If you're on the internet, you probably have an account with Google, whether it's to post videos to YouTube, to check your email with Gmail, or to access the range of features available on Android devices. Because Google is so important, it's critical you keep your Google account secure from takeovers, and the best way to do that is with multi-factor authentication (MFA) with a security key. (That's especially true if you use Gmail—if a bad guy can access your email, they can use the account recovery tools on other sites to hijack those accounts, too.)
But just what is a security key and how can you use one to protect your Google account? We're here to show you.
What Is Multi-Factor Authentication?
MFA is sometimes called two-factor authentication (2FA), but not because it adds a second step to your login process. Instead, the name actually comes from a deeper theory about identity, which holds that all forms of authentication fall into three broad categories:
- Something you know, like a password.
- Something you are, like your fingerprint or some other biometric factor.
- Something you have, like a security key.
The idea is that using more than one of these factors together will effectively keep bad guys out. Even if an attacker has your password (something you know), they won't have your security key or fingerprint, and therefore won't be able to get into your account.
This isn't just a theory. When Google required its employees to use hardware security keys, account takeovers effectively dropped to zero. The system works.
The most important thing you, as a reader, should take from this article is that you should be using MFA wherever it's offered. While some forms of MFA are more secure than others, what's most important is that you choose the one that works for you and that you actually use it.
The two most common methods for MFA are authenticator apps for smartphones and one-time use codes sent via SMS. We think authenticator apps are a good starting point for anyone new to MFA. These apps generate one-time use codes you enter along with your username and password. They're easy to use and free, but they do require you to have a functional smart device on hand. We strongly recommend readers avoid receiving MFA codes via SMS, as these can potentially be intercepted. But if it's the only option available, then it's better than not using any form of MFA.
Keep in mind that Google offers other forms of MFA, particularly for Android users. You can configure Google to send you a push notification to a trusted smart device that acts as an MFA factor, or use your Android device as a security key. These only work for logging into Google, however.
Although MFA works great, it only works if you are using unique, complex passwords for each and every site and service. The best way to do that is with a password manager. Also, no amount of MFA will protect you if a bad guy has already installed malware on your machine, so we also recommend readers use local antivirus software.
What's a Security Key?
A security key is a small device, usually about the size and shape of a USB flash drive, that you use to authenticate yourself to a site or service. To do so, you typically first enter your username and password as usual and are then prompted to plug in and tap your security key. Although you can plug security keys into mobile devices, most keys also use NFC to communicate wirelessly with phones and tablets.
There are several benefits to using security keys, the first and foremost being they don't require a phone to work. Most security keys have no moving parts or batteries, and don't require a network connection to function. Because they're dedicated, offline devices, they're also harder for bad guys to attack. Plus, security keys are a little more fun to use, giving a secret agent thrill to the mundane task of logging into your corporate email.
There are, of course, drawbacks to using security keys. For one thing, they cost money—typically between $20 and $80. For another, not every site or service supports security keys. Even if you're ready to go all-in with security keys, you'll need to use an authenticator app for all the places that don't accept keys.
Readers have reached out to us, concerned ne'er-do-wells might steal their security keys. That's possible, but not probable, and they would still need your password to hijack your account. You're far more likely to lose your key than have it stolen. Don't let that deter you, however. There are lots of ways to protect against being locked out of a site because of MFA. The easiest is to simply enable multiple MFA options—such as a second backup key or an authenticator app—or generate backup codes as a last resort.
Which Security Key Should I Use With Google?
Unlike Apple, Google actually sells its own branded security keys: Titan Security Keys. We've tested them and found them to be excellent devices, though they are far from the only options when it comes to protecting your Google account. Some newer Android phones can be used as security keys when logging into Google, as mentioned above.
Google recommends any FIDO-compliant security key—that is, any key that works with the main standard that enables security keys to work in the first place. So, just about any key will work. When shopping for keys, look for keys that work with FIDO2 or WebAuthn, which are the two most recent versions of the standard.
When choosing a key, your main considerations should be cost and practicality. As we said above, advanced security keys can cost over $80, so pick a key that fits your budget.
In terms of practicality, you'll want a key that actually fits your devices—literally. Most security keys have either an unshielded USB-A or USB-C connector, so you'll want to choose the key that works with all your primary devices. Fortunately, security keys can use simple port adapters, too. Again, most security keys also offer NFC for communicating with phones or tablets, so you'll want to consider that as well.
Beyond the basics, security key manufacturers offer a cavalcade of advanced features. The YubiKey 5 series, which includes our Editors' Choice pick the YubiKey5C NFC, is enormously powerful, with features like encryption key storage and much more besides. The Bio series from Yubico and the Kensington VeriMark Guard USB-C Fingerprint Key add biometric confirmation, requiring a fingerprint to authenticate you. Most people won't need these features, and if you're looking over the list of features and find that your eyes glaze over, consider some lower-cost devices.
For most people starting out with security keys, the affordable Yubico Security Key Series is probably the best option. Do note that Yubico appears to be poised to release a new version of this key, which will presumably be an upgrade over the previous blue version of the Security Key NFC. The Nitrokey FIDO2 is a similarly priced security key that uses open-source hardware and software, but is a bit bulkier.
Note that Google's Advanced Protection Program requires not one but two security keys. This is similar to the requirements for using security keys with your Apple ID. This program adds additional layers of protection to your Google account and is targeted at high-value targets such as activists, journalists, and politicians, but anyone can sign up. Apple has a similar option called Advanced Data Protection for iCloud.
How to Set Up Security Keys for Your Google Account
Before you start, you'll need a few things: First, you'll need to have at least one security key. Second, you'll need your existing password to your Google Account. Finally, you may need to authenticate yourself in order to enable MFA security keys, so be sure you can access your email inbox, a trusted device, and your existing MFA option if you've already enabled it for your Google Account.
On Google.com, click your user image in the upper-right corner and select Manage Your Google Account. If you have multiple Google accounts, be sure you're logged into the right one, but you should add your security key to all of them.
Next, click on Security on the left of the screen. In the Ways We Can Verify It's You section, make sure you have enabled some recovery options. Next, look for the section called Signing In To Google and click 2-Step Verification.
A quick note: The account we used was already configured to use MFA, but if you've never enabled MFA before, you may be prompted to use a different method other than security keys. You can always change your MFA options later, once you enroll your keys, and it's a good idea to have backup MFA options. We recommend Google prompts, which let you authenticate via push notifications sent to your phone, as well as through the authenticator app and backup codes.
When you're ready, click on Security Key, and then Add Security Key. On the next screen, you can choose to enroll a physical security key or an Android device as a security key. Click the one that's relevant to you. If you've bought a separate hardware key, you'll want to click the Physical Choice and then hit Next.
On the next screen, you'll be prompted to follow the instructions in your browser. These will look different depending on which browser you favor. You'll then be told to plug in your security key. If you already plugged it in, just wait a beat or two. You may be prompted to tap your key at some point, so be sure to read the instructions carefully.
On the next screen, you'll be asked to give your key a name. Use something descriptive here. Perhaps the model of key (Nitrokey), some physical characteristic (Blue key), or perhaps its location (taped to my leg). Whatever will help you remember which key to use!
And that's it! You've enrolled your first security key with your Google account. If you already bought a second key to use as a backup, you can add it as well. And don't forget to enable a second backup form of MFA while you're changing settings, and to enroll your key with any other Google accounts, too.
Note that we used a Mac running Firefox for these instructions. While you can access MFA settings through Android, making any changes and enrolling new keys will all happen through your mobile browser. The only difference is that you have the option to tap or plug in your key on a mobile device. Although some laptops or desktops might support NFC, we haven't tested those configurations.
More Ways to Secure Your Accounts
Using any kind of multi-factor authentication is better than not using any at all, but using security keys is probably the best way to protect your accounts online—especially your Google account. Rest easy knowing the key to your accounts is nestled safely with the keys to your home.
Now that you've secured your Google account with a security key, consider doing the same with your Apple ID. You should also consider ways to improve not only your security but also your online privacy.