A security key can be built into your phone, or can be an external physical key, just as you would have for your house or car. Whether it’s your phone or an external physical key, you have an object in your possession that a hacker isn’t likely to have, even if they know your password.
Advanced Protection requires a security key when you sign in to your account on a new device (or on your phone, if you sign out and then back in again). Accounts that require keys are much safer from attacks than accounts that only require a password.
You’ll need at least one security key to enroll in Advanced Protection, and we strongly recommend adding a second key as a backup during, or very soon after enrollment.
The security key built into your phone
The most convenient security key is the one built into your phone — software that allows your phone to act as a security key. We recommend this as your primary account key.
This built-in key can detect when the device you’re signing in on is nearby, which means it’s likely that you’re the one signing in. Unauthorized users might be able to get your password, but are much less likely to have your phone nearby when they try to sign in to your account from another device.
External physical keys
Your second, backup key will be an external one. This key will keep you from getting locked out of your account if you lose your phone (or other primary key).
There are many kinds of external keys. You might plug a USB key into your phone to sign in, keep a Bluetooth key nearby, or hold an NFC key close to your phone when you sign in.
You can purchase Google’s Titan Security Key or any key that supports the FIDO open standard. You’ll also have an opportunity to view recommended keys during enrollment.
If you don’t have a phone running Android 7 or later, or iOS 10.0 or later, you won’t be able to use your phone as one of your security keys. You’ll need to purchase an external key as your primary key in order to enroll. You should still order a second one as your backup.