Hardware Security Keys for MFA

Owned by Sean Stockburger (Unlicensed)
Last updated: Mar 29, 2021
3 min read

A security key will not work as your only form of verification method. You must add another option like your mobile phone number, the Authenticator App, or even your home or office phone number before you can add a security key.

The recommended sign-in/verification methods for multi-factor authentication are the Authenticator App and your mobile phone number, but if you do not have a mobile phone there are other options:

  • You can register your home phone number, but that will work only when you are home. You will not be able to sign-in when you are in other off-campus locations.

  • You may purchase a hardware security key for MFA.

 

Types of hardware security keys

The type of security key you should purchase is a FIDO2 key, but you need to make sure you purchase one that will work with your off-campus device(s).

  • Most FIDO2 keys cost between $20 and $50. Popular brands include Yubico (maker of the Yubikey), Token2, and Thetis.

  • Keys vary by material, ruggedness, water-resistance, and interface. The most important consideration is the interface:

    • Buy a security key that has a USB-A interface if you plan to use it with a desktop computer at home (Mac or PC)

       

    • Buy a security key with a USB-C interface if you have a Macbook or PC laptop that has only a USB-C port.

       

    • Optional features include NFC for wireless sign-ins on an Android device, but if you have a device capable of running Android or iOS we recommend just using the Authenticator app.  

Adding your security key as an MFA sign-in verification method

  1. Go to https://mysignins.microsoft.com/security-info to add a new sign-in verification method.

  2. Click the Add Method button.

    1. If you already have a phone number or the Authenticator app listed, continue to Step 3.

    2. If you do not have a phone number or the Authenticator app added, you must add the Authenticator app, your mobile number, or your office or home phone number before you add a security key.

  3. Choose Security Key and click the Add button.

     

  4. Follow the on-screen instructions to finish setting up your security key. You will be prompted to choose the type of device you have. Select USB Device

  5. Insert the USB security key into one of your computer’s available USB ports when prompted, and follow the instructions. You may need to wait a few seconds for the prompts to appear. Windows should automatically recognize the device, but depending on the brand of security key you may need to refer to instructions from the manufacturer. Some security keys will prompt you to create a key, and others will prompt you to touch a button that will read your fingerprints.

Using your Security Key to sign in to Office 365

  1. Plug your USB security key into the computer.

  2. On a Microsoft sign-in screen, select Sign-in options

  3. Select Sign in with Windows Hello or a security key

  4. Enter the PIN you created while setting up your security key.

  5. Touch the security key when prompted