Secure your personal email accounts with a FIDO security key

A couple of weeks ago I wrote some articles about passwordless authentication to Windows 10 and SaaS apps (like Office 365) with FIDO2 security keys, from Feitian and Yubico. I shortly described how passwordless authentication works with these FIDO2 security keys. The focus was on using these FIDO security keys in a corporate environment, but these keys can also be used to secure the authentication process for personal usage, like securing your personal email accounts.

These security keys are designed at first for passwordless authentication with the FIDO2 protocol. Unfortunately support for FIDO2 is (at this moment) limited to a handful of personal websites, like Outlook.com.

But besides FIDO2 support, most security keys also support the FIDO U2F protocol. U2F stands for Universal Second Factor. This means you can use the key to secure the authentication process with a second factor (Multi factor authentication). You first authenticate with your (username and) password, but also with a second factor, in this case the security key. This secures your account, as it will be impossible to sign-in to your account without one of the two factors.

Fortunately a lot more websites at this moment already support FIDO U2F. Among these websites are Gmail, Facebook, Twitter and YouTube. But for this article, let`s focus on securing Outlook and Gmail. With these two examples we get a comparison in the authentication process between FIDO2 and FIDO U2F.

Content of this article

  • Configure the FIDO2 security key
  • Configure Outlook for passwordless authentication (FIDO2)
  • Configure Gmail for two factor authentication (FIDO U2F)

Configure the FIDO2 security key

There are several types of FIDO2 security keys of several vendors. The standard key is used with a PIN code, but some vendors have bio versions of the security key, with fingerprint support. In my setup I used a bio security Key, the Feitian K27. If it`s a standard or bio key, you always have to configure the key with a PIN code.

For the best users experience I recommend using Windows 10 1903 or later for setting up the key, as support for configuring a security key is build in these Windows versions. When using an older Windows version, you need to use third-party tooling to configure the key.

To get started insert the security key in your Windows 10 device via USB, open Settings and browse to Accounts. On the Sign-in options tab click Security Key and click Manage.

Your subtitle here

Touch your security key.

Your subtitle here

As you can see, the option to configure my fingerprint is greyed out. You always need to create a PIN for your security key first.
Click Add under Security Key PIN.

Your subtitle here

Enter your PIN twice and click OK.

Your subtitle here

When using a standard security key, setup of the key is finished. Click Close.

When using a bio security key, you are now able to configure on or more fingerprints. Click Set up.

Your subtitle here

Provide your PIN code and click OK.

Your subtitle here

Touch the fingerprint sensor.

Your subtitle here

When finished, add another finger or click Done.

The security key is setup, lets set it up for our personal email accounts.

Configure Outlook for passwordless authentication

Outlook.com (Hotmail/ Live) supports FIDO2 security keys, like Office 365 does. Because of this you only use your security key to sign-in to your webmail and don`t have to provide your username and password. This is the most secure way of authentication, as your username and password aren`t send over the internet.

Let`s first have a look how to register the security key with our Outlook.com account. Sign-in to your account via account.microsoft.com. Browse to Security via the top menu.

Your subtitle here

Choose More security Options.

Your subtitle here

Scroll down to the section Windows Hello and security Keys. Click Setup a security key.

Your subtitle here

You might be asked to confirm your password.
You are provide information about setting up a security key. choose USB Device and click Next to start the setup.

Your subtitle here

Choose Continue.

Your subtitle here

Insert the security key into the USB port.

Your subtitle here

Touch the security key.

Your subtitle here

Enter your security key PIN and click OK.

Your subtitle here

The website asks to see your security key, click Allow.

Your subtitle here

On the next page, give the security key a name and click Next.

Your subtitle here

You`re all set! Click Got it.

Your subtitle here

The registration is finished, let`s see how the end-user experience is when we sign-in to Outlook.com

On the Sign in page from Outlook, choose Sign in with Windows Hello or a security key.

Your subtitle here

Insert the security key.

Your subtitle here

When using a standard FIDO2 security key, your asked to enter the PIN.

Your subtitle here

Touch your security key.
When using a bio security key, you`re not asked for a PIN, only to touch the key.

Your subtitle here

And your signed in! With out providing a username and password!

Your subtitle here

Configure Gmail for two factor authentication

Instead of Outlook, Gmail doesn`t support the FIDO2 protocol (yet), but you`re still able to secure Gmail with the security key, as Gmail does support FIDO U2F. We can use the security key as second factor during the authentication process.

To register the key as second factor, sign in to myaccount.google.com. On the Security tab, under Signing in to Google, choose 2-step Verification.

Your subtitle here

Your are provided some information about protecting your account with 2-step verfication.

Your subtitle here

You might be asked to verify your password.
Click Choose another option an select Security key from the drop-down list.

Your subtitle here

Click Next.

Your subtitle here

Insert the security key into the USB port.

Your subtitle here

As I`m using a bio security key, I only have to touch the key, otherwise your also asked for a PIN.

Your subtitle here

The website asks to see info of the security key, click Allow.

Your subtitle here

Give your security key a name and click Done.

Your subtitle here

The security key is registered for 2-step verification (two factor authentication). Let`s see how the authentication process now looks like.

Browse to Gmail.com and enter your password.

Your subtitle here

Insert the security key into the USB port and touch the security.
With a standard key, you`re asked to enter your PIN.

Your subtitle here

And you`re signed in to Gmail using a second factor!

Your subtitle here

As Microsoft with Outlook is (at this moment) the only (free) email provider with support for FIDO2, with Outlook you get the best user experience when using a FIDO2 security key. But as Google is also a member of the FIDO Alliance, I assume that Gmail will receive FIDO2 support in a near future.
For now you`re able to secure your Gmail account with the key as second factor.

As mentioned, not only email accounts have FIDO U2F support and can be secured with a security key. Social media accounts like Twitter and Facebook can also be secured with the security keys, and maybe in the future get FIDO2 support for a passwordless future!

That`s it for now!

Be the first to comment

Leave a Reply

Your email address will not be published.


*