Few things are more important than protecting your personal information online, but doing so is not always as easy as it sounds.
Sure, making up strong and varied passwords for each of your online accounts is a start, and two-factor authentication (2FA) can certainly make things considerably more secure. But nothing is perfect, and the mostly widely used 2FA options, including texted codes and authenticator apps, can still result in unexpected account takeovers.
- You're probably doing 2FA wrong: Here's the right way
- The best password managers to protect your online accounts
So how can you further improve your online security? The answer is to use a portable security key, also known as a USB security key or a hardware security key, as your second 2FA factor.
These small and discreet keys can be attached to a keychain, kept in a pocket or left plugged into a laptop, and they'll provide you with an extra layer of comfort and security. Microsoft even lets you replace your password with a USB security key.
In this guide, we're going to look at hardware security keys, their costs, which brands are offered and how to use them so that you can make an informed decision about which one is best for you.
What are USB security keys?
Security keys look like small USB drives and can be plugged into a wide collection of devices. Some are so small that they barely stick out when plugged into a laptop. Thanks to a chip inside that contains codes and protocols, each one of these physical keys can connect to online servers to verify that you are the person accessing whatever device you've plugged it into.
Though they're most typically plugged into a computer's USB-A or USB-C port, some security keys feature wireless Bluetooth or NFC capabilities to connect to mobile devices too. A couple have Lightning plugs to connect to iPhones and older iPads.
How USB security keys fit into two-factor authentication
Though a USB security key may sound redundant on paper, it brings major benefits. Here are some things to consider.
Passwords are easier to figure out than you'd think. Not only do many people use weak or similar passwords for every account, but advanced algorithms and powerful computers can figure out many “strong” passwords with enough time and effort.
Furthermore, if you reuse the passwords and usernames on multiple sites, you multiply the risk that those login credentials will be exposed in a data breach. It doesn’t matter how strong your password is if hackers can use "credential stuffing" to find other accounts where you use it. One data breach could result in many accounts being hijacked, even months or years later.
Aside from never reusing passwords, the best way to protect an online account is to use 2FA. When you log into a website from a new computer or mobile device, the login page will ask you to enter a second secret "factor" along with your password.
This factor is often a one-time passcode (OTP) sent to your phone via text message, email, "push" notification or voice call. Authenticator apps can also generate one-time passcodes for each account. The idea is that a hacker who has your password won't have your smartphone and thus can't receive or generate the correct one-time passcode.
Enter the passcode into the login page, and you're in. You can ask the site to "recognize" your new device so that you won't need to go through the 2FA process next time you log into the account.
Why do I need a hardware security key?
Yet phone-based 2FA isn't foolproof. Hackers can intercept texted codes by "porting" your phone number to another device or having your email messages secretly forwarded. Authenticator-app OTP codes can be "phished" by tricking the user into entering them into phony websites.
Hardware security keys provide the toughest 2FA factor available. They don't depend on any devices besides themselves. They are an exclusive access point; no one can access your data unless they have both your password and your physical security key.
A USB security key is an intelligent little device that recognizes websites, and because of this, it will stop you from entering information on a phishing site out to steal your passwords.
How would I use a USB security key?
Setting up a hardware security key is easy: Log into your website of choice and make sure 2FA is enabled and set up. It’s OK if you’ve already set up 2FA to work with texted codes or an authenticator app.
Find the part in the settings page that lets you add more factors to your 2FA enrollment. Click to add a new factor and see if there’s anything that resembles “USB Security Key,” “External Security Key” or the like.
If so, click it and follow the instructions. Some sites, like Facebook, want you to insert the key into your computer’s USB port right away. Others, like Google, want you to fill out a couple of more things first.
Once you plug the key in, the website will read it and ask you to give it a name. If you’re on a recent version of Windows 10 or Windows 11, Windows may ask you to add a passcode to the key as well.
From here on, you can use the USB security key as the second factor for any website on which the key is registered. For some sites, the key will become the default 2FA method. Other sites let you rank 2FA methods in order of priority.
Which websites support hardware security keys?
Most major websites and organizations support the most basic FIDO/U2F and FIDO2/WebAuthn security-key standards, including Dropbox, Facebook, Google, Microsoft, Twitter, Yahoo and YouTube, plus the password managers BitWarden, Dashlane, Keeper and 1Password.
For some other sites, you’ll need more advanced (and more expensive) keys, such as Yubico’s YubiKey series (except for the YubiKey Bio, which is U2F/WebAuthn only). These sites include, LastPass, Tesla and Twitch. You can also log into a computer using a YubiKey.
All major browsers support USB security keys, including Brave, Chrome, Edge, Opera and Safari.
What are the downsides of a USB security key?
There are some potential drawbacks to using a hardware security key.
First of all, you could lose it. While security keys provide a substantial increase in security, they also provide a substantial increase in responsibility. Losing a security key can result in a serious headache.
Most major websites suggest that you set up backup 2FA methods when enrolling a USB security key, but there's always a small but real chance that you could permanently lose access to a specific account if you lose your key. Security-key makers suggest buying more than one key to avoid this situation, but that can quickly get expensive.
Cost is another issue. A hardware security key is the only major 2FA method for which you have to spend money. You can get a basic U2F/WebAuthn security key standards for $15, but some websites and workplaces require specialized protocols for which compatible keys can cost up to $85 each.
Finally, limited usability is also a factor. Not every site supports USB security keys. If you're hoping to use a security key on every site for which you have an account, you're guaranteed to come across at least a few that won't accept your security key.
Which hardware security key is right for me?
There are a handful of important things to consider when deciding on which USB security key is best for you.
Prices for hardware security keys generally range between $15 and $60, and while even lower-end keys can be useful for simple protection, you do tend to get what you pay for in most cases.
The pricier options might include capabilities missing in the cheaper alternatives, such as NFC, Bluetooth, and higher durability — all of which could be very important if you'll be using the key in a variety of situations.
The trickier part of buying a USB security key is figuring out which authentication standard you need. Almost all security keys support FIDO/U2F and its successor FIDO2/WebAuthn. These are usable on most major sites, such as Google, YouTube, Twitter, Microsoft, Nintendo, Reddit and many more.
However, some websites and services, including LastPass, Tesla and many government accounts, require the additional standards.
If you can afford one, it’s never a bad idea to pick up a hardware security key that supports multiple standards to ensure you run into fewer problems.
Here are some popular USB security keys that should fit the needs of most consumers:
Yubico YubiKey 5 NFC is the most popular hardware security key for a good reason. Sporting a price tag of around $45, this key is small, durable, waterproof and supports NFC. It's only USB-A out of the box, but a USB-C adapter can fix that minor quibble (or you can get the $55 YubiKey 5C NFC). It also ranks among the most compatible keys since it supports Yubico's proprietary algorithms as well as other specialized protocols, which are required on certain sites like LastPass.
Yubico YubiKey 5ci is for Apple-only consumers. The $70 key combines a USB-C plug for Macs and newer iPads and a Lightning plus for iPhones and older iPads.
CryptoTrust OnlyKey can also be snagged for around $45, and it offers a few features that you won't find on many other hardware security keys. Most notably, it has a built-in password manager that can store your passwords securely or even generate strong ones for you to use. The user interface can be a little clunky, but for those with experience who want even more options, this one is great.
uQontrol Qkey Password Vault is among the most secure keys you can purchase thanks to its military-grade authentication. Unlike most keys, this one provides three-factor authentication using a security chip, a master password and a sensor that verifies the physical presence of its user. This one is a steal at only $30.
Google’s Titan Security Key costs $30 and comes in either USB-C or USB-A formats. Both have NFC support to connect with smartphones as well. It supports U2F and WebAuthn.
Yubico FIDO Security Key NFC is an inexpensive option at around $25. It's made by leading brand Yubico, but it's not a "Yubikey" since it lacks Yubico's proprietary algorithms alongside the standard U2F/WebAuthn algorithms. However, if you just need a cheap key that has NFC support, this is a great grab and is $5 cheaper than Google’s similar option.
SoloKey’s most basic USB-A key is U2F only, so there are some websites that won't support it, but you know what they say — you get what you pay for. In this case, though, $20 makes it a pretty solid deal for those on a budget or anyone simply looking for a decent backup key. Other Solo keys come with NFC and/or USB-C for a bit more.