Why you need a security key for Gmail
Your primary email (the one you give to banks, social media sites, etc.) is the most important online account you have. If an attacker can take over your primary email account, they can reset passwords on every other service that uses that email for account recovery.
A security key is a physical token (similar to a thumb drive) that offers you the highest possible level of protection against impostor websites that trick you into typing your Gmail password (phishing).
If you use a security key, an attacker will not be able to log into your email account even if they learn your password, and even if they can fool you into trying to log in to an impostor site that they control.
Who this guide is for
This guide is designed for regular humans. It will walk you through the steps of effectively protecting your Gmail account with a security key, without explaining in detail the reasons for each step. You can learn more about those in the security key FAQ.
Unfortunately, Google makes you jump through some hoops to set up a security key securely. The steps outlined below are designed to put your account in the most secure configuration.
If you've already added a phone number to your account, or turned on other kinds of two-factor authentication (like the authenticator app) you can skip those steps.
Let's do it!
- First, order a Yubikey! Any Yubikey will do; we recommend the blue one because it's cheapest. You can buy it for $20 in the Yubico store:
- Once you have a Yubikey, log in to your Gmail in Chrome on a laptop or desktop, and click on the round icon in the upper right of the page to go to your account settings:
- A pane will open with a blue 'My Account' button. Click it.
- In the left hand menu, choose "Security".
- Under "Signing in to Google", choose "2-step verification"
- Click the 'get started' button.
- If you haven't previously provided it, Google will now ask you for your phone number. This step is mandatory to unlock the other two-factor options.
(We'll take the phone number off in a later step.)
Enter a phone number you have access to, click "next", and type in the code Google sends you:
- Once you've verified a phone number, you'll see this 2-step verification screen:
- Scroll down the list of options to the one called "Security Key":
- Click the "add security key" link. Google will now prompt you to insert your key:
Plug the key into any USB port, with the gold disk facing upwards. If you're on a newer mac, you may have to use a USB adapter, like an animal:
If you did this right, a light in the gold disk should start flashing.
- Chrome will ask you if it's okay to talk to the security key. Click 'allow'
- Press your fingertip against the gold circle on the key until it stops flashing. (If you have longer fingernails, you may need to wiggle your finger a bit, or press harder.)
Once Google accepts your key, you'll see a checkmark. You can now take the Yubikey out of the USB port (there's no need to unmount it like a flash drive).
If you want, at this point you can give your security key a name—this is useful if you add more keys to the account later, as a backup.
- Congratulations! You've added a security key to your account!
Now let's add some backup methods in case you lose the key, or don't have it with you. The first one we'll install is an app that lives on your phone.
- On your phone, download and install the Google Authenticator app:
- Back in your browser, scroll down the list of options until you see "Authenticator App". Click the Set Up link:
- Google will ask you what type of phone you use, and then display a QR code on your screen.
- Open the authenticator app on your phone, and click the 'plus' sign. It may ask you permission to use the camera. Give it permission, and scan the QR code.
You'll see a six-digit number, which changes every minute or so.
- Google will ask you to enter this six-digit code. If all goes well, you'll be back at the 2-Step Verification screen, now with three things configured:
Google is now set up to accept three kinds of second factors: our security key, a code from the authenticator app, or a text message.
- We're going to add one more backup method, in case we lose both our security key and our phone. Scroll down to 'Backup codes' and click 'set up'.
- You'll see a list of ten numeric codes. These are single-use codes that will let you in to your Google account. Print them and put them somewhere safe. Don't store them on your computer, or in your password manager. If you carry them with you, put them in your wallet rather than in your laptop bag.
- Now we need to remove our phone number as backup method. (If you're curious why it's important to not have a phone number on your account, see the security key FAQ.)
Click the pencil icon on the right of the phone number, and you'll see a confirmation screen:
- With joy in your heart, click the 'remove' button. (If you have multiple phone numbers on your account, delete all of them.)
You have just secured your Gmail account!
This should be your final configuration:
Now let's try logging in, with and without the security key:
- Open an incognito window in Chrome (make sure there are no other incognito windows open), and try logging in to your Gmail. It will ask you for your password as usual, and then it should prompt you for your security key.
- Insert the key like you did during setup, and press the gold disk until it stops flashing.
You should now be logged in to your email.
- Now let's test logging in without the key. Close the incognito window, open a fresh one, and log in to Gmail again. This time, instead of inserting the key, click the 'try another way to sign in' link at bottom:
- Choose the Google Authenticator option:
- On your phone, open the Authenticator app, and type the code in to Chrome.
- You should now be logged in to your Gmail.
- If either of these methods didn't work, or you weren't prompted for a security key, go back to your two-factor settings and make sure they look like the picture in Step 19.
If you're completely lost, contact me (firstname.lastname@example.org) and let's chat.
What have we done?
You now have a Gmail account that is very resistant to phishing, as long as you remember to use the security key every time you log in.
Remember, you're only fully protected when you use the key. The Google Authenticator app we set up as a backup is convenient, but it does not give you as much protection against being tricked into typing your credentials into a website pretending to be Google.
And if you work for Google, help make this setup easier by not requiring people to give their phone number!