Two-factor authentication is important, but a hassle. Instead of typing in a code from your phone, what if you could just insert a USB key to get access to your important accounts?
That’s what U2F does—it’s an emerging standard for physical authentication tokens. Current U2F keys are small USB devices. To log in, you won’t need to enter an authentication code provided from an app or text message—just insert the USB security key and press a button.
This standard is just taking form, so it’s only supported in Chrome, Firefox, and Opera at the moment, and by a few big services: Google, Facebook, Dropbox, and GitHub all allow you to use U2F keys to secure your account.
You’ll soon be able to use this type of USB security key on many more websites soon thanks to the Web Authentication API. It will be a standard authentication API that works across all platforms and browsers and will support USB keys as well as other authentication methods. This new API was originally known as FIDO 2.0.
To get started, you’ll need just a few things:
When signing in from a platform that doesn’t support security keys—for example, any browser on an iPhone, Microsoft Edge on a Windows PC, or Safari on a Mac—you’ll still be able to authenticate the old fashioned way, with a code sent to your phone.
If you have a key that supports NFC, you can tap it on the back of your Android device when signing in to authenticate, when prompted. This doesn’t work on an iPhone, as only Android provides apps with access to the NFC hardware.
Head to Google.com and sign in with your Google account. Click the profile picture in the upper-right corner of any Google page and select “My Account” to view information about your account.
Click “Signing in to Google” on the My Account page, and then click “2-Step Verification”—or just click here to head straight to that page. Click the “Learn More” link under “Your second step” and then click “Security key”.
Remove your key from your USB port if it’s already inserted. Click the “Next” button, plug in the security key, and press a button if it has one. Click “Done,” and that key will then be associated with your Google account.
When you log in from a new PC, you’ll be prompted to authenticate with the USB security key. Just insert the key and press the button on it when you’re asked to do so. If you have a YubiKey NEO, you can also set this up with NFC for your Android phone if you wish.
If you don’t have your security key or you’re signing in from a device or browser that doesn’t support this, you can still use SMS verification or another two-step verification method you’ve configured in your Google account security settings.
To enable a U2F security key for your Facebook account, visit the Facebook website and sign in with your account. Click the down arrow at the top right corner of the page, select “Settings”, click “Security and Login” at the left side of the Settings page, and then click “Edit” to the right of Use two-factor authentication. You can also click here to go straight to the Two-factor authentication settings page.
Click the “Add Key” link to the right of Security Keys here to add your U2F key as an authentication method. You can also add other two-factor authentication methods from here, including text messages sent to your smartphone and mobile apps that generate codes for you.
Insert your U2F security key into your computer’s USB port and press the button on it when prompted. You’ll be able to enter a name for the key afterwards.
When you’re done, click “Set Up Two-Factor Authentication” to require the security key to sign in.
When you sign into Facebook in the future, you’ll be prompted to insert your security key to continue. You can also click the “Use a different method” link and select another two-factor authentication method you’ve enabled. For example, you could have a text message sent to your smartphone if you don’t have your USB key on you.
To set this up with Dropbox, visit the Dropbox website and sign in with your account. Click your icon at the top-right corner of any page, select “Settings,” and then click the “Security” tab. You can also click here to go straight to your account security page.
If you haven’t enabled two-step verification yet, click the “Off” switch to the right of Two-step verification to turn it on. You’ll have to set up either SMS verification or a mobile authenticator app like Google Authenticator or Authy before you can add a security key. This will be used as a fallback.
Once you’re done—or if you’ve already enabled two-step verification—click “Add” next to Security keys.
Click through the steps that appear on the page, inserting your USB security key and pressing the button on it when you’re asked to do so.
The next time you log into Dropbox, you’ll be prompted to insert your USB security key and press its button. If you don’t have it or your browser doesn’t support it, you can use a code sent to you via SMS or generated by a mobile authenticator app instead.
To secure your GitHub account with a security key, head to the GitHub website, sign in, and click the profile picture at the top-right corner of the page. Click “Settings” and then click “Security.” You can also click here to go straight to the Security page.
If you haven’t set up two-factor authentication yet, click “Set up two factor authentication” and go through the process. As with Dropbox, you can set up two-factor authentication using SMS codes sent to your phone number or with an authenticator app. If you have set up two-factor authentication, click the “Edit” button.
On the two-factor authentication configuration page, scroll down to the bottom and click “Register new device” under Security keys.
Type a nickname for the key, click Add, and then insert the key into a USB port on your computer and press its button.
You’ll be asked to insert the key and press the button on it whenever you sign into GitHub. If you don’t have it, SMS authentication, the code-generating app, or a standard recovery key can all be used to gain access to your account.
LastPass also supports physical USB keys, but it doesn’t support the less expensive U2F keys—it only supports YubiKey-branded keys, like the YubiKey or YubiKey NEO, which are unfortunately a bit more expensive. You’ll also need to be subscribed to LastPass Premium. If you meet those criteria, here’s how to set it up.
Open your LastPass Vault by clicking on the LastPass Icon in your browser and choosing “Open My Vault”. You can also head to LastPass.com and log into your account there.
From there, click the “Account Settings” gear in the bottom-left.
Click the “Multifactor Options” tab and scroll down to the “Yubico” or “YubiKey” option. Click the Edit icon next to it.
Change the “Enabled” dropdown to “Yes”, then place your cursor inside the “YubiKey #1” box. Plug your YubiKey in, and once it’s recognized by your PC, press the button. You should see the text box fill up with your YubiKey’s generated code.
Repeat this process for any other YubiKeys you own and click “Update”.
Now, when you log into LastPass, you’ll be prompted to plug in your YubiKey and press its button to securely log in. If you have an Android phone and a YubiKey NEO, you can also set it up to use NFC with the LastPass Android app.
We’re still in the early days for U2F, but this technology is going to take off with the Web Authentication API. The FIDO consortium, which develops U2F, contains companies like Google, Microsoft, Intel, ARM, Samsung, Qualcomm, VISA, MasterCard, American Express, PayPal, and a variety of big banks. With so many big companies involved, many more websites will start supporting U2F security keys and other alternative authentication methods soon.