Key Takeaways

  • Two-factor authentication (2FA) is crucial for protecting online accounts and requires solving two identity tests with information only you would know.
  • Hardware security keys provide a physical dongle that replaces the second factor of authentication on your phone, offering enhanced protection against security breaches.
  • Various manufacturers produce hardware security keys that work with popular web browsers, apps, and online services, making them easy to use and relatively inexpensive for added account security.

If you have an account online somewhere that's only being protected by a password, no matter how good it is, it just isn't enough in this day and age. That makes how you handle two-factor authentication more important than ever.

However, if you feel a personal security breach might have an outsized impact on not just your life, but the lives of your family, friends, or company, you might need to consider getting a hardware security key if you don't already have one. We explain what a hardware key is and what your options on the market are.

What exactly is two-factor authentication (2FA)?

2fa-google-authenticator-setup

Two-factor authentication - also known as 2FA - means you need to solve two identity tests with information only you would know to gain access to an account.

For the first element, nearly every platform defaults to the standard password, but some of them are starting to support passkeys. If you're not current on what a passkey is, we have an explainer for that.

The second element should be trickier; thus, the methods can vary widely. Google offers a whole bunch of second-factor methods that verify you're holding a phone that's already logged into your Google account while logging in somewhere else. In practice, most services will stick to just a few options, such as those one-time passcodes sent via text message to your mobile number or generated in an authenticator app.

The problem with a second factor that relies on information from your phone to authenticate logins is that if a malicious actor takes possession of your phone or can hack through and intercept data, your access to your accounts can easily be compromised.

What is a hardware security key?

hardware-security-key-examples
Google, Thetis, Yubico

That's where hardware security keys come into play.

Also known simply as security keys, universal second factor (U2F) keys, or physical security keys, they take the second factor of authentication off your phone and make it a physical (but tiny) dongle that plugs into the device of your choice when you are logging in - you'll find keys that connect via USB-A, USB-C, Lightning, NFC, and Bluetooth. You can hook them up to a keychain or a dark corner of your backpack and keep them on you wherever you are.

You can effectively use a single hardware security key for as many accounts as you wnat. Typically, you will either physically insert or wirelessly pair the security key to your desired device and then press a button on the key itself when prompted during the login process. Your web browser or app will then challenge the security key. It will cryptographically sign this challenge, verifying your identity and whatever it is you're trying to access.

Various manufacturers make hardware security keys and work with the most popular web browsers and hundreds of apps and online services. They can even help you log into your workstation. Overall, they're not hard to use and are relatively inexpensive. Pretty much any other form of two-factor authentication won't offer the same level of protection.

How do security keys work?

The first time you set up a service with your hardware security key, the two sides will randomly generate a public and private key pair - the public key will be sent to a server, but the private key will never leave your hardware key. Your hardware key will also send a random number called a nonce, which is used to generate your keys, and another number called a checksum, which identifies your specific hardware security key.

When you enter your login credentials into an online account, the server will send that nonce and checksum back to your hardware security key and a different number. The hardware physical key will use the nonce and checksum to regenerate its private key and then sign the number sent to it by the server, which ultimately verifies and unlocks your online account with your public key.

The overarching standards for how security keys store, present, and authenticate your credentials are decreed by the FIDO Alliance, a working group that includes tech firms like Amazon, Apple, Google, and Microsoft, companies that make password managers like 1Password and Dashlane, and even financial institutions like Bank of America and PayPal.

All this sounds complicated. But it happens in the background without your input, other than you inserting the hardware security key into your device. Hardware security keys also use the original domains of sites to generate their keys, which means phishing sites can't trick them.

We should also note that most hardware keys can also store and present static passwords and time-based one-time passcodes (like the ones from an authenticator app) for a limited number of services. The main standard you should look out for when it comes to the meat and potatoes of a hardware key is FIDO2.

Where can I use hardware security keys?

You can use hardware security keys to log in to many desktop and mobile devices running on ChromeOS, macOS, Windows, Android, iOS, and other operating systems. These same devices will also facilitate hardware key logins with supporting online services and applications, including X (formerly Twitter), Facebook, Google, Instagram, Reddit, GitHub, Dropbox, Microsoft account services, Nintendo, and others. Most web browsers like Google Chrome and Mozilla Firefox also support hardware keys.

You should look into whether your most-used online accounts and even whether your devices will support security keys before you invest in one. The FIDO2 standard on some security keys can also work with Windows Hello and Microsoft’s Edge browser.

What if I lose my hardware security key, or it gets stolen?

Your hardware security key works in addition to your account login credentials. So, if someone steals your key, they can't get into your accounts without knowing your username and password. Also, if you've lost your security key, you can always resort to a backup method of two-factor authentication. You can then gain access to your online account, remove your linked security key, and either add another or continue using a backup method.

How to set up a security key

As we've detailed above, all hardware security keys tend to work the same, but setting them up varies by app and device. To give you an idea of how one works with an online account, we've detailed the exact steps for pairing a security key with Facebook and then signing into your account:

  1. From either the app or website, select your profile picture at the top-right corner of the screen, then hit Settings and privacy, then Settings.
  2. You'll see a panel referring to the Meta Accounts Center. Select See more in Accounts center
  3. Select Password and security, then Two-factor authentication.
  4. Select the Facebook account you want to secure with a hardware key. You may be asked to re-enter your password.
  5. You'll then be provided with a list of 2FA options. Select Security keys and then hit Next.
  6. Select Register security key. Your device's operating system will then ask you for the type of security key you're pairing with - NFC, Bluetooth, or USB. Confirm your key type and then proceed to the next prompt.
  7. Connect your security key to your device and then tap the key's button. You should receive a confirmation message.

Which hardware security key is the best?

Yubico, which helps develop the FIDO U2F authentication standard, is one of the more popular names in the field of hardware keys and has different models available. Google has its own Titan key, which it refreshed in late 2023. Other security key manufacturers include Kensington and Thetis.

We have all of our specific picks for the best hardware security keys in a dedicated piece elsewhere on Pocket-lint.