Security Keys

Jul 15, 2022

How do security keys work?

A security key is a small device you plug into your computer or phone with a special key on it. When you set up a security key with an account, the key will know it should only work on that site. This is very helpful against phishing attacks!

Three security keys. From left to right: a YubiKey 4 USB-A, a YubiKey 4 USB-C, and a Feitian Bluetooth/NFC key.

Let’s say you add a security key to your Twitter account, and later you click on a phishing link trying to steal your Twitter account. You don’t realize you’re on a phishing website, and so you enter your username and password. But wait — the attackers need one more thing to steal your account!

This is usually where hackers ask for your two-factor code from SMS or TOTP. But they can’t steal a security key. The security key will only work on the real Twitter site: it will not work on a phishing site and can’t be used remotely.
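The site binding described above can be sketched with the fields a WebAuthn login response carries. This is an added example, not code from the original lesson: `login.example`, the look-alike origin in the comments and all function names are constructed, the challenge is a plain string, and signature verification is left out.

```python
import hashlib
import json
import struct
from urllib.parse import urlsplit

# Constructed values: "login.example" stands in for the real site.
RP_ID = "login.example"
ORIGIN = "https://login.example"

def browser_allows_rp_id(origin, rp_id):
    """Browser rule: a page may only ask for keys registered to its own host
    or a parent domain of it (the public suffix list check is omitted)."""
    parts = urlsplit(origin)
    host = parts.hostname or ""
    return parts.scheme == "https" and (host == rp_id or host.endswith("." + rp_id))

def build_assertion(origin, rp_id, challenge):
    """What the browser and key produce: the browser writes the page's real
    origin into clientDataJSON, the key hashes the RP ID into authenticatorData."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    ).encode()
    flags, sign_count = 0x01, 7  # 0x01 = user present (the key was touched)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, sign_count)
    return client_data, auth_data

def relying_party_check(client_data, auth_data, challenge):
    """Server-side binding checks; returns the reasons to reject the login.
    A real server must also verify the key's signature over
    auth_data || SHA-256(client_data), which is omitted here."""
    problems = []
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        problems.append("wrong type")
    if cd.get("challenge") != challenge:
        problems.append("challenge mismatch")
    if cd.get("origin") != ORIGIN:
        problems.append("origin mismatch")
    if len(auth_data) < 37:  # 32-byte hash + 1 flag byte + 4-byte counter
        return problems + ["authenticator data too short"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        problems.append("rpIdHash mismatch")
    if not auth_data[32] & 0x01:
        problems.append("user not present")
    return problems

# The real site passes; a look-alike origin is refused by the browser rule,
# and a response made for it fails the server's origin and rpIdHash checks.
print(relying_party_check(*build_assertion(ORIGIN, RP_ID, "c1"), "c1"))
print(browser_allows_rp_id("https://login-example.test", RP_ID))
```

A relayed SMS or TOTP code carries no such origin, which is why it can be replayed by a phishing site and a security key response cannot.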

Security keys are fabulously effective, especially against all kinds of attacks.

Do you need a security key? Yubico is the absolute best in the business. If you have a USB-A port on your computer (the older, rectangular kind) you can get this one for $25. If you need USB-C (the newer, oval-shaped port on Androids and MacBooks) grab this one. Both have near-field communication (NFC), which means you can touch them to the back of your phone to use them on the go.

Multi-key madness

Most sites will let you use multiple 2FA methods. Usually, they prompt for two-factor methods in order of security — security key first, then TOTP, and so on. When possible, consider adding two security keys to your account. If you only have one, remove your phone number and rely on a TOTP code.

Try to make it a habit that whenever you can log in with a security key, you do. This can alert you to danger if you end up on a phishing site asking you for a TOTP code where you usually use a key.

How does a security key protect you against phishing?

To help prevent you from being tricked by attackers, we need to look a little deeper at how the Web works. In the next section, we’re going to walk through all the parts of a website, so you can spot the real ones from the fakes.
