WordPress.com supports login verification with virtual and physical security keys using the WebAuthn standard. This guide will show you how to add and remove security keys.
After entering your password, you can add an extra layer of security with two-step authentication by entering a code sent via SMS or generated by an app like Google Authenticator. Instead of that code, you can use a security key, which can be:
- Virtual: Approve sign-in via your device’s fingerprint ID, face unlock, or password (also called passkeys).
- Physical: Plug in a USB key and press a button on that key to complete the verification and log in to your account.
Security Key Authentication is more secure because no one can log into your account without that physical key, even if they know the password. Your key is tied to the website/app it was created for (in this case WordPress.com), so you can’t be “phished” into using your key on a fake site.
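To illustrate why a key registered for one site cannot be used on a lookalike, here is an added example (not WordPress.com's own code) of the origin and relying-party ID checks a WebAuthn server performs on a sign-in response. The RP ID `wordpress.com`, the origin, the lookalike host name and the challenge value are assumptions constructed for illustration, and signature verification is omitted to keep the focus on the site binding.

```python
import hashlib
import json
import struct

RP_ID = "wordpress.com"                    # assumed relying party ID
EXPECTED_ORIGIN = "https://wordpress.com"  # assumed origin of the real login page


def make_assertion(origin, rp_id, challenge):
    """Build constructed sample data shaped like a WebAuthn sign-in response.

    The browser (not the page) writes the origin into clientDataJSON, and the
    authenticator puts SHA-256(RP ID) at the start of authenticatorData.
    """
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    ).encode()
    flags = 0x01  # UP bit: user pressed the button or passed the biometric
    auth_data = hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, 1)
    return client_data, auth_data


def check_binding(client_data, auth_data, challenge):
    """Return (ok, reason) for the origin and RP ID checks only."""
    data = json.loads(client_data)
    if data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if data.get("challenge") != challenge:
        return False, "challenge mismatch"
    if data.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch"
    if len(auth_data) < 37:  # 32-byte rpIdHash + 1 flag byte + 4-byte counter
        return False, "authenticator data too short"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


if __name__ == "__main__":
    ch = "Y29uc3RydWN0ZWQ"  # constructed challenge value
    for origin, rp in [("https://wordpress.com", "wordpress.com"),
                       ("https://wordpress-login.example", "wordpress-login.example")]:
        print(origin, check_binding(*make_assertion(origin, rp, ch), ch))
```

A response produced on the lookalike host fails at the origin check, and one scoped to a different RP ID fails at the rpIdHash check, so a stolen password plus a fake login page is not enough to complete the second step.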
Before you get started, set up two-step authentication with SMS or an authenticator app.
After setting up two-step authentication with an app or SMS, take the following steps:
- Click on your profile at https://wordpress.com/me.
- On the side, select the Security menu option.
- Click on “Two-Step Authentication”.
- Under “Security Key,” click on the “Register key” button.