A physical USB security key plugs into your computer's USB port and functions as an extra layer of protection that's used on Windows 11 and your Microsoft Account.
When you use Windows Hello as a sign in authentication method, you typically think about providing your face or your fingerprint for verification. But you could also use a FIDO2-compliant USB physical security key
You can use a USB security key with a unique PIN as a passwordless sign-in method to sign into Windows 11 and access your Microsoft account.
Because security keys require you to have the physical device and something that only you know, like a unique PIN, physical security keys are considered to be a stronger authentication method than using just a username and password.
Set up a USB security key on Windows 11
Of course, you can't simply create a USB physical security key by just using any spare USB flash drive like you can create a USB startup key. Instead, you need to buy a FIDO2 security key.
According to Microsoft, a FIDO2 security key is "an unphishable standards-based passwordless authentication method." FIDO2 security keys are typically USB devices that are equipped with Bluetooth or NFC.
Since a FIDO2 USB security key is equipped with the hardware to handle the authentication, the security of the account is increased because there's no password that could be exposed or guessed. FIDO2 security keys are a great option for enterprises who are very security sensitive and can also be used for employees who aren't willing or able to use their phone as a second factor for authentication.
The Security Key NFC by Yubico is only about $25, supports FIDO2 (Fast IDentification Online) and U2F (Universal 2nd Factor), and has a USB-A connection with NFC connectivity. It's also IP68 rated and made of ceramic, so I can carry it on my keychain without having to worry about getting it wet or damaged.
If you are wondering where to look for USB security keys, Microsoft offers an extensive list of FIDO2 security key providers. Here's what you need to do to set it up and use a USB security key on your Microsoft Account and Windows 11.
Manage USB security key PIN in Windows Hello settings
If you ever want to change your USB security PIN or reset the USB security key back to factory settings, you can do that from within Windows Settings. Here's what you need to do.
1. Go to Settings > Accounts > Sign-in options.
2. Under Ways to sign in, go to Security key and click Manage.
3. After you click Manage, a window will pop up prompting you to insert your USB security key. Insert your USB security key or tap your NFC reader to verify your identity on your Windows 11 PC now.
4. Once your USB security key is inserted and verified, you can either change the Security Key PIN or Reset Security Key to factory settings.
5. Click Close when you are finished.
Add USB security key to your Microsoft Account
Here's how to set up a USB security key on your Microsoft Account.
1. Set up a security key by signing into your Microsoft Account's Security basics page in a browser.
2. Click "Get started" under Advanced security options.
3. Click Add a new way to sign in or verify.
4. Click Use a security key.
5. Ensure that the USB device tab is selected, and your USB is inserted into your PC, then click Next to set up your USB security key.
6. Next, you will need to set up a PIN. Once you set up and confirm your PIN, click OK.
7. Finally, you need to name the USB security key so you can identify it later. Create a name for your USB security key and then click Next. I named my security key, "Security Key NFC by Yubico."
8. You're all set! The next time you sign in, you can use your security key and PIN to sign into your Microsoft Account.
From here, you can add another security key or click Got it to be taken back to your Microsoft Account's Security dashboard.
Once added, you will see your security key listed as a sign-in verification option under Ways to prove who you are.
You can add up to 10 physical security keys to your Microsoft Account.
Now, you can use your physical USB security key and PIN to sign into your Microsoft Account. Just plug in the USB to your PC, enter the PIN, and you will have access to your Microsoft Account and PC in no time at all.
Have you tried out the YubiKey or another brand on Windows 11? Any problems with losing your USB drive or having it fail? Let us know in the comments below.