When it comes to protecting your online information, you can never be too safe. While using strong passwords and software-based two-factor authentication (2FA) certainly make for a great start, you can further bolster your online security by using a hardware security key. Plus, they’re easy to use on both personal and business devices and accounts.
And don’t worry—you don’t have to be a tech wiz to use a security key. They are fairly easy to set up and some can even be stored on your keychain for convenience. A security key is the perfect way to gain some extra peace of mind in the name of protecting your most secure accounts, devices, and information.
What is a USB Security Key?
Physically, a USB security key (also called a U2F key) is a type of hardware security that resembles a USB drive and plugs into one of your computer’s USB ports. In practice, a security key is a physical security device with a totally unique identity. It houses a small chip with all of the security protocols and code that allows it to connect with servers and verify your identity. It’s used to ensure that you are the person actually accessing a site or service.
Some security keys even have NFC and/or Bluetooth built in, making them perfect for use with newer Android and iOS smartphones. The keys work with browsers like Google Chrome, along with web services like Gmail, Facebook, Dropbox, 1Password, Twitter, GitHub, Microsoft, and many others.
Security keys are yet another layer of two-factor security, not unlike those one-time codes you received via SMS or email when logging into certain sites or the biometric scans of your fingerprint or face used to unlock your laptop or smartphone. But instead of sending you a code or scanning a body part, you have to plug the device into your computer and tap a sensor on it to get it to grant you access to whatever you’re protecting.
Here is another way to visualize the common layers of security you can put on your accounts:
- Little to No Security: Using the same weak password that’s easy to guess on every site. Anyone with enough motivation could gain access to your information without expending much effort.
- Strong Security: Using unique strong passwords for each of your accounts. This makes it incredibly difficult (if not impossible) for a clever hacker or algorithm to guess. No, they won’t be easy for you to remember (that’s what password managers are for), but their complexity is why they’re effective.
- Stronger Security: Setting up software-based two-factor authentication for your accounts (where you receive a text code) or using authentication apps. This makes things even more difficult for a hacker to guess, as they’d have to know your password and have your phone on hand (or SIM swap it) in order to gain entry. Plus, in most cases, you’ll also receive the one-time code notification any time someone tries to access your account, giving you a heads up.
- Strongest Security: Setting up physical two-factor authentication, aka a security key, creates a single unique access point that can’t be duplicated. In order for you or anyone else to access your connected accounts, you’ll need your password as well as the physical key—something even the best hacker can’t work around.
Security keys are so good they’ll even prevent you from entering your information on a spoofed website, so even if a hacker manages to fool you, they won’t fool your security key. This bit of hardware acts as your digital bodyguard, keeping unwanted users away from your information. And don’t worry: no personal or account data is stored on the security key. In the event you lose your key or someone takes it, they’d still have to know your account names and passwords in order to get anywhere.
How Do Security Keys Work?
Security keys are just another way to verify with a server you’re trying to reach that you are who you say you are. The keys support an open-source universal standard called FIDO U2F, which was developed by Google and Yubico for physical authentication tokens.
Think of a security key like a hotel door. You check in at the front counter, pay the nightly fee, and are handed your room key. Then, hypothetically speaking, if you were to stand in front of the door of your assigned room and say “I want to come in,” the door wouldn’t just open. You’d have to insert the key into the slot and allow it to connect with the hotel’s system and verify “Yes, this key is currently valid. Give me the registered key code to open this room.” It’s the same thing.
Setting up and using a security key is also fairly easy. Once you’ve connected the devices and online accounts you want to use the security key on, all you have to do at that point is plug in the key when you want to access the device or site and tap the sensor button. If you aren’t sure how to link your physical key with a device or website, check out this helpful guide from our sister site, How-to-Geek.
Who Should Use a Security Key?
Anyone who wants to can use a security key, but it might be an excessive measure for some people. If you don’t mind the momentary inconvenience to get securely logged in to your connected accounts, it’s a great idea. After all, better safe than sorry.
We highly recommend security keys to those who regularly use public Wi-Fi, as traffic over Wi-Fi can be easily intercepted, and using public Wi-Fi makes you more susceptible to hacks. Using a security key makes it so that even if someone intercepts your data, they won’t be able to log in to your accounts. We also recommend security keys to anyone dealing with secure information online such as financial information, and to celebrities and other important persons who want an extra layer of security.
The Downsides of Relying on a Security Key
The main selling point of a security is also its biggest weakness: it’s the single point of access for your accounts. So where it makes it pretty much impossible for a hacker to access your accounts, it’ll also make it close to impossible to access your own accounts in the event you lose your security key.
If you have another instance of your accounts open somewhere, you could go in and remove your security key or set up a new one; but if you don’t, you might be out of luck. However, depending on the service you set up your security key with, like Google, you’ll have access to a series of options for accessing your account such as backup access codes. You could also technically buy a backup security key, but not every site allows you to register two.
The other noteworthy downside is that not every site and service supports security keys as a 2FA option, especially smaller services. Most services, if they offer 2FA support at all, will stick to SMS- or email-based options. This means you will be forking out cash for protection on only about a handful of sites for the time being, though support for more could come in the future.
Other Features to Consider
Obviously, security is the name of the game here and the most important part of a physical security key. However, there are a few additional features you should consider if you’re thinking of buying a security key.
- Price and Setup: Security keys have a fairly narrow price range, typically between about $20 and $50, so you don’t have to worry about dropping a few hundred bucks on one or anything. The keys should also be super easy to set up and use on demand.
- Device and Account Compatibility: Every hardware key is not created equal. Some connect to your computer via USB-A or USB-C, while others only support Apple’s Lightning ports. Newer options can even support Bluetooth and NFC, making them compatible with smartphones. Make sure that the key you choose will work with all the devices you want to use it on, from macOS and Windows to Android and iOS.
- Durability: Because a security key is something you’ll potentially be using every day, it’s critical that it has a durable design made of high-quality materials. The metal connectors that connect with those in your device’s USB port should be sturdy enough to stand up to thousands of uses. The best security keys can withstand being dropped (or having something dropped on it), and are water-resistant, too.
Security Keys We Recommend
If you’ve decided that you want to get a security key but aren’t sure what your options are, don’t fret: we’ve gathered a few of the best picks below, including some premium keys and a budget-friendly choice.
Best Overall Security Key: Yubico YubiKey 5 NFC
Yubico is a trusted name in the security key world, seeing as it helped develop the FIDO U2F standard, along with Google. The YubiKey 5 NFC uses both NFC and a USB-A connector, and is an ideal choice for getting logged in on your online services and accounts as well as your macOS computers, Android devices, and iPhone 7 or newer models. It supports a variety of security standards including FIDO U2F, FIDO2, Yubico OTP, OATH-HOTP, Open PGP, and Smart Card. The key is resistant to water, tampering, and being crushed.
Yubico - YubiKey 5 NFC - Two Factor Authentication USB and NFC Security Key, Fits USB-A Ports and Works with Supported NFC Mobile Devices - Protect Your Online Accounts with More Than a Password
Get maximum connectivity and security for your computers, mobile devices, and compatible websites and services.
Best Budget Pick: Thetis FIDO U2F Security Key
You don’t have to spend a ton to get a respectable security key, and the Thetis FIDO U2F Security Key offers the best bang for your buck. The key works on both Chrome and Opera browsers on macOS, Windows, and Linux operating systems. It skips Bluetooth and NFC connection options in favor of a USB-A port. The Thetis key does have a swiveling mechanism that protects the USB port when it’s not in use, though.
FIDO U2F Security Key, Thetis [Aluminum Folding Design] Universal Two Factor Authentication USB (Type A) for Extra Protection in Windows/Linux/Mac OS, Gmail, Facebook, Dropbox, SalesForce, GitHub
Connect to and protect your devices and online accounts without spending a small fortune. Works with Windows, macOS, and Linux systems.
Best Bluetooth Pick: Google Titan Security Key Bundle
Along with Yubico, Google helped develop the FIDO U2F standard these devices rely on, so it’s another good pick. The Google Titan Key Bundle comes in a set with one Bluetooth key and one USB-A key, so you can connect to computers and mobile devices as well as compatible web services. The keys have a hole-punch at the top so you can connect them to a keyring. Both keys support Google’s Advanced Protection Program, which is the company’s strongest security offering. Google also sells a great USB-C option, if that works better with your device ports.
One Final Note
Security keys are an easy and relatively inexpensive way to keep your important online information safe. While they might be overkill for the average person, the level of security they offer makes them worthwhile for anyone dealing with secure information, especially on a public Wi-Fi connection. They’re also a good idea for celebrities and noteworthy persons to use. Also don’t lose your security key.