U2F is an emerging standard for physical authentication tokens. Current U2F keys are all small USB devices. To log in, you won’t need to enter an authentication code provided from an app or SMS — just insert the USB security key and press a button. Here’s how they work.
This standard is just taking form, so it’s only supported in Chrome at the moment — Microsoft and perhaps Mozilla are adding support. Google, Dropbox, and GitHub all allow you to use U2F keys to secure your account.
What You’ll Need
To get started, you’ll need just a few things:
- A FIDO U2F security key: You’ll need the physical authentication token to get started. Google’s official documentation tells users to search for “FIDO U2F Security Key” on Amazon and buy one. The top result is from Yubico, which worked with Google to develop U2F before other companies signed on and which has a history of making USB security keys. The Yubico U2F key is a good bet.
- Google Chrome: Currently, this is only supported in Google Chrome. Mozilla Firefox may eventually add support, and Microsoft is working on adding support to Edge. For now, you’ll need Chrome for this — it works on Windows, Mac, Linux, and Chrome OS.
When signing in from a platform that doesn’t support security keys — for example, your smartphone or a non-Chrome browser — you’ll be able to authenticate in another way. For example, you might have to enter an authentication code sent to you via SMS.
Head to Google.com and sign in with your Google account. Click the profile picture in the upper-right corner of any Google page and select “My Account” to view information about your account.
Remove your key from your USB port if it’s already inserted. Click the “Register” button, plug in the security key, and press a button if it has a button. Click “Done” and that key will then be associated with your Google account.
When you log in from a new PC, you’ll be prompted to authenticate with the USB security key. Just insert the key and press the button on it when you’re asked to do so.
If you don’t have your security key or you’re signing in from a device or browser that doesn’t support this, you can still use SMS verification or another two-step verification method you’ve configured in your Google account security settings.
To set this up with Dropbox, visit the Dropbox website and sign in with your account. Click your name at the top-right corner of any page, select “Settings,” and then click the “Security” tab to reach your account security page.
If you haven’t enabled two-step verification yet, click the “Enable” link to the right of Two-step verification. You’ll have to set up either SMS verification or a mobile authenticator app like Google Authenticator or Authy before you can add a security key. This will be used as a fallback.
Once you’re done — or if you’ve already enabled two-step verification — click “Add” next to Security keys.
Just click through the process, inserting your USB security key and pressing the button on it when you’re asked to do so.
The next time you log into Dropbox from Chrome, you’ll be prompted to insert your USB security key and press its button. If you don’t have it or your browser doesn’t support it, you can use a code sent to you via SMS or generated by a mobile authenticator app instead.
To secure your GitHub account with a security key, head to the GitHub website, sign in, and click the profile picture at the top-right corner of the page. Click “Settings” and then click “Security” to reach the Security page.
If you haven’t set up two-factor authentication yet, click “Set up two factor authentication” and go through the process. As with Dropbox, you can set up two-factor authentication using SMS codes sent to your phone number or with an authenticator app. If you have set up two-factor authentication, click the “Edit” button.
On the two-factor authentication configuration page, scroll down to the bottom and click “Register new device” under Security keys.
Type a nickname for the key, click Add, and then insert the key into a USB port on your computer and press its button.
You’ll be asked to insert the key and press the button on it whenever you sign into GitHub. If you don’t have it, SMS authentication, the code-generating app, or a standard recovery key can all be used to gain access to your account.
It’s early days for U2F, but expect more and more services to add support for it in the future. The FIDO consortium, which develops U2F, contains companies like Google, Microsoft, Intel, ARM, Samsung, Qualcomm, VISA, MasterCard, American Express, PayPal, and a variety of big banks. With so many big companies involved, many more websites should start supporting U2F security keys soon.