How to Set Up a Hardware Security Key for Google, Twitter, and Facebook

Two-factor authentication (2FA) adds a vital extra layer of protection to your online accounts. Relying on your smartphone, however, can be inconvenient—and risky if your phone is lost or damaged. Hardware security keys offer a robust alternative, safeguarding password-protected accounts and your digital identity without those drawbacks. They're straightforward to set up. Follow our expert-tested guide to link one to your Google, Twitter, and Facebook accounts.

Contents

• Which security key should I use?
• Link a key to your Google account
• Link a key to your Twitter account
• Link a key to your Facebook account

Security keys connect via USB-A, USB-C, Lightning, or NFC and are compact enough for your keychain (except Yubico's ultra-small 5C Nano Key, best kept in your computer's USB port for security). They support standards like FIDO2, U2F, smart card, OTP, and OpenPGP.

Insert the key or connect wirelessly, and your browser sends a challenge including the site's domain. The key cryptographically signs it, authorizing secure login.

Major sites support U2F keys, including Twitter, Facebook, Google, Instagram, GitHub, Dropbox, Electronic Arts, Epic Games, Microsoft, Nintendo, Okta, and Reddit. Check your key's site for compatibility—YubiKey supported apps, for example.

Initial setup is required, but then it's simple: enter your password, insert the key, and press its button for secure access.

Keys can't be copied or migrated—even across identical models—by design, preventing duplication. If lost, fall back to phone 2FA or an authenticator app, then re-register a new key.

Which security key should I use?

Trusted brands like Yubico (FIDO U2F co-developer) offer multiple models. Google's Titan comes in USB-C, USB-A/NFC, or Bluetooth/NFC/USB variants. Others include Kensington's fingerprint-enabled USB-A key and Thetis USB-A.

We tested the YubiKey 5C NFC, which fits USB-C ports and works with phones via NFC. Steps are similar across keys.

Associate a key to your Google account

Enable 2FA first on your Google Account.

• Sign in, click your profile icon (top right), and select "Manage your Google Account".
• Click "Security" in the left menu. Scroll to "Signing in to Google" and select "2-Step Verification" (re-authenticate if prompted).

• Scroll to "Add more second steps to verify it's you". Click "Security Key" > "Add security key".
• Choose "USB or Bluetooth / External security key" (skip built-in options).
• Ensure key is ready but unplugged. Skip Advanced Protection unless needed; click "Next".
• Insert key, press button, and approve Chrome prompt to read it.
• Name your key.
• Done! Manage via 2FA page.

Associate a key to your Twitter account

• Log in, click "More" (left), then "Settings and privacy".
• Go to "Security and account access" > "Security" > "Two-factor authentication".
• Select "Security key" (enter password if asked).
• Click "Start".

• Insert key and press button.
• Confirm "Security key found", name it, click "Next".
• You're set! Save the backup code securely.
• To remove: Back to 2FA > "Manage security keys" > Delete (confirm password).

Associate a key to your Facebook account

• Log in, click down arrow (top right) > "Settings & Privacy" > "Settings".
• Select "Security and Login" (left).
• Scroll to "Two-Factor Authentication", click "Edit" (password prompt possible).
• No 2FA? Choose "Security key" (prefer authenticator app first). With 2FA? Under "Add backup method".

• Click "Save security key", insert/press key button.
• Complete. Use on new devices/browsers; as backup otherwise.
• Remove via 2FA > "Manage my keys".