Skip to main content

Security Keys for Hackers

Hackers: Learn how to set up, manage, and use security keys for 2FA

Updated today

Overview

Security Keys (WebAuthn) provide the highest level of account security by using physical hardware devices or built-in authenticators (such as Touch ID or Face ID) for two-factor authentication.


This document explains how users interact with security keys within our platform.

🔑 What Are Security Keys?

Security keys are physical or built-in authentication devices that provide strong, phishing-resistant two-factor authentication.

Examples include:

  • Physical devices: YubiKey, Google Titan Key, FIDO2 USB/NFC keys

  • Platform authenticators: Chrome’s built-in security (Windows/Mac), Safari’s Touch ID integration (macOS/iOS), Microsoft Edge (Windows Hello integration), and Mozilla Firefox (supports WebAuthn on all major platforms with standard security prompts).

Adding (Registering) a Security Key

Existing User Journey

Existing users who already have an account and Two-Factor Authentication (2FA) enabled can register one or more security keys for added login protection.

  1. Log in using your standard credentials and complete 2FA verification(currently authenticator app).

  2. Navigate to User settings → Account security → Security keys.

  3. Click Add new key.

  4. A modal window opens prompting you to enter a key nickname.

    • Example nicknames: YubiKey Office, iPhone Touch ID, MacBook Touch ID.

  5. Click Continue.

  6. The browser displays a security prompt based on the selected authenticator type:

    • Physical key: Insert and touch the key.

    • Touch ID: Place your finger on the sensor.

    • Face ID: Look at the camera.

  7. Once verified, the system confirms successful registration.

  8. The newly added key appears in the Security keys list within the account settings.

New User Journey

New users can register their first security key during initial setup if their 2FA feature flag is enabled.

  1. Sign up and complete the email verification process.

  2. After verification, you are redirected to the Sign-in page.

  3. If the 2FA feature flag is enabled for your account, you are prompted to set up Two-Factor Authentication on the Setup 2FA page.

    1. Note: If the 2FA flag is disabled, the new user flow remains the same as the current one, i.e., register on the authenticator app.

  4. Choose between the available 2FA options:

    1. Add an Authenticator App

    2. Add a Security Key

  5. To register a security key, click Add a security key.

  6. A modal window opens prompting you to enter a key nickname.

    1. Example nicknames: YubiKey Office, iPhone Touch ID, Windows Hello.

  7. Click Continue.

  8. The browser displays a security prompt depending on the authenticator type:

    1. Physical key: Insert and touch the key.

    2. Touch ID: Place your finger on the sensor.

    3. Face ID: Look at the camera.

  9. Upon successful activation, the system confirms the registration.

  10. You are automatically redirected to the Home page with your security key successfully added to your account.

System Constraints

  • Maximum 5 security keys per account

  • Each key must have a unique nickname per account

Business Benefits

  • Strongest authentication method

  • Phishing-resistant and cannot be intercepted

Deleting (Removing) a Security Key

  1. Go to User settings → Account security → Security keys

  2. View the list of registered security keys

  3. Click Remove next to the desired key

  4. Confirm deletion in the dialog

  5. The key is immediately removed

  6. Updated list shown in the interface

Post-Deletion Behaviour

If a user deletes their last remaining security key and has no other active 2FA method configured, they are automatically redirected to the 2FA Setup Page.

On that page, the user must configure a new Two-Factor Authentication method (such as an authenticator app or another security key) before continuing to access their account.

This safeguard ensures that the user always maintains at least one active 2FA method for secure authentication.

Using Security Keys for Authentication

During Initial Login (2FA Verification)

  1. Enter username and password

  2. The system displays authentication options based on the user’s enabled methods.

    • If the user’s 2FA flag is enabled and they have opted for both TOTP (authenticator app) and Security Key, both options Use authenticator app and Use security key will be shown.

    • If 2FA is disabled, the login flow proceeds as it does now.

    • If the user has enabled only one method (for example, Authenticator App), then only that option will be visible during login.

  3. Select Use security key

  4. Browser prompts for activation:

    • Physical key: Insert and touch

    • Touch ID/Face ID: Use biometric

  5. System verifies key signature

  6. User gains access

Related Articles
Two-Factor Authentication
2FA FAQs for Researchers
2FA FAQs for Organizations
Hai for Hackers
Security Keys
Did this answer your question?