We’ve long extolled the benefits of two-factor authentication for all of your online accounts. But while a great step toward improving your cybersecurity, SMS-based 2FA is still not completely secure. That’s where a physical security key can come in.
Physical security keys are maybe one of the best ways to shore up your online defenses. And best of all, most of them are 100 percent compatible with your iOS devices.
Here’s what you need to know about security keys and how to use them on your iPhone.
What is a security key?
Two-factor authentication is a security feature that requires a second step before you can log into your accounts. You’re likely already familiar with those one-time codes sent via SMS.
Security keys essentially offer an alternative to this. Instead of authenticating via text, you’ll confirm that it’s really you trying to log in with your security key.
On iPhones, this is typically done by near-field communication (NFC) or by simply plugging the security key into your iPhone.
Keep in mind that, just like regular text-based 2FA, you’ll only need to authenticate on new devices or systems that you don’t use regularly. If you’re already logged into a Gmail account on your primary iPhone, for instance, you won’t need to authenticate every time you open the app.
Benefits of a security key
The biggest benefit of a physical security key is that your authentication codes are stored in a single tangible place that’s likely on your person or somewhere else secure.
Because of that, an attacker is going to have an extremely hard time logging into your accounts without access to both your password and that physical security key.
That makes physical security keys much more secure than SMS authentication, since hackers have been known to hijack phone numbers via SIM-jacking to intercept and steal those one-time 2FA passcodes.
Downsides of a security key
The biggest downside: convenience. While authenticating with a security key only takes a couple of seconds, you’ll always need to have it with you if you’re logging into accounts on new devices.
This becomes especially important since losing the security key means you’ll normally be locked out of your accounts. While many platforms offer a time-intensive recovery, we’d recommend buying two or more security keys and registering them with your accounts as backups.
The only other downside that becomes apparent is that security keys will cost you. Many of the higher quality ones, which we’d recommend going with, can cost upwards of $40 apiece.
Which services support security keys?
Pretty much every major online service now offers support for security keys. That includes everything from Facebook and Google to password managers like 1Password or Bitwarden.
It’s worth noting that some services, like the aforementioned password managers, require a premium account or subscription to use a security key. Most social media platforms or services like Google do not.
Also important for Apple users to keep in mind: currently, Apple doesn’t support using a security key to log into your iCloud or Apple ID account. You can, however, use a security key to log into a Mac.
For iPhone users, you’ll normally only be able to use security keys on apps. Web browsers like Chrome or Firefox Focus don’t currently support security keys.
On the other hand, Apple recently added security key support to Safari in iOS 13.3. That means you’ll be able to log into your online accounts via security key, as long as you’re using the native iOS web browser.
How to set up a security key
Setting up a security key is usually pretty simple, although the exact method can differ wildly depending on which system you’re using it for.
Because of that, we’ll offer the following general advice.
- Make sure the accounts you use support the security key you’re looking at. You can typically find this information on an FAQ or within other documentation.
- Google how to add a security key to your specific account. Like we said, the method will vary depending on whether you’re trying to secure Google or Twitter.
- Keep your devices handy. When setting up a physical security key as a 2FA method, you’ll want to make sure you have your password handy. Similarly, you’ll need to actually plug your security key into your device or authenticate via NFC.
For example, on Google, you’ll log into your Google account (preferably from an already trusted device). Then navigate to your Settings > Security and two-step verification settings. Click Add Security Key and plug your security key in or place it on the back of your iPhone.
Facebook has a similar method. Just head over to Security & Login Settings and enable two-factor authentication. Then, navigate to Edit > Security Keys and click Add Key. Follow the onscreen instructions.
How to use a security key on iPhone
When it comes time to actually use your security key, it’s even simpler than setting it up.
Say you’re trying to log into your Bitwarden account (which is an open-source password manager that we can wholeheartedly recommend). You’ll enter your email and your master password. Then, once the app clears those, you’ll come to a new screen prompting you to authenticate with your security key.
Depending on which security key you have, you can either plug it into the iPhone’s Lightning port or hold it near the back of your iPhone.
Once it authenticates, you’ll be logged into your app.
Security key recommendations
There are plenty of high-quality security keys available on the market, but there are a few that we’ve tested and can wholeheartedly recommend.
That’s especially true for Apple users. The Yubico YubiKey 5 NFC works beautifully with Apple’s iPhones over near-field communication. The fact that it can also plug into a standard USB-A port is great because you may find yourself at a Windows terminal sometimes.
If you’d like a more Apple-centric solution, the Yubico YubiKey 5Ci has both a USB-C connector for plugging into your Macs and iPad Pros, as well as a Lightning connector for authentication on iPhones and iPads.
Keep in mind that the Yubico 5Ci doesn’t have NFC. The same goes for the tiny Yubico 5 Nano, which is great for users who only need to authenticate via USB-A.
Again, if you lose any of your security keys, you’ll be locked out of your account unless you go through an arduous recovery process or write down backup access codes in advance.
Because of that, we recommend buying at least two security keys — one as a primary for your keychain and one to keep at home as a backup. We’ve found that the YubiKey 5Ci and the standard 5 are a great pair.
Google security key
So we’ve covered using a security key with your iPhone pretty extensively so far. But what about using your iPhone as a security key?
That’s actually possible now thanks to a recent Google app update. Basically, the search giant will now let you use your iPhone as a FIDO2 security key.
Essentially, what this means is that you’ll be able to log into your Google accounts on Windows, Mac or iOS using your iPhone to authenticate via Bluetooth. That’s extremely handy for Google account users, since you can use a physical security key and have your iPhone as a backup authentication method.
Of course, this only goes for Google accounts. But thanks to the Secure Enclave on iPhones, other app makers may take notice and add similar support for their services in the future.
We hope that you found this article helpful. Please let us know if you have any questions.