This article applies to:
Congratulations, you have a U2F YubiKey! So how do you set it up to protect your Facebook account? Follow these instructions and you'll be protected with the simplicity of YubiKey two-factor authentication in no time!
- Latest version of Google Chrome browser (or at least version 38) or Opera browser
- A FIDO U2F Security Key by Yubico, YubiKey 4, YubiKey 4 Nano, YubiKey 4C, YubiKey NEO*, or other Yubico U2F-enabled YubiKey
- A Facebook account
Setting Up Your Facebook Account
- In Google Chrome or Opera, log in to Facebook.
- Click the arrow at the top right, and then click Settings.
- In the Security Settings page, in the left pane, click Security.
- Next to Login Approvals, click Edit.
- Under Code Generator, click the link to set up a third party app to generate codes.
- Scan the QR code with your favorite authenticator app that you use to generate codes (or enter the secret key manually, if required).
- Once the credential is added to your authenticator app, return to Facebook in your browser and enter the current 6-digit code generated by the app in the Security code field, and then click Confirm.
- Next, you are going to add your YubiKeys. Still in Login Approvals, under Security Keys, click Add Key, and then click Continue.
- Insert your YubiKey into a USB port of your computer (if it isn't already inserted), wait for the YubiKey to blink, and tap the YubiKey.
- Enter a name for your YubiKey, and then click Continue.
- Click Done.
- If you have additional YubiKeys to register, repeat steps 8-11 until all devices are registered
- Next, you are going to enable two-factor authentication, so that you can use your YubiKeys. Still in Login Approvals, for Two-Factor Authentication is currently disabled, click Enable.
- You are prompted with a message for the next seven days, do not require a second factor to disable two-factor authentication. This option is checked automatically. For greater security, we recommend that you uncheck this option. This means that if you want to disable two-factor authentication, a form of two-factor authentication will be required first. This is a way to ensure that your account isn't accessed by someone who could then change or disable your security settings.
- Click Enable.
- Click Close.
- You can now log out of your Facebook account and log back in to confirm that two-factor authentication is enabled.
Note: For better security, we recommend removing your phone number to stop receiving text messages (SMS) for login approvals. You can replace it by adding both a security key and Code Generator to your Facebook account.
Logging in to Your Facebook Account
Logging in to your Facebook account with your YubiKey is refreshingly simple.
- On the Facebook login page using Chrome or Opera, enter your Email or Phone, Password, and click Log In.
- In the Two-Factor Authentication Required screen, be sure your registered YubiKey is inserted and the light is flashing, before you tap it.
- In the Remember Browser screen, choose if you want to save this browser so you don't have to authenticate the next time you log in.
Congratulations! Your Facebook account is now secure with Yubico two-factor authentication!
Using YubiKey NEO with NFC?After you have set up your YubiKey NEO, you can use it to log in on your Android device. For information on how to use your YubiKey NEO with Facebook on Android, see the following section.
No U2F-Enabled YubiKeys?
Here is a one-time password solution for Facebook that works with YubiKeys that do not currently support U2F. It relies on a free application called Yubico Authenticator (that works on the Windows, Mac, or Linux operating systems) to generate time-based authentication codes.
Running Microsoft Internet Explorer or Mozilla Firefox?
Mozilla is currently building support for U2F and Microsoft is working within the FIDO Alliance to bring support to Windows 10. But for now, you can use Yubico Authenticator, described above, for YubiKey two-factor authentication if your browser isn't Google Chrome or Opera.
How to Use Your YubiKey NEO with Facebook on Android
Congratulations, you have an NFC-enabled U2F YubiKey! So how do you set it up to protect your Facebook account? Follow these instructions and you'll be protected with the simplicity of YubiKey two-factor authentication in no time!
- Smartphone running Android OS with NFC enabled
- Latest version of Google Chrome browser
- Latest version of Google Authenticator
- A YubiKey NEO*
- A Facebook account
*YubiKey NEO for NFC requires firmware version 3.4.6 or later (available since October 2015)
Logging in to Your Facebook Account on an Android Device
Logging in to your Facebook account with your YubiKey NEO is refreshingly simple.
- Ensure you have added your YubiKey NEO to your Facebook account following these instructions, and that you have enabled two-factor authentication.
- On your Android device, open Google Chrome, and log in to Facebook using your username and password. The Google Authenticator app opens.
- You may see the message Preparing Security Key data, wait a short amount of time (this message usually appears only the first time when you use your YubiKey NEO). When you see the message Touch & hold, hold your YubiKey NEO against the NFC antenna on your phone.
- If Google Authenticator is not communicating with your YubiKey NEO, you may need to confirm you're holding the device in the proper location against your phone. For more information, see the documentation for your phone.
- After the authentication process has completed, make sure you select Don't Save, and then tap Continue. If you leave the default setting of Save Browser, you will not be asked to authenticate with your YubiKey NEO on this browser again (depending on your settings in Google Chrome).
Congratulations! You can now log in to Facebook on your Android device using your YubiKey NEO with NFC enabled!
Useful Tips and Information
- For better security, we recommend removing your phone number to stop receiving text messages (SMS) for login approvals. You can replace it by adding both a security key and Code Generator to your Facebook account.
- Your security key can be used with other websites while also being used for your Facebook account.
- Currently, you can't use a security key to log into the Facebook App for Android or iOS.
Frequently Asked Questions
- How can I use my YubiKey to log into Facebook on my iOS device?
- When I log in to Facebook, why am I not prompted to use my Security Key or YubiKey every time?
- What happens when I want to log in from an unsupported browser (such as Internet Explorer, Edge, or Safari)?
- Why are Security Keys more secure than the current SMS method I am using with Facebook?
iOS currently does not support the U2F protocol over USB or NFC, so a backup authentication method must be used to log in to your Facebook account. We recommend that you use Google Authenticator. (Note: The FIDO U2F Security Key by Yubico is not compatible with Google Authenticator.)
When you logged in the first time, and used your Security Key or YubiKey at that time for two-factor authentication, you selected the option to Remember Browser. This is a feature that Facebook is using with the built-in capabilities of your browser. A cookie is issued after you have authenticated, and it’s used to remember that you have logged into Facebook previously. To force the requirement to use your Security Key or YubiKey when you login each time, go to Settings > Security > Login Approvals, Recognized Devices, and remove the browser you are currently logged in with.
Mozilla is currently building support for U2F and Microsoft is working within the FIDO Alliance to bring support to Edge and Windows 10. For now, you can use backup codes from Google Authenticator or Yubico Authenticator, for two-factor authentication if your browser isn’t Google Chrome or Opera. Here is how to use Yubico Authenticator together with a YubiKey to get one-time codes that work with various services.
Security Keys are based on FIDO U2F, using public key crypto and with native support in the browser. FIDO U2F is developed to protect against phishing and man in the middle attacks. SMS is a commonly-used backup option but is susceptible to both man-in-the-middle and phishing attacks. This is further validated by National Institute of Standards and Technology (NIST), that no longer recommends SMS as highlighted in section 188.8.131.52 in the latest draft of its Digital Authentication Guidelines.