Everything You Need to Know About Hardware Security Keys

If your passwords are weak you’re probably going to get hacked and as it turns out passwords kind of suck. Firstly they can be easily broken and even if you don’t use a weak password chances are you share it across multiple accounts. In fact, according to LastPass, the average person has 85 online accounts all of those should have separate passwords but chances are you’re probably reusing passwords across accounts and if a hacker gets one password suddenly they get access to a bunch of your accounts this is called credential stuffing where hackers test one password on every website they can think of.

Maybe they want to access your online banking account, maybe they want to take free rides on your uber account, maybe they want to steal your entire identity but suddenly one password has unlocked a lot more than you counted on so that’s where two-factor authentication comes in.

The idea behind the two-factor is pretty simple you use something you know your password with, something you physically have like your phone that means the first time you log in from a new device you’ll need your password but you’ll also need a code which is either generated in an app on your phone like Google Authenticator or it’s sent to you via text. While it’s more secure than just a password, getting a code texted to your phone isn’t actually the best option either, it’s surprisingly easy for someone to remotely steal your phone number and move it to a new device, it’s called sim swapping but what if I told you there was a key to outsmarting hackers like a literal key, it’s called a hardware security key.

Why Do You Need a Security Key?

While robust passwords go a long way to securing your valuable online accounts, hardware-based two-factor authentication takes that security to the next level. Being sensible when it comes to passwords is important, and a crucial step to securing your online life.

However, some of your online accounts — for example, your Google Account or Dropbox — might be so important and contain such a wealth of information that you might want to take additional steps to protect them. There’s no better way to secure your online accounts than to use hardware-based two-factor authentication (2FA).

Security keys are easy to use, put an end to phishing attacks, cheap, and are less hassle and much more secure than SMS-based two-factor authentication. And the good news these days is that you can get security keys in a variety of formats: USB-A and USB-C, Lightning for iPhone users, and even keys that use Bluetooth.

What are Hardware Security keys?

Also called a “dongle,” it is a software copy protection device that plugs into the USB port of the computer. Upon startup, the application looks for the key and will run only if the key contains the appropriate code.

A hardware key is a small piece of hardware that generally connects to a laptop or desktop computer through a USB (Universal Serial Bus) connection. The hardware key is a general term for several kinds of items. Traditionally, the hardware key was used to authenticate a client for a piece of software.

Hardware-based security keys provide a fast, no-fuss way to use two-factor authentication without having to mess around with your phone. They are based on the FIDO U2F (Fast Online Identity — Universal 2nd Factor) standard, a security protocol that is difficult to intercept; it was developed by Google and security company Yubico and is now administered by the FIDO Alliance.

While Yubico helped develop the standard, it is not the only company that produces security keys, so it’s wise to shop around. A lot of what makes buying a security key tricky is first figuring out which device(s) you plan to use it with. Yubico offers different keys for devices with USB-A, USB-C, or NFC connections, while Google offers one that uses Bluetooth. You should also check out whether your apps support the U2F standard. (Yubico has a list of apps that work with its key; since most keys use the same standard, they should also work with those services.

Best Security Keys Available

Although there are numerous companies out there that have made their own security keys that work with different apps, services, and platforms. Here are some of the best security keys available out there.

Yubico YubiKey 5 NFC

YubiKey 5 NFC — which uses both a USB-A connector and wireless NFC — is the best key for logging into your online accounts, services, macOS computers, Android devices, and the iPhone 7 and up. I’ve never had any issues using it in a USB-A port, or with a mobile device using the NFC feature. The YubiKey 5 NFC supports a plethora of security standards, including OTP, Smart Card, OpenPGP, FIDO U2F, and FIDO2.

The key itself is “made in the USA and Sweden,” and comes packaged in simple cardboard and plastic container. It has a single, easily identifiable gold disk for you to press when you want to confirm your sign-in and includes a keyhole ring to use with a keychain so you don’t lose your valuable security key. It’s also incredibly durable, waterproof, and crush resistant. I’ve been carrying this key around in my pocket, attached to a keychain, and bouncing around inside my backpack, and it hasn’t had any noticeable damage.

Yubcio sells the individual YubiKey 5 NFC keys individually, as part of a two-pack, a 10-pack, or a whole set of 50 if you need that many security keys for a team. It’s proven itself to work for logging into my social media and email accounts time and time again. This is definitely the best key for most users — my only complaint is that Yubico doesn’t sell a similar version for USB-C.

Titan Security Key

Made by Google, this product is made up of two devices that, when used correctly, make it significantly harder for bad guys to break into your online accounts by requiring both a password and a physical key to log in to a website, service, or app.

As you can see in the image, Titan Security Key is not one device, but two: a slim USB key and a Bluetooth-powered key fob. Both the Bluetooth and USB-A keys are compliant with the FIDO Universal Two-Factor standard (U2F). This means they can be used as a 2FA option without additional software. This is the only protocol supported by the Titan keys, meaning they can’t be used for other authentication purposes.

Some of the key features of Titan Security Key includes:

• Provides phishing-resistant two-factor authentication (2FA) devices that help protect high-value users and works on cryptographic proof that users are interacting with the legitimate service that they originally registered their security key with and that they are in possession of their security key.
• Works with popular devices, browsers, and a growing set of apps that support FIDO standards. This ensures that users can have a seamless experience across a variety of platforms and services.
• Designed with a focus on user privacy, ensuring that no personal data is shared or stored on the key. The sole purpose of the Titan Security Key is to verify the authenticity of the user.
• Built with a secure element hardware chip that includes firmware engineered by Google to verify the key's integrity. This ensures that even if the physical key is tampered with, it cannot be used maliciously.

Other Contenders There are other security keys that I tested alongside the USB-A and USB-C winners. Some of these keys have other connectivity options and additional functions, adding more features to an already specialized product.

The Kensington VeriMark Fingerprint Security Key

Functions both as a Windows Hello fingerprint scanner and a U2F security key. However, it requires downloading a software driver to use the fingerprint feature, so it’s less user-friendly out the box and requires additional setup to use all of its capabilities.

Thetis Fido U2F Security Key

Designed with a 360-degree rotating metal cover that shields the USB connector when not in use. Also, crafted from a durable aluminum alloy to protect the Key from drops, bumps, and scratches.

FIDO2 key is backward-compatible with U2F protocol and works with the newest Chrome browser with operating systems such as Windows, MacOS, or Linux. U2F can be supported and protected on all websites that follow U2F protocols.

CryptoTrust OnlyKey OnlyKey has some nifty features its rivals lack. Thanks to an onboard keypad that can bypass keyloggers that find their way onto computers, it can keep online accounts safe in the event that a computer or website is compromised. It supports multiple methods of 2FA including FIDO 2 U2F, Yubico OTP, and TOTP.

It also offers features such as encrypted backup, self-destruct (which wipes the device after a certain number of incorrect attempts), and the ability to update the firmware in order to access new features.

uQontrol Qkey Password Vault This security key from Qkey one-ups other offerings by using three-factor, military-grade authentication security. This comes in the form of a physical security key with a security chip, in addition to a master password that gains access to the key, and a smart sensor that confirms the user is physically present.

HyperFido K18

If you are prioritizing solid build quality above all else in your security key, this model from HyperFIDO is as tough as they come. It’s constructed with a near-indestructible titanium metal chassis that attaches to a keychain and features a single button and LED to indicate active status. Also, it only offers support for the U2F protocol and FIDO 2, meaning UAF and OTP do not feature.

Bottom Line

Security codes sent by text messages have their own set of issues, and although authenticator apps are preferable to SMS, security keys provide the strongest protection against phishing attacks. For example, if you were to click on a spoofed website link sent to you in a text message, an attacker controlling that site may get your username, password, and authentication code after you type it all in — but that can’t happen with a physical key. Plus, security keys are easier to use on a computer than fussing with your phone.

So grab yourself one of these if you want an extra layer of security for your online life.