As we become more dependent upon online platforms for social and professional purposes, it grows increasingly important that we embrace stronger online security measures. One of the most important steps you can take to secure your online services is setting up two-factor authentication. This protocol—commonly abbreviated as 2FA—requires you to type in a password and also provide one other piece of proof that you are who you say you are before you can log into a service. One of the more common 2FA methods in use today employs six-digit passcodes that are sent to your phone via text message. When a unique scramble of numbers shows up on your phone, you type them into the browser along with your password at the login screen. Combined with a strong passphrase like those generated by password managers such as 1Password or LastPass, a 2FA login is quite effective at verifying your identity.
But no matter how strong a password is, or what level of code-based authentication a website is using, any system that sends codes in a text message can be compromised from afar by a skilled attacker. The best way to set up two-factor authentication is using a secure app on your phone to generate those six-digit codes, or to carry a piece of hardware that can verify your identity.
A device like the YubiKey is just that sort of hardware. These little key-shaped fobs plug into your computer and, along with your password, complete the second half of a 2FA web login. A hacker might find a way to snoop on your passwords or intercept a six-digit 2FA code while it’s being sent to your phone, but they’d be hard pressed to snatch an actual key off your keychain.
We should note that if you already have 2FA set up through an app like Google Authenticator or Duo Security, that’s great. A YubiKey will simply provide another, more convenient method of authentication. If you lose your YubiKey or forget it at home, you can use the secure code generator on your phone to complete your 2FA logins.
What Is It?
The YubiKey—like other, similar devices—is a small metal and plastic key about the size of a USB stick. They plug into your computer, and some also connect to your phone. You can use them in either place, along with your password, to authenticate web logins. Think of it as a physical key that, instead of unlocking a door, unlocks your online life.
Several manufacturers make these keys, and they all basically work the same way. They adhere to an industry standard called Universal 2nd Factor, or U2F. The standard weds hardware-based authentication with public key cryptography—a set of tools that’s extremely difficult to compromise. These U2F keys simplify the process of securely accessing online services like Google, Facebook, Dropbox, Windows, and Mac OS. They also support password managers like Lastpass, Dashlane and Keepass. U2F keys can even be used to unlock your Mac or Windows PC from the home screen.
Which One Should I Get?
There are several models of U2F key to choose from; all of them look like variations on a compact USB stick. We’re concentrating on the YubiKey here simply because it’s the most popular option, but you can use the instructions below with any key that supports U2F and the similar FIDO2 standard. Also (full disclosure!) we started giving away YubiKeys to new WIRED subscribers as free gifts earlier this year. If you receive one from us, you may wonder how to use it.
Made by the company Yubico, which helped draft the open U2F and FIDO2 standards, the keys are durable, water resistant, and battery-free. There are key-shaped models that attach to your keychain, or “nano” models, which are designed to be less awkward when plugged into a laptop. The full-size YubiKey 4 Series ranges from $40 to $60 and comes in versions for USB-A ports or USB-C ports. For Android users, there’s the NFC-compatible YubiKey Neo for $50 that lets you access your online services on your phone. You can also plug it into USB-A ports on your PC or other devices. For something more economical, you can try the brand new Security Key for USB-A ports. It costs only $20, and it’s compatible with any services that support U2F and FIDO2. Finally, government-regulated institutions might be interested in the YubiKey FIPS, which meets common regulatory requirements. To dig deeper into which key is right for you, take Yubico’s quiz here.
Once your YubiKey arrives in the mail, you start by activating it. Go to Yubico’s website and select your YubiKey. Next, choose the services you’d like to use your YubiKey to log into. Popular services that support U2F and FIDO2, like Facebook, Google, and Dropbox, are listed at the top. Also among the top choices are computer login options for Macs and Windows PCs. You can set up your YubiKey for use with password management solutions like Dashlane and LastPass, and developer platforms like Github and Bitbucket. Just about every service you can access with non-SMS-based two-factor authentication lets you add a YubiKey to your login protocol.
To give you a clear example, let’s set up a YubiKey to work with Facebook. Note that for Facebook, the YubiKey can only log you in if you’re using the latest version of Chrome or Opera. The hardware keys will work with Mozilla Firefox and Microsoft Edge on some services, but other services are more fickle—check the browser requirements for each of your most commonly used web services. For the ones that don’t support your hardware key, you can use a 2FA code-generator app instead.
On the YubiKey setup page, click on Facebook. Yubico will send you to a Facebook page called “What is a security key and how does it work?“. To set up your YubiKey, Facebook directs you to Security and Login Settings. Since a YubiKey is one of the factors in a two-factor authentication process, if you don’t have 2FA set up yet, Facebook will guide you through setting that up first. This usually involves providing Facebook with a phone number to text you a one-time passcode. Once that’s set up, go back to the Security and Login Settings page and look underneath where it says “Setting up extra security.” Next to the menu item “Use two-factor authentication,” click Edit. Under “Security Keys,” you’ll find the option called “Add Key.”
Now the moment of truth: the actual inserting of the key. Place your YubiKey into your USB port. Once plugged in, the key should show you a blinking light. If it’s not blinking, try plugging it into a different USB port, or flip it around—you may have inserted it upside-down. Once you see the blinking light, press the gold disk in the middle of the key. (If your model has a button, press the button instead.) With that, your hardware two-factor authentication key is activated. The next time you try to log into Facebook, instead of using a six-digit passcode to verify your identity, you’ll be asked to insert your YubiKey and give it a touch.
If you ever forget your YubiKey at home, don’t stress it. Facebook (or whatever service) will merely ask you to use another form of 2FA to log in, so you can go back to using your code-generating app as a fallback. If you ever lose your YubiKey entirely, you can go into your service’s settings and remove your old YubiKey from your list of security keys.
Want more news and reviews you can use? Sign up for the Gadget Lab newsletter.