Securing Salesforce account with Token2 Security keys

Follow the instructions below to protect your Salesforce Account with Token2 FIDO Security keys. If you do not have a FIDO key, or you cannot use a USB port, or this option is not enabled for your organization, you can still use a hardware token to protect your Salesforce account. See our instructions here to learn how to use Token2 programmable TOTP tokens to protect your account.

Requirements 

• Admin access to enable security keys for the Salesforce organization (not required if security keys are already enabled)
• Modern browser supporting security keys
• A Token2 FIDO security key; both first generation (U2F) or second generation (FIDO2) can be used

Enable security key in your Salesforce org

Login to your Salesforce org using an administrative account, select Setup an then navigate to Settings ⟶ Security ⟶ Session Settings .

In the Session Settings page, enable 'Let users verify their identity with a physical security key (U2F)' option and save the changes.

Registering a security key for user accounts

After the Salesforce admin has allowed the use of Universal Second Factor (U2F) security keys, users can enroll their  own security key to connect it to their accounts. Anytime a user is challenged to verify the identity, including multifactor authentication (MFA) and device activations, he/she can insert the enrolled security key into the appropriate port on the computer or mobile device to complete the verification. 

• Have your U2F-compliant security key in hand so that you’re ready to insert it when prompted. If you wait too long, your registration attempt can time out.
• Click on your user avatar (right top corner) and select Settings
  
  
  
• From the user settings page, click on 'Advanced User Details', then on the right window, find Security key (U2F) 
  
  
  
  
• Click Register next to the Security Key (U2F) field. If you don’t see this option, your Salesforce admin has disallowed the use of security keys (refer to the previous section)
• For security purposes, you’re prompted to log in to your account.
• At the prompt, insert your security key into the appropriate port on your computer or mobile device. If it has a button, touch the button.
  
  
  
  
• After successful registration, click Continue to dismiss the confirmation message.
  
  
• To help keep your account secure, Salesforce will send an email notification after successful registration
  
  

Now the account ready to use this identity verification method. When Salesforce prompts you for your U2F security key, insert it, and touch the button if it has a button. The security key generates the required credentials, and the browser passes them on to Salesforce to complete the verification.