A security key is a USB-based device that generates an encrypted, one-time security code for use in two-factor authentication (2FA) systems.
In most cases, security codes for 2FA are sent to a user's phone via text-based SMS message. But security keys go the route of hardware-based authentication, requiring an actual physical device that's inserted into the computer's USB drive as a second form of identification.
Security keys are thought to be more effective at preventing phishing attacks and data breaches than 2FA via SMS, because even if someone's credentials are compromised, account login is impossible without that physical key.
The caveat, at least in Facebook's implementation, is that these security keys only work with the latest version of Chrome or Opera web browsers, and Facebook says it won't immediately support the mobile Facebook app.
Facebook is supporting security keys based on the Universal 2nd Factor (U2F) standard established by the FIDO Alliance, such as the YubiKey by Yubico. Google, Dropbox, GitHub, and Salesforce also offer security key support based on the U2F protocol.
Facebook noted that users with an NFC-capable Android device can use Yubico's NFC-capable keys to log in from Facebook's mobile website. However, this method requires the latest version of Chrome and Google Authenticator installed on the device. To add a security key, go to Facebook's Security Settings and follow the prompts under Login Approvals.
From a small business perspective, security keys offer a relatively simple way to secure online accounts from malicious activity. Passwords alone are inefficient when it comes to internet security, and both companies and individuals continue to rely on embarrassingly lazy passwords.
Meanwhile, SMBs tend to rely on an increasing number of web platforms to run their businesses, making the need to secure and protect data and access all the more critical.
Russian hackers are stealing up to $5M a day from US companies