As online threats continue to grow, protecting your accounts has never been more crucial. Traditional username and password combinations are often not enough to safeguard your online identity, and that’s where two-factor authentication (2FA) comes in. One of the most robust forms of 2FA involves using a hardware security key, like a Yubikey.
In this guide, we’ll take you through the step-by-step process of setting up a Yubikey for 2FA, explain the difference between 2FA and passkeys, and help you decide which Yubikey is best for your needs.
2FA Key Setup Tutorial (Yubikey)
Setting up your Yubikey for 2FA is easier than you might think. Follow this simple tutorial, and you’ll have an added layer of protection for your online accounts in no time.
Step 1: Check if the Account is 2FA Key Compatible
While 2-factor authentication has been widely adopted, there are different ways to implement this security standard. Some online accounts only allow for SMS text or authenticator apps, which are less secure than a security key.
So how do you check if an account offers 2FA key compatibility?
- Visit the 2FA Directory
- Search for the online account or browse the categories
- Search for 2FA “Hardware” support
If you don’t see the option, search the platform’s support or help pages for information on whether they support hardware security keys like Yubikey.
Step 2: Find Security & 2FA Settings
Once you’ve confirmed that the service is compatible with Yubikey, the next step is to locate the account’s security settings where 2FA can be activated. This will be different for each online login, but generally you’ll find these options under the “Security” or “Account Settings” section of the platform.
Let’s take Facebook as an example. To add a 2FA key, you will need to:
- Log in to your Facebook account
- Navigate to the Security Settings (for Facebook, this happens in your Meta account)
- Find “Password and Security”
- Click on “Two-factor authentication”
- Turn this on and then click on “Security Keys”
Many platforms will require that you have a backup 2FA method created as well.
Step 3: Set Up a Primary & Backup Key (or Backup Codes)
When setting up your Yubikey, it’s always a good idea to have both a primary and a backup method in place (in other words, it’s worth the money to purchase two Yubikeys). This way, if your primary Yubikey is lost or damaged, you won’t be locked out of your account.
Here’s how to set up your Yubikey as your primary 2FA method. First, when prompted by the platform’s 2FA setup process, select the option for adding a security key.
Sometimes you will be required to set up a PIN for your Yubikey. This security feature ensures that even if somebody steals your key, it cannot be used without your permission.
Next, insert your Yubikey into the USB port of your computer or tap it to your mobile device if using NFC. Follow the on-screen instructions, which will usually involve pressing the button on the Yubikey to register it.
Next, consider one of the following backup methods:
- Add a second Yubikey: Many services allow you to register a backup key. You can store this second key in a safe place, so you’re covered if something happens to the primary one.
- Generate backup codes: Some platforms provide one-time-use backup codes that you can store securely. These can be used to log in if your Yubikey isn’t available.
Remember: your account is only as strong as your weakest form of 2FA, so if you secure your account with a Yubikey but then allow for SMS text backup, you’ve essentially downgraded the security of your account (since SMS text is the weakest form of 2FA thanks to SIM swap attacks and other vulnerabilities).
Step 4: Using a 2FA Key for Login
Once your Yubikey is set up, logging in is straightforward:
- Go to the login page of the service.
- Enter your username and password as usual.
- When prompted for 2FA, insert your Yubikey into the device (or tap it, if using NFC).
- Press the button on the Yubikey to authenticate and complete the login process.
This process replaces the need for entering a code from an authenticator app or text message, providing a faster and more secure way to authenticate.
Difference Between 2FA & Passkeys (Both on Yubikey)
Yubikey offers two key security options: traditional 2FA and passkeys. While both provide secure authentication, they work in slightly different ways:
- 2FA (Two-Factor Authentication): This involves adding an extra layer of security on top of your password. With Yubikey, after entering your password, you authenticate by physically tapping the key, ensuring that only someone with the key can log in.
- Passkeys: Passkeys are designed to eliminate the need for passwords altogether. Instead of entering a password, you use your Yubikey to complete a cryptographic authentication with the service. This method is faster and less prone to phishing attacks since there’s no password to steal.
In essence, passkeys are the future of authentication, offering a simpler and more secure method than traditional password-based 2FA.
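What the service checks in each case, as an added Python example (not code from this guide or from Yubico): it reads the header of the WebAuthn authenticator data a security key returns and applies a different policy to 2FA and passkey logins. The site name `example.com`, the function names and the policy of requiring a PIN or fingerprint for passkeys are assumptions, and the signature and challenge checks a real server also performs are left out.

```python
import hashlib
import struct

UP = 0x01  # "user present": the key's button or contact was touched
UV = 0x04  # "user verified": the key checked a PIN or fingerprint

def parse_authenticator_data(data: bytes) -> dict:
    """Split the fixed 37-byte header of WebAuthn authenticator data."""
    if len(data) < 37:
        raise ValueError("authenticator data must be at least 37 bytes")
    flags = data[32]
    (sign_count,) = struct.unpack(">I", data[33:37])
    return {
        "rp_id_hash": data[:32],          # SHA-256 of the site the key answered
        "user_present": bool(flags & UP),
        "user_verified": bool(flags & UV),
        "sign_count": sign_count,
    }

def check_login(data: bytes, rp_id: str, mode: str, password_ok: bool = False) -> list:
    """Return policy failures for a login; an empty list means accept.

    mode "2fa": the key follows a password. mode "passkey": the key replaces it.
    The UV requirement for passkeys is this example's assumed policy.
    """
    if mode not in ("2fa", "passkey"):
        raise ValueError("mode must be '2fa' or 'passkey'")
    parsed = parse_authenticator_data(data)
    problems = []
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        problems.append("response was made for a different site")
    if not parsed["user_present"]:
        problems.append("key was not touched")
    if mode == "2fa" and not password_ok:
        problems.append("password step missing")
    if mode == "passkey" and not parsed["user_verified"]:
        problems.append("PIN or fingerprint not verified")
    return problems

def build_sample(rp_id: str, flags: int, sign_count: int = 7) -> bytes:
    """Constructed sample header standing in for what a browser would relay."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)

if __name__ == "__main__":
    touch_only = build_sample("example.com", UP)
    print(check_login(touch_only, "example.com", "2fa", password_ok=True))
    print(check_login(touch_only, "example.com", "passkey"))
```

A touch alone satisfies the 2FA policy because the password was already checked; the same response is rejected for a passkey login until the key also reports a PIN or fingerprint check.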
Which Yubikey is Best?
Yubikey offers several models, each tailored to different devices and security needs. Here’s a quick overview of the most popular options:
- Yubikey 5 Series: This is the most versatile model, supporting both USB-A and NFC, making it compatible with most computers and mobile devices. It’s an excellent choice if you want flexibility across platforms.
- Yubikey Bio: This model adds biometric authentication (fingerprint) to the Yubikey experience, offering another layer of security. It’s ideal for those who want maximum protection.
- Yubikey Security Key: A budget-friendly option, this model provides the basic functionality needed for 2FA but lacks some of the advanced features of the Yubikey 5 series.
For most individuals, the Security Key series will be enough for most of their security needs. The 5 series is geared more toward advanced and enterprise users.
FAQ Troubleshooting
Here are some common questions and troubleshooting tips to help with your Yubikey setup:
Hopefully you’ve already set up a backup Yubikey or saved backup codes to access your account. After logging in, you can disable the lost key and set up a new one. If you have no backups, contact the service provider to see if you can recover access.
Make sure the key is properly inserted and the USB port is functional. If the problem persists, try a different port or computer. For NFC issues, ensure your phone’s NFC is enabled and that you’re tapping the Yubikey correctly.
Yes, you can register the same Yubikey with multiple services, making it a convenient tool for securing multiple accounts.
Store your Yubikey in a secure place when not in use. Consider using a keychain attachment or case for portability. If using a backup Yubikey, store it separately to reduce the risk of losing both keys simultaneously.
By following these steps and tips, you can easily set up a Yubikey for 2FA, boosting the security of your online accounts. Whether you’re protecting personal data or business credentials, Yubikey offers an efficient and secure solution for modern digital threats.
steve parsons says
Hi Josh,
love your passion for ‘all things’ security. thanks.
i have a question about the series 5 yubikeys which, unless i’ve missed it, i’ve not seen explained (in simple terms) for tech-dinosaurs like me!
I notice that within the 5 series, there are differences with the USB connection … one has USB-C, another USB-A and I’ve also seen one with a lightning connector. i want to purchase from the yubikey 5 range yet i’m not sure which type of connector to get? my iphone is an 11, so still has lightning. my work laptop has usb-C and usb-A, whereas my personal laptop only has usb-A.
a related question: should my backup yubikey have the same connection type or a different type? in all examples i’ve seen online, it appears the backup key has a different connection type. Perhaps this increases security, or just provides more options for some, i’m not sure.
i appreciate any clarification you can give. and if you can send me a link, or direct me to a page on your site, i’m happy to purchase via you so you benefit in some way.
many thanks
steve (from Australia)
Josh says
Hey Steve, great questions. I would recommend just getting a key that fits the most number of devices that you have. For most people nowadays, that’s a USB-C but you’ll need to have a C-to-A adapter.
As for the backup, it doesn’t matter as much as you think. There’s no added security having a different connection type. It’s easiest to just buy two of the same usually.