What is a Physical Security Key?
A security key is a hardware authentication device that protects access to computers, networks, and online services. It supports one-time passwords, public-key cryptography, and authentication.
How do Physical Security Keys Work?
Typically, you insert the security key into your device (or connect it wirelessly) and press a button on the key itself. Your web browser or app then presents the security key with a challenge. The key cryptographically signs this challenge, verifying both your identity and whatever it is you're trying to access.
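The challenge-response exchange described above, sketched as an added Node.js example (not code from Internet Identity or from any key vendor). It assumes the U2F-style signed-message layout; the origins and the names createKey, verifyAssertion and demo are hypothetical.

```javascript
// Added illustration: simplified U2F-style challenge-response, both sides.
const crypto = require('node:crypto');

const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// The "security key": holds a P-256 private key that never leaves the device.
function createKey() {
  const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  let counter = 0;
  return {
    publicKey, // given to the service once, at registration
    // `origin` stands for what the browser reports to the key (assumption of this sketch).
    sign(origin, challenge) {
      counter += 1;
      const ctr = Buffer.alloc(4);
      ctr.writeUInt32BE(counter);
      // Layout: SHA-256(origin) || user-presence flag || counter || SHA-256(challenge)
      const msg = Buffer.concat([sha256(origin), Buffer.from([0x01]), ctr, sha256(challenge)]);
      return { counter, signature: crypto.sign('sha256', msg, privateKey) };
    },
  };
}

// The service rebuilds the message from its own origin and the challenge it issued.
function verifyAssertion(publicKey, expectedOrigin, issuedChallenge, lastCounter, assertion) {
  const ctr = Buffer.alloc(4);
  ctr.writeUInt32BE(assertion.counter);
  const msg = Buffer.concat([sha256(expectedOrigin), Buffer.from([0x01]), ctr, sha256(issuedChallenge)]);
  if (!crypto.verify('sha256', msg, publicKey, assertion.signature)) return 'bad-signature';
  if (assertion.counter <= lastCounter) return 'counter-replay'; // same response seen before
  return 'ok';
}

function demo() {
  const key = createKey();
  const origin = 'https://service.example'; // constructed origin
  const challenge = crypto.randomBytes(32); // fresh per login attempt
  const good = key.sign(origin, challenge);
  const otherSite = key.sign('https://look-alike.example', challenge); // constructed
  return {
    genuine: verifyAssertion(key.publicKey, origin, challenge, 0, good),
    replayed: verifyAssertion(key.publicKey, origin, challenge, good.counter, good),
    staleChallenge: verifyAssertion(key.publicKey, origin, crypto.randomBytes(32), 0, good),
    wrongOrigin: verifyAssertion(key.publicKey, origin, challenge, 0, otherSite),
  };
}
```

A signature made for a different origin or an old challenge fails verification, which is why a signed challenge proves both who you are and which service you are signing in to.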
Using a Physical Security Key with Internet Identity
You can use a physical security key to authenticate into almost any application or service, but you should use a dedicated one for the Internet Identity service and authorize as many other devices as possible. Ideally, you’ll want to purchase a security key that supports FIDO U2F and can communicate with both your phone and your computer.
Internet Identity Security Key Best Practices
We always recommend you add multiple devices to your Internet Identity and at least one actual security key. You should register as many devices as possible to prevent you from losing access to your applications should you lose a device. Again, the best way to prevent accidental loss is to use a dedicated security key as a registered device, in addition to other devices, and keep it in a safe place.
The minimum backup setup we recommend for now is:
- Security Key
- Phone with Biometrics (Don’t clear the cache on Mac or iOS!)
- Recovery Phrase
Physical Security Key FAQs
Why do I need special/late-model hardware to use Internet Identity?
Currently, WebAuthn is not supported. As such, Windows computers require the use of a security key that supports FIDO U2F to use the Internet Identity. DFINITY does not sell these keys.
Additionally, the Firefox browser accepts only a security key, both for authentication and for device/browser authorization.
Non-Windows users do not need to have a device with biometrics to use the Internet Identity service. There should be an option to use the computer screen unlock passcode and/or phone screen unlock PIN. The screen unlock feature must be active on the device for that option to be available.
How do I use my security key for authentication when logging in?
Simply plug it into your device’s USB port (or connect it wirelessly) and tap/touch when prompted.
I’ve lost my security key and did not add additional devices to my Internet Identity, what can I do?
Unfortunately, if you’ve lost your security key and did not set up Account Recovery (an additional security key or a seed phrase) you will be locked out.
I’ve lost my security key but added an additional security key to my Internet Identity, how can I log in?
Please visit identity.ic0.app directly and follow the "Lost access and want to recover?" prompt. Please note, if you use a security key as a recovery device, you still need to remember your User Number.
I just set up my Internet Identity using my physical security key. I have another one that I’d like to use as a backup in the event I lose my current one. How can I do that?
Please go through the process of generating and saving a recovery key. This can be done by logging into your account and adding an additional account recovery option. This consists of setting up an additional physical key or a seed phrase that you’d be able to log in with afterwards.
Note when creating a Recovery Seed Phrase: Please make sure to click the “Copy” button upon generating the Recovery Phrase to confirm. Failure to do so will not save the Recovery Phrase under your “Account Recovery” options. The User Number is the first part of the recovery seed phrase.
There are so many physical security keys out there. Which one should I use?
Anything that supports FIDO U2F will work, such as YubiKey® and the Kensington Verimark Fingerprint Key.
Why am I being asked to enter my PIN when logging into the Internet Identity service using my YubiKey®?
When YubiKeys are configured with a PIN (which happens automatically on Windows laptops), the Internet Identity service will request the user's PIN upon each login.
What hardware is acceptable to use for users who opt for self-custody?
At this time, hardware wallets are not supported for self-custody.