How to Secure Your Google, Dropbox, and GitHub Accounts With a U2F Key

U2F is an emerging standard for physical authentication tokens. Current U2F keys are all small USB devices. To log in, you won’t need to enter an authentication code provided by an app or SMS — just insert the USB security key and press a button. Here’s how they work.

This standard is just taking form, so it’s only supported in Chrome at the moment — Microsoft and perhaps Mozilla are adding support. Google, Dropbox, and GitHub all allow you to use U2F keys to secure your account.

What You’ll Need

To get started, you’ll need just a few things:

  • A FIDO U2F security key: You’ll need the physical authentication token to get started. Google’s official documentation tells users to search for “FIDO U2F Security Key” on Amazon and buy one. The top result is from Yubico, who worked with Google to develop U2F before other companies signed on and has a history of making USB security keys. The Yubico U2F key is a good bet.
  • Google Chrome: Currently, this is only supported in Google Chrome. Mozilla Firefox may eventually add support, and Microsoft is working on adding support to Edge. For now, you’ll need Chrome for this — it works on Windows, Mac, Linux, and Chrome OS.

When signing in from a platform that doesn’t support security keys — for example, your smartphone or a non-Chrome browser — you’ll be able to authenticate in another way. For example, you might have to enter an authentication code sent to you via SMS.

Google

Head to Google.com and sign in with your Google account. Click the profile picture in the upper-right corner of any Google page and select “My Account” to view information about your account.

Remove your key from your USB port if it’s already inserted. Click the “Register” button, plug in the security key, and press its button if it has one. Click “Done” and that key will then be associated with your Google account.

When you log in from a new PC, you’ll be prompted to authenticate with the USB security key. Just insert the key and press the button on it when you’re asked to do so.

If you don’t have your security key or you’re signing in from a device or browser that doesn’t support this, you can still use SMS verification or another two-step verification method you’ve configured in your Google account security settings.

Dropbox

To set this up with Dropbox, visit the Dropbox website and sign in with your account. Click your name at the top-right corner of any page, select “Settings,” and then click the “Security” tab. You can also click here to go straight to your account security page.

If you haven’t enabled two-step verification yet, click the “Enable” link to the right of Two-step verification. You’ll have to set up either SMS verification or a mobile authenticator app like Google Authenticator or Authy before you can add a security key. This will be used as a fallback.

Once you’re done — or if you’ve already enabled two-step verification — click “Add” next to Security keys.

Just click through the process, inserting your USB security key and pressing the button on it when you’re asked to do so.

The next time you log into Dropbox from Chrome, you’ll be prompted to insert your USB security key and press its button. If you don’t have it or your browser doesn’t support it, you can use a code sent to you via SMS or generated by a mobile authenticator app instead.

GitHub

To secure your GitHub account with a security key, head to the GitHub website, sign in, and click the profile picture at the top-right corner of the page. Click “Settings” and then click “Security.” You can also click here to go straight to the Security page.

If you haven’t set up two-factor authentication yet, click “Set up two factor authentication” and go through the process. As with Dropbox, you can set up two-factor authentication using SMS codes sent to your phone number or with an authenticator app. If you have set up two-factor authentication, click the “Edit” button.

On the two-factor authentication configuration page, scroll down to the bottom and click “Register new device” under Security keys.

Type a nickname for the key, click Add, and then insert the key into a USB port on your computer and press its button.

You’ll be asked to insert the key and press the button on it whenever you sign into GitHub. If you don’t have it, SMS authentication, the code-generating app, or a standard recovery key can all be used to gain access to your account.


It’s early days for U2F, but expect more and more services to add support for it in the future. The FIDO consortium, which develops U2F, includes companies like Google, Microsoft, Intel, ARM, Samsung, Qualcomm, VISA, MasterCard, American Express, PayPal, and a variety of big banks. With so many big companies involved, many more websites should start supporting U2F security keys soon.