How To Setup & Use Passkeys on Yubikey & Your Phone! - Full Walkthrough

Today we’re setting up passkeys with a hardware key! Now that I’ve posted several videos explaining what passkeys are and how they work, it’s time to show you how you can set them up. If this is your first time hearing about passkeys, which will be the future of logging in, then I highly recommend that you check out my playlist - it’s short, only a few videos long - but that playlist explains what they are, how they work, compares the pros and cons to passwords and 2FA, and I also answered all the most common questions about them.

This video is in partnership and sponsored by Yubico, and I’m glad I get to work with them on this series because not only have I used their hardware keys for years for 2FA, but I can also use the same exact key for my passkey setup. If you don’t own any hardware keys yet, but you want to upgrade your security with either multi factor authentication or passkeys (or both!) then stick around for my special coupon code, which will give you a discount off any of the keys shown in this video and many more on their site.

Sites are continuously adding passkey support, so if you’re curious if a site you use supports them, you can either go to the site in question and check your security settings or you can visit passkeys.directory to see which sites currently support them. I don’t know how often this site is updated but I did see some added in August of 2023, just weeks before I recorded this video.

Today we’ll set up a passkey on eBay, then Google. Again, remember that this is a relatively new feature for consumer account protection online, so right now finding a site that uses passkeys is going to be hit or miss. Some sites do say they support passkeys but the implementation is a little glitchy, so for those sites I would recommend setting up 2FA instead.

I’ll show you how to set up a hardware bound passkey with my Yubikey, and then I will show you how to set up a passkey that is bound to your phone.

On eBay: Go to account settings, then choose sign in and security. Find the section near the bottom that says “Security key sign in”. From this setting, choose turn on, then go through the on screen directions to enable the passkey. In this case, I’m on a Windows machine so a prompt will pop up asking me if I want to use Windows Hello or a security key or some other options. I’ll click security key, click ok twice, then plug in my Yubikey. If I’ve never set up a PIN for this Yubikey, then it’ll ask me to create one. Once created or entered, touch the metal pad on the Yubikey to verify you actually have it in hand, then the site will register the key. Now when you sign in, you can use the Yubikey instead of a password to sign in.

Now, what’s up with that PIN? That PIN belongs to the hardware key, not the website. So whenever you plug in the Yubikey to authenticate on a site, the Yubikey needs to be “unlocked” with your PIN, then you can tap it to tell the website that you actually have the key in hand.
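For the curious, here is what the website's side of that looks like. This is an added example, not code from the video, eBay or Yubico: it parses the fixed header of the WebAuthn "authenticator data" a key sends back, where the touch and the PIN unlock show up only as two flag bits. The domain `example.com`, the function names and the accept/reject policy are assumptions, the sample bytes are constructed, and the signature and challenge checks a real site also performs are left out.

```python
import hashlib
import hmac

FLAG_UP = 0x01  # user present: the touch on the key's metal pad
FLAG_UV = 0x04  # user verified: PIN (or biometric) checked on the key itself


def parse_authenticator_data(data: bytes) -> dict:
    """Split the fixed 37-byte header: rpIdHash(32) | flags(1) | signCount(4)."""
    if len(data) < 37:
        raise ValueError("authenticator data too short")
    flags = data[32]
    sign_count = int.from_bytes(data[33:37], "big")
    return {
        "rp_id_hash": data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "sign_count": sign_count,
    }


def check_sign_in(data: bytes, rp_id: str) -> str:
    """Hypothetical site policy: right site, key touched, key unlocked."""
    parsed = parse_authenticator_data(data)
    expected = hashlib.sha256(rp_id.encode()).digest()
    if not hmac.compare_digest(parsed["rp_id_hash"], expected):
        return "reject: response was made for a different site"
    if not parsed["user_present"]:
        return "reject: key was not touched"
    if not parsed["user_verified"]:
        return "reject: key was not unlocked with PIN or biometric"
    return "accept"


def build_sample(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed test input, not captured from a real key."""
    header = hashlib.sha256(rp_id.encode()).digest() + bytes([flags])
    return header + sign_count.to_bytes(4, "big")


if __name__ == "__main__":
    for label, sample in [
        ("PIN + touch", build_sample("example.com", FLAG_UP | FLAG_UV, 7)),
        ("touch only", build_sample("example.com", FLAG_UP, 8)),
        ("other site", build_sample("examp1e.com", FLAG_UP | FLAG_UV, 9)),
    ]:
        print(label, "->", check_sign_in(sample, "example.com"))
```

Notice there is no PIN field anywhere in those bytes: the site only learns that the key says it was unlocked and touched.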

In the case of eBay, the site will still have a password registered in the event you need to sign in on a device that doesn’t support passkeys, so make sure your account still uses a strong password and 2FA.

Running through signing in: I go to ebay.com and choose sign in. Since I use a password manager, you’ll see a password autofill there, but we’ll click Sign In with a security key, and it’ll ask for that PIN I set up. Input the PIN, tap your Yubikey, and you’re signed in.

As I mentioned before, my viewers have access to a sweet deal through Yubico so you can use it as a passkey, which will get you $5 off the purchase of any series 5 Yubikeys with the coupon code SHANNONMORSE at checkout. That can save you some money, and you’ll be buying a product that can not only be used as a passkey but also as a multi factor authentication device for tons of websites. That’s code SHANNONMORSE for $5 off and you can use the link below to snag one (or two!) right now. Thank you to Yubico for sponsoring this video!

Google has implemented support for both hardware keys as well as smartphone passkeys. That means you can either use a Yubikey or your smartphone to authenticate whenever you sign in on a new machine. So, to set up your smartphone to work as a passkey:

Go to g.co/passkeys on a supported device. That can be:

  • A laptop or desktop that runs at least Windows 10, macOS Ventura, or ChromeOS 109

  • A mobile device that runs at least iOS 16 or Android 9

  • A hardware security key that supports the FIDO2 protocol

If you’ve been using your Google account for a while, you may notice Google already created a passkey for a device that you own. You can manage those devices by clicking on Manage Devices and removing any that no longer need to be registered.

Google reminds you up at the top to only create passkeys on devices that you own. If you don’t want someone signing into your account on a shared device, don’t make a passkey on that device.

To enable the use of passkeys, click on Use Passkeys. A little prompt will be displayed saying you can now use your passkeys to sign in. Cool!

Way down at the bottom, if you’ve already set up hardware keys on this account, you’ll see them listed there. Below that is a button that says Create a Passkey. Click on that button. If your machine isn’t supported, you’ll see a prompt that says you can’t create a passkey on that device. If your device is supported, then you can follow the on screen prompts to create a passkey with your hardware key. At this point in time, several users have reported having issues with this option - which seems to be a problem with Google. Myself included: Google was having problems letting me sign in when I tried to create a Passkey. So we’re going to use the smartphone passkey for my account.

If you sign into your account on a supported smartphone, then Google will automatically make that smartphone a passkey for your account. So under your account settings, go to Security, then choose Passkey. If it asks you to sign in, go ahead and sign into the Passkeys page. This is where you can manage those passkeys as needed. So now I’m going to try and sign in on my Windows PC. I input my email, then instead of asking me to put in a password, it says “use your passkey to confirm it’s really you”. So click Continue. On a supported desktop, you’ll see a popup that says “Use Your Passkey” then you can choose the device that has the passkey for google.com. In my case, it’s a few options down. So I click on that device and it says “Check your device”. Going back over to my smartphone, there’s this new notification that pops up saying “Verify your identity: your computer wants to use this device to sign in to a site”. Click it, then click allow, and it will say “Connecting To Your Device”. Place your phone close to your computer, then it’ll pop up a fingerprint prompt (or FaceID scan), where you will authenticate your biometrics, and the prompt will go away. Back over on my computer, when it sees that handshake from my phone, it automatically signs in.

That looks like a lot but let’s do it again without the walkthrough. Okay, so email is entered, click continue, choose my device, on my phone click on the popup prompt, hold it up near my computer, scan my fingerprint, and my Windows browser is signed in. That took about 10 seconds or so.

Some sites, like PayPal, have enabled passkey support but only for smartphones. These passkeys only work on iOS or Android devices and either through Safari or Chrome. So to set a passkey up on my Chrome browser, I first go to paypal.com in Chrome on my phone, then sign in with my normal email and password. Then, I click the 3 lines (the hamburger icon) and click the gear for settings and security. Choose Passkeys and this will open a prompt asking if you want to create a passkey. This uses the same biometrics you use to unlock your phone (like your FaceID or fingerprint).

https://www.paypal.com/myaccount/security/

My PayPal app is set up so screen recording isn’t allowed in the app. So sorry for the handheld shakycam here. To sign into your PayPal app, just choose sign in with fingerprint, and this’ll use your smartphone passkey to sign you in. It takes mere seconds.

Many sites still don’t accept passkeys either in smartphone or hardware key form so in those cases, I’m opting to use the same Yubikey for multi factor authentication. In the event the sites also don’t support hardware keys for MFA, I’ll fall back to an authentication app.

I weirdly get super excited whenever I’m able to strengthen my online security and I feel soooo productive whenever I make these changes to my own accounts. I feel like I just completed some Korok puzzle in Zelda and I got a Korok seed. Pat yourself on the back because hearing about upgraded security and actually taking action and making the changes is an accomplishment! If you have questions about passkeys, leave them below. And subscribe because I have security content coming up every month! Bye yall!

Shannon Morse

Shannon Morse is an online video producer and host. She has reviewed hundreds of consumer tech products and produces easily understandable tutorials about security and privacy.

Shannon currently hosts Morse Code, Sailor Snubs, and Shannon Travels The World. Her tech channel is a leading source for practical and logical security and privacy information in today’s digital age.

https://www.shannonrmorse.com/