Frequently Asked Questions about Security Keys:

What is a security key?

It’s a small physical device that plugs into a USB port on your computer and works with the Chrome browser and platforms that enable it (like Google, Facebook, GitHub, Dropbox). You can carry it on a keychain like a regular key.

Why do I need one?

A physical security key is the most effective defense against phishing, where you are tricked into entering your password or credentials into an attacker’s website.

Do I still need a password if I use a security key?

Yes, the security key is a second factor that you use in addition to your password.

How do I log in with a security key?

You plug it into the USB port of the computer you are using. After entering your password, you may need to touch a sensor on the security key to complete your login. (The touch does not read your fingerprint; it just activates the key.)

What happens if I lose my security key?

Most services require you to set up a backup second factor in case this happens. This is usually a recovery code that you should print out and store in a safe place (like a safe deposit box). It may also be an app that generates a recovery code.

Where should I store my recovery code?

Don’t keep it on your computer, or in your password manager! This defeats the purpose of having a security key. Print the recovery code out, and store it with your other sensitive documents and valuables.

What happens if I lose both my security key and recovery code?

You’ll need to prove your identity to the site’s satisfaction. What this means will be different for each site. Expect to spend a lot of time on the phone.

Do I need a key per machine?

No, your key will work on a Chrome browser whatever machine you use. Carry it with you like a car key.

Does it work on my phone or tablet?

Not yet. On your phone, you’ll need to use an app like Google Authenticator to give you a login code to use with your password.

Why is a security key better than Google Authenticator?

Security keys protect you against phishing. If someone doesn’t have the physical key, they can’t log in as you. Google Authenticator generates a numerical code, which could potentially be phished. Both are safer than using a login code sent to you over SMS.
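
Why the numerical code can be phished and the key cannot, as an added example that is not part of the original FAQ: a code typed into a look-alike page is still valid at the real site, while with U2F the browser includes the page's origin in what the key signs, so the real site rejects it. The site names and secrets are constructed, and HMAC stands in for the ECDSA signature a real key produces.

```python
import hashlib, hmac, json, struct

REAL_ORIGIN = "https://login.example.com"        # constructed site names
LOOKALIKE_ORIGIN = "https://login.examp1e.test"

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code: depends only on the shared secret and the clock."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def server_accepts_totp(secret: bytes, code: str, now: int) -> bool:
    # Nothing in the code says which page the user typed it into.
    return hmac.compare_digest(code, totp(secret, now))

def browser_client_data(origin: str, challenge: str) -> bytes:
    """The browser, not the page or the user, records which origin asked."""
    return json.dumps({"challenge": challenge, "origin": origin},
                      sort_keys=True).encode()

def key_sign(key_secret: bytes, client_data: bytes) -> bytes:
    # Assumption/stand-in: a real U2F key signs with ECDSA P-256, not HMAC.
    return hmac.new(key_secret, client_data, hashlib.sha256).digest()

def server_accepts_key(key_secret: bytes, challenge: str,
                       client_data: bytes, sig: bytes) -> bool:
    if not hmac.compare_digest(sig, key_sign(key_secret, client_data)):
        return False
    data = json.loads(client_data)
    return data["challenge"] == challenge and data["origin"] == REAL_ORIGIN

def login_via(origin: str) -> dict:
    """The user completes the second factor on a page served from `origin`;
    whatever that page receives is then presented to the real site."""
    secret, now, challenge = b"constructed-demo-secret", 1_700_000_000, "c7a1-demo"
    code = totp(secret, now)                        # typed into the page
    cdata = browser_client_data(origin, challenge)  # origin filled in by browser
    sig = key_sign(secret, cdata)
    return {"totp": server_accepts_totp(secret, code, now),
            "security_key": server_accepts_key(secret, challenge, cdata, sig)}

if __name__ == "__main__":
    print("real site :", login_via(REAL_ORIGIN))
    print("look-alike:", login_via(LOOKALIKE_ORIGIN))
```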

Can I use it on both a Mac and a PC?

Yes, as long as you are using the Google Chrome browser (which you should be anyway).

Can I access a public computer?

Yes, if the computer runs Chrome. Logging in on public computers is risky, but if it is necessary and the computer has Chrome, it should work.

Do I need a different security key for every account?

You can use a single key for many accounts.

How do I disable SMS if you say I must?

We’re working on step-by-step instructions for this.

How do I set it up for Gmail? How do I set it up for Facebook?

Instructions for Facebook and Google.

Which security key should I buy?

This one (the blue one on Amazon for 17.99) is the cheapest, and it does everything you need for two-factor authentication using the U2F protocol. (The more expensive ones add other bells and whistles but do not make it more secure.)