A Physical Authentication Device (PAD), also called a security key, is a form of two-factor authentication (2FA) that adds an extra layer of security to your online accounts. You register the PAD to your account; then, when you log in, you enter your login credentials (username and password) and use your PAD (plug it into a USB port or scan it via NFC). Both the login credentials and the PAD are needed at login. This physical layer of protection prevents many account takeovers that can be done virtually.
Two-factor authentication (also known as 2FA or two-step verification) is a method to confirm a user’s claimed online identity by using a combination of two different types of factors. A password is typically considered one factor, and with 2FA that is combined with another factor to increase login security. Factors used for 2FA include something that you know (e.g. password or PIN), or something that you have (e.g. a security key or phone) or something that you are (e.g. facial recognition).
Traditional password authentication schemes have security and usability issues. Using simple passwords across multiple sites creates security risks such as phishing and man-in-the-middle attacks. Using complex passwords brings usability issues and frequent password resets.
Security keys use public-key cryptography to provide a secure authentication scheme for online accounts. The security key creates a new set of key pairs to enhance security.
An authenticator app lives on your phone and generates a time-based numerical code. It is a better second factor than text messaging, but not as good as a security key. An attacker who tricks you into entering your password and an authenticator code into a website they control can get into your email account. This is not the case if you log in using a security key.
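The difference between the two second factors can be shown with a short Node.js model. This is an added example, not code from the original page: it is a simplified model rather than the real WebAuthn/CTAP message format, and the origins, the shared secret and all function names are constructed for illustration.

```javascript
// Simplified model (added illustration), not real WebAuthn/CTAP message formats.
const crypto = require('node:crypto');
const REAL = 'https://mail.example';       // constructed origin of the genuine site
const PHISH = 'https://mail-example.test'; // constructed look-alike origin

// Authenticator app: RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits).
function totp(secret, unixSeconds) {
  const counter = Buffer.alloc(8);
  counter.writeBigUInt64BE(BigInt(Math.floor(unixSeconds / 30)));
  const mac = crypto.createHmac('sha1', secret).update(counter).digest();
  const bin = mac.readUInt32BE(mac[19] & 0x0f) & 0x7fffffff;
  return String(bin % 1e6).padStart(6, '0');
}

// Security key: one key pair per site; the signature covers the origin.
class SecurityKey {
  constructor() { this.keys = new Map(); } // origin -> private key
  register(origin) {
    const { publicKey, privateKey } =
      crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(origin, privateKey);
    return publicKey; // the site stores only the public key
  }
  // The browser, not the user, reports the origin the page was loaded from.
  sign(origin, challenge) {
    const priv = this.keys.get(origin);
    if (!priv) return null; // no credential exists for this origin
    return crypto.sign('sha256', Buffer.from(`${origin}|${challenge}`), priv);
  }
}

// Genuine site: verify the signature over its own origin and its challenge.
function serverVerifyKey(publicKey, challenge, signature) {
  if (!signature) return false;
  const msg = Buffer.from(`${REAL}|${challenge}`);
  return crypto.verify('sha256', msg, publicKey, signature);
}

// The user is on the look-alike page; whatever that page collects is relayed to REAL.
function compareFactors() {
  const now = 1700000000, secret = Buffer.from('constructed-shared-secret');
  const typed = totp(secret, now);                      // code typed into PHISH
  const totpAccepted = typed === totp(secret, now + 5); // REAL accepts the relayed code
  const key = new SecurityKey(), pub = key.register(REAL);
  const challenge = crypto.randomBytes(16).toString('hex'); // issued by REAL
  const keyAccepted = serverVerifyKey(pub, challenge, key.sign(PHISH, challenge));
  const genuine = serverVerifyKey(pub, challenge, key.sign(REAL, challenge));
  return { totpAccepted, keyAccepted, genuine };
}
```

`compareFactors()` returns `totpAccepted: true`, `keyAccepted: false` and `genuine: true`: the typed code is valid wherever it is replayed within its time window, while the key's response is tied to the site it was registered with.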
You'll need it every time you log in on a new machine. You can decide whether sites ask you for the security key every time you log in on a known machine, or trust the machine after first use.
You can use a single key for as many accounts as you like.
No, your security key will work on any device that supports the communication method of the key. For example, a USB security key can be used with any device that has a USB port; similarly, a Bluetooth security key can be used with any device that supports Bluetooth connectivity.
So, carry your security keys with you like a car key.
Yes, you can use the NFC and Bluetooth keys with your smartphone wirelessly. Alternatively, if your smartphone has a USB-C port, you can plug your key into that as well.
Yes, you can use the NFC and Bluetooth keys with your iPhone. As for the iPad, only the new generation with a USB-C port supports the use of a security key.
Yes, you can leave the key plugged/connected to a device you use frequently. It is however recommended that you don't keep the security key connected on public/shared devices that might be accessible by others (such as a public computer or a work computer in an open setting).
Yes, you can add multiple security keys to an account. In fact, it is recommended to have at least 2 security keys linked, just in case you damage or lose one.
It's recommended to have more than one form of 2FA added to your accounts (such as using an OTP, Mobile Push, etc.). This will be useful to regain access to your account in case you lose your security key. You could also add more than 1 security key to your account and keep the spare one in a secure location in case you need it.
If you do end up being locked out of your account, similar to losing/forgetting your password, you will need to contact the service for help with account recovery.
Once you have linked and set up your security key with your account, it becomes like your password. The same way you wouldn't share your password with anyone, a security key must also be kept private.