Security Keys
Last updated June 16, 2023
Security keys are small physical devices that are easy to use for multi-factor authentication (MFA) because there’s nothing to install and no codes to enter. If you’re unable to use a mobile device to log in to Heroku, security keys are an effective option.
Options for security keys include Yubikey or Google Titan Key.
Choosing a Security Key
You can use any USB, Lightning, or NFC security key that’s compatible with the FIDO WebAuthn (FIDO2) standard, including Yubico’s YubiKey or Google’s Titan Key.
Security keys require a supported browser such as Chrome™, Firefox®, Edge™, or Safari® to act as an intermediary between the key and Salesforce.
WebAuthn-compatible keys aren’t supported in non-Chromium versions of the Edge browser.
Heroku has verified security key functionality in multiple environments. To ensure compatibility, consult vendor documentation for specific questions related to security key support in your environment.
If you don’t have your primary method available, we strongly recommend that you configure a secondary MFA verification method such as recovery codes to avoid loss of access.
Registering a Security Key
To register a security key as an MFA verification method:
From Account Settings, select Setup Multi-Factor Authentication. Or if you already enable other verification methods, select Manage Multi-Factor Authentication.
On the next page, choose Add Security Key and follow the prompts to complete registration. Your registration experience can vary based on the browser and the form factor of the key in use. In general, registration involves these steps.
- To add a security key, click
Register. - When prompted, ensure that the security key is inserted in the appropriate port or connected via NFC, then activate it.
- Name your key, and complete registration.
MFA Verification with a Security Key
To log in with a security key:
- After entering your email and password, you’re prompted to verify your login with your security key.
- Insert or connect the key, then click
Verify. Your experience to complete logging can vary based on the browser and the key’s form factor.
