially be phished.
Both are safer than using a login code sent to you over SMS.
Can I use it on both a Mac and a PC?
Yes, as long as you are using the Google Chrome browser (which you should be anyway).
Can I access a public computer?
Yes, if the computer runs Chrome. Logging in on public computers is risky, but if it is necessary and the computer has Chrome, it should work.
Do I need a different security key for every account?
You can use a single key for many accounts.
How do I disable SMS if you say I must?
We’re working on step-by-step instructions for this.
How do I set it up for Gmail? How do I set it up for Facebook?
Follow the instructions for Facebook and Google.
Which security key should I buy?
This one (the blue one on Amazon for 17.99) is the cheapest, and it does everything you need for two-factor authentication using the U2F protocol. (The more expensive ones add other bells and whistles but do not make it more secure.)