Security Key FAQ


What is this Security Key we keep hearing about?

A Security Key resembles a physical USB drive that connects with your device to prove identity and facilitate access to specific devices, online systems, and / or applications. It is a type of hardware security device that plugs into one of your computer's USB ports. It houses a small chip with all of the security protocols and code that allow it to connect with servers and verify your identity to ensure that you are the person actually accessing a site, system, and / or application. During authentication, it requires that you physically touch the Security Key to prevent remotely connected users from using your credentials. Request new or additional keys.

Should I take the Security Key with me? How fragile is the Security Key?

The Security Key is associated with a specific User account and should remain in control of that User whenever possible. It is important that the User have the Security Key physically available to insert and touch when performing an authentication, even if working from home or a remote office. Remember that if the User logs into Beastro from a location that does not have an allowlisted IP address already defined in Beastro, their access to screens to perform any money movement transactions will be unavailable. There is also a username and password that are required prior to using the Security Key, allowing for a layered security approach to reduce or eliminate risk.

The Security Key is crush-, water-, and wear-resistant, and is specifically designed to be attached to a key chain. We have been using Security Keys on keychains for several years and have yet to have to replace one due to damage. There is no battery in the Security Key. It gets all the power it needs from the computer when it is inserted. Having no battery increases the durability, as if the device were to get wet there is no electrical short that can occur.

Physical security keys? Isn't that going technologically backwards?

Physical Security Keys are actually the most secure version of two-factor authentication. With a Security Key, nobody can get into the accounts where it is used unless they have both your PIN and physical access to the key. The protocols used in the Security Key and our authentication methods (FIDO2) position us for the future, including passwordless secure login. To quote the FIDO2 alliance: "FIDO2 cryptographic login credentials are unique across every website, never leave the user's device, and are never stored on a server. This security model eliminates the risks of phishing, all forms of password theft, and replay attacks."

Physical security keys are also more widely accepted as a security device. For example, some credit unions, by policy, prevent staff from having a cell phone in the building. Some credit union staff may refuse to mix work and personal devices and thus will not install any work applications on their personal phone. Requiring a credit union to provide a phone to a staff member to access our application seemed unreasonable.

Are there any options other than Security Keys? Our security is tight and all computers have USB locked down.

That is awesome and definitely best practice. The USB lockdown performed by almost all credit unions is just for mass storage devices (thumb drives, etc.). Devices like keyboards and mice are also USB and should continue to work when USB lockdowns are in place. The Security Key is not a mass storage device so it should act just like a keyboard / mouse / webcam when it comes to USB lock down policies.

To provide a consistent and secure login experience, we have limited the login process to the Security Key. We have discussed alternative options and may implement them in the future as long as they adhere to the current FIDO2 / passwordless requirements. Alternative methods will likely require that Users have access to a smart phone during the login process to complete authentication.

Our USB ports are not easily accessible, and I don't have any extra ports for another device.

No worries! We don't want you to have to crawl under your desk just to touch your security key to access Beastro. Retailers such as Amazon, Best Buy, or office supply stores offer USB Hub extension cables. USB Hub extension cables offer additional USB ports attached to an extension cable, typically from around 3 feet in length to over 10 feet in length.

If the plan is to go passwordless with FIDO2, why must I enter an email address and password, as well?

We know that we are building our application to conform to the latest security standards and we are positioning ourselves for the future. However, we must also deal with the realities of today's limitations in technology and perceptions. Even with passwordless login provided by the Security Key, we must validate that a User is who they claim to be during initial enrollment. While a password is not required for FIDO2 passwordless validation, a password does add an extremely familiar authentication method to the process. Ideally, this calms fear or questions about a new authentication process without passwords that is unfamiliar to many Users. We are positioned to securely eliminate passwords in the future as the practice becomes mainstream and understood. In the short term we get the strong authentication provided by FIDO2 and the username and password that we are all familiar with.

What happens if I lose my Security Key?

A Security Key is required to authenticate to access the Beastro application. You may contact your Corporate to request a new one, acquire a new one on your own, or reuse a key from someone else who is no longer using it, such as a prior employee. Note that only one User can use a key at a time, and the key must be reset / erased when transferring use to a new staff member.

Help! I forgot my PIN for the Security Key!

If you have exhausted all other options of remembering the PIN, the only other option is to reset the Security Key. There are two parts that must be completed: one by a User Administrator in Beastro and one by you, the User. It does not matter which is completed first, but both parts must be reset prior to the next login attempt.

You, the User, may follow the instructions below:

  1. In Windows Search bar, type Sign-in Options
  2. Click Security Key
  3. Click Manage
  4. Follow on-screen directions
    1. Touch security key
  5. Under Reset Security Key click Reset
  6. Click Proceed
  7. Unplug security key
  8. Follow on-screen directions to plug in the security key
  9. Touch security key twice within ten seconds
  10. Click Done
  11. User will be prompted to create a PIN for and re-register the security key at the next login 

A User Administrator must also reset the Security Key within Beastro, as the application will still be expecting the certificates and IDs from the now-erased Security Key.

  1. Navigate to Member Details
  2. Select the Contacts tab
  3. Search for and select the contact
  4. Click the Reset Security Key button at the bottom of the page
  5. Click Reset Security Key in the pop-up
  6. User will be prompted to re-register the security key at the next login

Is there any software that needs to be installed on my PC for the Security Key or Beastro to work?

No special software is required for the Security Key or Beastro to function other than what is likely already installed on your PC, for example a modern web browser (Edge or Chrome). If you are exporting data, you may also need an office application such as Word or Excel. See the system requirements for specific details.

I move from device to device (workstation to workstation) throughout the day - can the Security Key move with me?

Yes! The Security Key is assigned to a User, not a device. In the past, our VIP software was most commonly installed on each device, and when you moved from device to device it could cause issues. That is not the case with the Security Key. It is assigned to the User and can be used for authentication on the device that the User is using. Note that the User must be directly connected to the device, as a Security Key will not work over a remote desktop connection.

Does the Security Key work over Remote Desktop or Terminal Server?

The security is built for the highest level anti-phishing capabilities possible. With that, the current operating system limitations dictate that the Security Key must be physically present in the device that is being used for authentication. If you are using a Remote Desktop or Terminal Server, you will see an error message as soon as you press the authenticate button after entering your valid username and password. It is required that you access the site from a local PC.

Does the Security Key read my fingerprint?

No. The Security Key just looks for capacitive touch to make sure you physically have access to the key. This is the same type of touch that is used to control the keyboard on your smartphone. Your body gives off a certain electrical signal that is used to ensure that you are human. When prompted, you can touch the Security Key with any part of any finger as part of the authentication process. This requirement is in place to prevent a hacker from being able to authenticate as you even if they had remote access to your computer.
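The FIDO2 quote earlier on this page (no phishing, no replay) and the touch requirement in this answer both become concrete checks on the server that receives the key's response. The following is an added example, not Beastro's code: a sketch of the non-cryptographic checks a WebAuthn relying party runs on a login assertion. The names `check_assertion` and `sample`, the origin and the RP ID are hypothetical, the inputs are constructed, and signature verification is left out because it needs a cryptography library.

```python
import base64, hashlib, json, struct

UP, UV = 0x01, 0x04  # authenticator-data flag bits: user present (touch), user verified (PIN)
# Constructed values for this example; a real server issues a fresh random challenge per login.
ORIGIN, RP_ID, CHALLENGE = "https://login.example.test", "login.example.test", bytes(range(32))
LOOKALIKE = "login.example-test.invalid"  # constructed look-alike host

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_assertion(client_data_json, auth_data, *, challenge, origin, rp_id, stored_count):
    """Return the names of failed checks; an empty list means all of these passed.
    Verifying the signature over auth_data || SHA-256(client_data_json) is a separate step."""
    failures = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        failures.append("type")
    if client.get("challenge") != b64url(challenge):
        failures.append("challenge")          # stale or replayed response
    if client.get("origin") != origin:
        failures.append("origin")             # response was produced for another site
    if len(auth_data) < 37:
        return failures + ["auth_data_length"]
    # Layout: 32-byte SHA-256 of the RP ID, 1 flag byte, 4-byte big-endian signature counter.
    rp_hash, flags, count = struct.unpack(">32sBI", auth_data[:37])
    if rp_hash != hashlib.sha256(rp_id.encode()).digest():
        failures.append("rp_id_hash")         # credential is scoped to a different RP ID
    if not flags & UP:
        failures.append("user_presence")      # key was not touched
    if not flags & UV:
        failures.append("user_verification")  # PIN was not entered
    if (count or stored_count) and count <= stored_count:
        failures.append("sign_count")         # counter did not advance: possible clone
    return failures

def sample(origin, rp_id, challenge, flags, count):
    """Build a constructed (client_data_json, auth_data) pair for the checks above."""
    client = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    auth = hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, count)
    return json.dumps(client).encode(), auth

if __name__ == "__main__":
    cases = {"genuine": sample(ORIGIN, RP_ID, CHALLENGE, UP | UV, 8),
             "look-alike site": sample("https://" + LOOKALIKE, LOOKALIKE, CHALLENGE, UP | UV, 8),
             "old response": sample(ORIGIN, RP_ID, b"\x00" * 32, UP | UV, 7),
             "no touch or PIN": sample(ORIGIN, RP_ID, CHALLENGE, 0, 8)}
    for name, (cdj, ad) in cases.items():
        print(name, check_assertion(cdj, ad, challenge=CHALLENGE, origin=ORIGIN,
                                    rp_id=RP_ID, stored_count=7))
```

Only the first case returns an empty list; each of the others is rejected before the signature would even be examined.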

My Credit Union already has a Security Key (YubiKeys or other similar brands) - can we use them for Beastro?

While we cannot speak to all brands of modern Security Keys, as long as the Security Key supports FIDO2, more specifically WebAuthn protocols, those Keys will work. While we have not tested the site with all of the YubiKey models, we have yet to come across one that does not work with the site. Please note that our support for that device may be limited as it is not used exclusively for our application. You may also use the provided security key for sites other than Beastro, if you wish. Note that we are unable to support you with sites other than those provided by your Corporate.

I have a Security Key from the Federal Reserve. Can I use that?

The Federal Reserve uses a more traditional smart card design that does not have the anti-phishing capabilities that we take advantage of in the more modern protocols. In other words, you may NOT use the Federal Reserve Security Key as part of the Beastro login process.

How come my Security Key is not recognized when I insert it into the computer?

Try flipping the Security Key over. It is possible to insert it upside down. If upside down, the metal contacts are not making contact with the computer contacts. If you are still having issues, please try it in a different computer or contact us for assistance.

Can I leave my Security Key in my computer all the time? If not, when should I insert it as part of the login process?

Technically, you can leave the Security Key in the computer all the time, but for security reasons we do not recommend it. The data on the Security Key is encrypted and you must enter the PIN to unlock it. Taking the Security Key out of the computer and keeping it with you prevents someone from trying to guess your PIN, or if they know your PIN, impersonating you within the system. It would be highly problematic if someone else were to perform unauthorized activities under your name. When you maintain control of the Security Key, you significantly reduce the risk of that occurring.

You can insert the Security Key at any point of the login process prior to it asking you to do so. You do not need to wait for the prompt. We have found that inserting the Security Key prior to entering your username and password is best so it is ready when required. The system will timeout if the Security Key is not inserted fast enough when expected.

You may remove the Security Key from the system after login has completed. There are a few activities that may require the Security Key to be re-inserted into the system, such as password changes, but you will be prompted to insert the Security Key if required.

Can Security Keys be reused?

Yes, Security Keys can be reused. In some cases, issuing a new Security Key may be preferred. Here are several considerations to keep in mind:

  1. Credential Management: Remove and reissue the credentials linked to the Security Key. If the Security Key has other credentials stored on it, ensure they are also removed to prevent unauthorized access.
  2. Tracking Systems: Update tracking systems to show the new user of the Security Key. Keep a record of who previously used it for efficiency.
  3. System Accuracy: Make sure all systems have the correct information.
  4. Certificate Management System (CMS): If you use a CMS to manage Security Keys, utilize it for the reuse process.
  5. Resetting the YubiKey: Allocate time to properly reset the Security Key. Reset instructions are below.

Basic Reset Instructions for Windows:

  • Open the Settings application via the Start menu.
  • Go to Accounts > Sign-in options > Security Key and click Manage.
  • Follow the prompts and click the Reset button.
  • Complete the on-screen instructions to reset your Security Key.