How to Secure Your Accounts With a U2F Key

U2F is an emerging standard for physical authentication tokens. Current U2F keys are all small USB devices. To log in, you won’t need to enter an authentication code provided from an app or SMS—just insert the USB security key and press a button. Here’s how they work.

This standard is just taking form, so it’s only supported in Chrome at the moment—Microsoft and perhaps Mozilla are adding support for it. Google, Facebook, Dropbox, and GitHub all allow you to use U2F keys to secure your account.

What You’ll Need

To get started, you’ll need just a few things:

  • A FIDO U2F security key: You’ll need the physical authentication token to get started. Google’s official documentation tells users to search for FIDO U2F Security Key on Amazon and buy one. The top result is from Yubico, who worked with Google to develop U2F before other companies signed on, and has a history of making USB security keys. The Yubico U2F key is a good bet for $18.
  • Google Chrome (or Opera): Currently, this is only supported in Google Chrome. Mozilla Firefox may eventually add support, and Microsoft is working on adding support to Edge. For now, you’ll need Chrome for this—it works on Windows, Mac, Linux, and Chrome OS. (Opera also supports U2F security keys, since it’s based on Google Chrome.)

When signing in from a platform that doesn’t support security keys—for example, your smartphone or a non-Chrome browser—you’ll be able to authenticate in another way. For example, you might have to enter an authentication code sent to you via SMS.

How to Set Up U2F for Your Google Account

Head to and sign in with your Google account. Click the profile picture in the upper-right corner of any Google page and select “My Account” to view information about your account.

Click “Signing into Google” on the My Account page, and then click “2-step Verification.” Click the “Security Keys” tab and click “Add Security Key.”

Remove your key from your USB port if it’s already inserted. Click the “Register” button, plug in the security key, and press a button if it has one. Click “Done,” and that key will then be associated with your Google account.

When you log in from a new PC, you’ll be prompted to authenticate with the USB security key. Just insert the key and press the button on it when you’re asked to do so.

If you don’t have your security key or you’re signing in from a device or browser that doesn’t support this, you can still use SMS verification or another two-step verification method you’ve configured in your Google account security settings.

How to Set Up U2F for Your Facebook Account

To enable a U2F security key for your Facebook account, visit the Facebook website and sign in with your account. Click the down arrow at the top right corner of the page, select “Settings”, click “Security” at the left side of the Settings page, and then click “Edit” to the right of Login Approvals.

Click the “Add Key” link to the right of Security Keys here to add your U2F key as an authentication method. You can also add other two-factor authentication methods from here, including text messages sent to your smartphone and mobile apps that generate codes for you.

Insert your U2F security key into your computer’s USB port and press the button on it when prompted. You’ll be able to enter a name for the key afterwards.

When you’re done, click “Enable Two-Factor Authentication” to require the security key to sign in.

When you sign into Facebook in the future, you’ll be prompted to insert your security key to continue. You can also click the “Use a different method” link and select another two-factor authentication method you’ve enabled. For example, you could have a text message sent to your smartphone if you don’t have your USB key on you.

How to Set Up U2F for Your Dropbox Account

To set this up with Dropbox, visit the Dropbox website and sign in with your account. Click your name at the top-right corner of any page, select “Settings,” and then click the “Security” tab.

If you haven’t enabled two-step verification yet, click the “Enable” link to the right of Two-step verification. You’ll have to set up either SMS verification or a mobile authenticator app like Google Authenticator or Authy before you can add a security key. This will be used as a fallback.

Once you’re done—or if you’ve already enabled two-step verification—click “Add” next to Security keys.

Click through the steps that appear on the page, inserting your USB security key and pressing the button on it when you’re asked to do so.

The next time you log into Dropbox from Chrome, you’ll be prompted to insert your USB security key and press its button. If you don’t have it or your browser doesn’t support it, you can use a code sent to you via SMS or generated by a mobile authenticator app instead.

How to Set Up U2F for Your GitHub Account

To secure your GitHub account with a security key, head to the GitHub website, sign in, and click the profile picture at the top-right corner of the page. Click “Settings” and then click “Security.”

If you haven’t set up two-factor authentication yet, click “Set up two factor authentication” and go through the process. As with Dropbox, you can set up two-factor authentication using SMS codes sent to your phone number or with an authenticator app. If you have set up two-factor authentication, click the “Edit” button.

On the two-factor authentication configuration page, scroll down to the bottom and click “Register new device” under Security keys.

Type a nickname for the key, click Add, and then insert the key into a USB port on your computer and press its button.

You’ll be asked to insert the key and press the button on it whenever you sign into GitHub. If you don’t have it, SMS authentication, the code-generating app, or a standard recovery key can all be used to gain access to your account.

We’re still in the early days for U2F, but expect more and more services to add support for it in the future. The FIDO consortium, which develops U2F, contains companies like Google, Microsoft, Intel, ARM, Samsung, Qualcomm, VISA, MasterCard, American Express, PayPal, and a variety of big banks. With so many big companies involved, many more websites should start supporting U2F security keys soon.

Chris Hoffman is a technology writer and all-around computer geek. He's as at home using the Linux terminal as he is digging into the Windows registry.