Facebook Just Made Login Way More Secure
To get ahead of the phishing fad—in which thieves poach people’s passwords—Facebook on Thursday added a new login option to its site: security keys. They’re not mandatory, but are advisable depending upon how secure you prefer to be.
These pieces of hardware act much like analog keys that a person might use to open, say, a bolted door. The only difference is that, in this case, the physical keys use electronic communication and cryptography, the science of code-making, to unlock digital accounts.
Cybersecurity experts widely recommend security keys as one of the best forms of protection against hacking. Beyond a password, pros endorse what’s known as a “second factor,” or additional login code. This often takes the form of a secret message texted to the account holder’s phone, or a number generated by, well, a random number generator app.
Security keys take that second factor one step further. As a separate, dedicated piece of hardware that’s ideally held only by the account holder, a key ensures that only the person in possession of it (and the password) can access the accounts it protects.
“This is about giving people more options to protect their accounts and to find the choice that’s right for them,” says Brad Hill, a security engineer at Facebook (FB), in an interview with Fortune. Personally, he advocates for the keys: “If you use a security key, you’re pretty much completely immune to any kind of attack like phishing.”
The key’s technology performs similarly to another technology with which many consumers are now familiar: chip-enabled credit cards. Whereas chip cards authorize transactions through payment processors, the keys authenticate people by sending unique codes through web browsers to the websites in question.
There’s a difference though. If a person uses the same credit card at a bunch of stores, those retailers can identify the person associated with that card. A security key creates unique, independent codes for each online service, making it infeasible to suss out who’s who.
In practice, Hill says, “Google and Facebook can’t tell that you’re the same person.”
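The two properties described above, per-site keys that cannot be correlated and signatures that only work for the site that registered them, are what give U2F its phishing resistance. The following is an added illustrative model written for this article, not Facebook's, Yubico's or the FIDO Alliance's code: a software stand-in for a security key that mints a separate P-256 key pair for every site ("app ID"), signs a server challenge bound to that app ID and a counter, and refuses to sign for any origin other than the one a key handle was registered for. The app IDs and challenge bytes are constructed sample values; real U2F devices derive keys inside tamper-resistant hardware and follow the FIDO wire formats, which this model simplifies.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Registration is what a website stores after enrolment: an opaque key handle
// and the public half of a key pair that exists for this one site only.
type Registration struct {
	AppID     string
	KeyHandle string
	PublicKey *ecdsa.PublicKey
}

// Assertion is the key's answer to a login challenge.
type Assertion struct {
	Counter   uint32
	Signature []byte // ASN.1 DER ECDSA signature over signedData(...)
}

type credential struct {
	appID   string
	priv    *ecdsa.PrivateKey
	counter uint32
}

// Authenticator models the hardware key: private keys never leave it, and a
// credential is only usable for the origin it was created for.
type Authenticator struct {
	creds map[string]*credential
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{creds: make(map[string]*credential)}
}

// Register mints a fresh key pair for appID. Because each site receives its
// own public key, two sites cannot tell they are talking to the same key.
func (a *Authenticator) Register(appID string) (Registration, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Registration{}, err
	}
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return Registration{}, err
	}
	handle := hex.EncodeToString(raw)
	a.creds[handle] = &credential{appID: appID, priv: priv}
	return Registration{AppID: appID, KeyHandle: handle, PublicKey: &priv.PublicKey}, nil
}

// signedData binds the signature to the origin, an increasing counter and the
// server's fresh challenge, so it cannot be replayed or relayed elsewhere.
func signedData(appID string, counter uint32, challenge []byte) []byte {
	appHash := sha256.Sum256([]byte(appID))
	chalHash := sha256.Sum256(challenge)
	ctr := make([]byte, 4)
	binary.BigEndian.PutUint32(ctr, counter)
	buf := append(append(append([]byte{}, appHash[:]...), ctr...), chalHash[:]...)
	h := sha256.Sum256(buf)
	return h[:]
}

// Sign answers a challenge for appID. The browser, not the user, supplies the
// origin, so a look-alike domain receives an error instead of a signature.
func (a *Authenticator) Sign(appID, keyHandle string, challenge []byte) (Assertion, error) {
	c, ok := a.creds[keyHandle]
	if !ok {
		return Assertion{}, errors.New("unknown key handle")
	}
	if c.appID != appID {
		return Assertion{}, fmt.Errorf("key handle registered for %s, not %s", c.appID, appID)
	}
	c.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, c.priv, signedData(appID, c.counter, challenge))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{Counter: c.counter, Signature: sig}, nil
}

// Verify is the website's check: valid under its stored public key, for its
// own origin, this counter and this challenge.
func Verify(reg Registration, challenge []byte, as Assertion) bool {
	return ecdsa.VerifyASN1(reg.PublicKey, signedData(reg.AppID, as.Counter, challenge), as.Signature)
}

func main() {
	key := NewAuthenticator()
	fb, _ := key.Register("https://facebook.example") // constructed app IDs
	gg, _ := key.Register("https://google.example")
	fmt.Println("same public key at both sites?", fb.PublicKey.Equal(gg.PublicKey))
	challenge := []byte("constructed-server-challenge")
	as, _ := key.Sign(fb.AppID, fb.KeyHandle, challenge)
	fmt.Println("genuine site verifies:", Verify(fb, challenge, as))
	_, err := key.Sign("https://faceb00k.example", fb.KeyHandle, challenge)
	fmt.Println("look-alike origin:", err)
}
```

The origin check inside `Sign` is the whole point: a user who types a password into a look-alike site still hands over that password, but the key never produces a usable signature for it, and the distinct per-site public keys are why, in Hill's words, the two services cannot tell you are the same person.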
Security keys have some advantages compared to SMS messages, a common second factor option. Firstly, SMS messages can be intercepted by sophisticated attackers. This is more than a theoretical attack; the Black Lives Matter activist DeRay Mckesson lost his account to hijackers this way last year.
Furthermore, as Hill explains, a key can suffice when a person is unable to receive SMS text messages—say when your phone is dead, you’re traveling abroad, or you’re onboard a flight.
In tandem with Facebook’s decision to adopt security keys is the company’s backing of the tech that makes them work: the “universal second factor” protocol, an authentication technology initially developed by Google (GOOG) and a much smaller company, Yubico, that manufactures keys.
The “U2F” protocol, as it’s abbreviated, has since been placed under the auspices of the FIDO Alliance—a group of big corporations including Microsoft (MSFT), Samsung (SSNLF), PayPal (PYPL), and Intel (INTC)—that collaborate on ways to make sign-ins safer and easier online.
Right now, the security key has a few limitations. People have to plug the device into a laptop or desktop via a USB port and sign on from a Chrome or Opera web browser. For mobile devices, people have to buy a key that supports near-field communication, a wireless tech that involves radio waves. Additionally, these more advanced keys work only with near-field communication-capable Android devices, where people sign on from the Chrome or Opera mobile web browser rather than directly via the Facebook app.
People can always fall back on SMS messages or app-generated second-factor codes when using a phone, too.
If you’re interested in setting up a security key to protect your account, buy one online at your favorite ecommerce shop and then go to your Facebook “settings.” Click on “security,” and you’ll see an option for “security keys.” Simply select “add key” and you’re off to the races.
Other companies that support security keys include Google, Github, Dropbox, and the password manager Dashlane.