How do I get a security key?

One of the greatest threats against your personal security is an attacker taking control of an online account. With it, a bad guy can do all sorts of nefarious deeds in your name, and if they get control of your email account they can use password recovery features to take control of even more of your accounts. Fortunately, multi-factor authentication (MFA) can protect against account takeovers. While there are many ways to do MFA, one of the best (and definitely the coolest) is with a security key—a tiny device that fits on your key chain.

Yubico YubiKey 5C NFC

Best for Expert Authenticators

Bottom Line:

The YubiKey 5C NFC packs all the advanced features of the YubiKey line into an affordable package that will work with all your desktop and mobile devices. It's the most versatile security key we've yet reviewed and our Editors' Choice.

PROS

  • Supports both USB-C and NFC
  • No battery or moving parts
  • Crush and water resistant
  • Supports FIDO2 and U2F standards
  • Numerous advanced features

CONS

  • Expensive
  • Spotty support from sites and services

Yubico YubiKey C Bio

Best for Biometric Authentication

Bottom Line:

The YubiKey C Bio puts biometric multi-factor authentication on your keyring. While somewhat limited in features, it is an excellent implementation of biometric technology that's very easy to use day-to-day.

PROS

  • Biometric multi-factor authentication
  • Slim, durable design
  • Supports widely used standards
  • Easy onboarding

CONS

  • Expensive
  • No NFC
  • Lacks authentication features found in other YubiKeys

Yubico YubiKey 5 NFC

Best for PCs With USB-A Connections

Bottom Line:

Slightly cheaper than its USB-C cousin, the YubiKey 5 NFC has all the versatility we've come to expect from Yubico and will work with mobile devices via NFC. If you have older devices, or just prefer USB-A, this is the best choice for you.

PROS

  • Durable, reliable construction.
  • No batteries or moving parts.
  • NFC capable.
  • Different form factors.
  • Supports FIDO U2F, FIDO2.
  • Can generate six-digit one-time use passcodes with companion app.
  • Supports multiple protocols for different security roles.

CONS

  • Expensive.
  • Requires effort and education to fully realize its potential.
  • Limited iOS integration.

Kensington VeriMark Guard USB-C Fingerprint Key

Best for Small Form Factor Biometrics

Bottom Line:

The teeny-tiny biometric security key with a very long name, the Kensington VeriMark Guard USB-C Fingerprint Key adds fingerprint authentication to the mix. This key shines in passwordless environments and is small enough to live full time attached to your device, even if onboarding is a bit of a pain.

PROS

  • Works with most popular multifactor standards
  • Integrated, optional, fingerprint sensor
  • Small, well-built design

CONS

  • Confusing onboarding
  • No NFC
  • Doesn't indicate when biometrics are in use
  • Biometrics not widely supported

Nitrokey FIDO2

Best for Open-Source Evangelists

Bottom Line:

The Nitrokey FIDO2 supports the most commonly used multifactor authentication standards and does it with open-source hardware and firmware. It's bulkier and slightly more expensive than Yubico's entry level key, but is another excellent choice for first-time buyers.

PROS

  • Open-source hardware and firmware
  • Affordable
  • Supports latest multifactor authentication standards
  • Durable and portable

CONS

  • No NFC support
  • Bulky
  • Lacks encryption features found in other Nitrokey devices

Security Key NFC by Yubico

Best for First-Time Multi-Factor Authenticators

Bottom Line:

The Security Key by Yubico has the durable design of Yubico, supports all the most common authentication standards, communicates with mobile devices via NFC, and is priced well into impulse-purchase territory. It lacks fancier features, but is the best choice for anyone looking to buy their first security key.

PROS

  • Affordable.
  • Supports FIDO2 and FIDO U2F, used by Google, Twitter, Facebook, and others.
  • Durable.
  • Supports NFC.

CONS

  • Limited by lack of support on mobile devices, especially iPhone.
  • Doesn't support other 2FA or encryption features.
  • Won't work with LastPass.

Yubico YubiKey 5Ci

Best for People With Both Android and Apple Devices

Bottom Line:

The double-headed design of the YubiKey 5Ci may give you pause, and its price tag may stop you flat, but for anyone who wants the flexibility of the YubiKey line but doesn't trust NFC it's a great choice.

PROS

  • Lightning connector works with nearly all iOS devices.
  • USB-C connects to Android, PCs.
  • FIDO2 U2F (WebAuthn) compliant.
  • OTP support.
  • Small, durable, no batteries or moving parts.
  • Highly customizable with advanced options.

CONS

  • Expensive.
  • No NFC.
  • Limited support from Apple.
  • Very stiff USB-C plug.

Yubico YubiKey Bio

Best for Biometrics in Legacy Environments

Bottom Line:

The Bio lacks the flexibility found in other YubiKeys, but is an excellent and well-designed way to add biometric MFA to your life.

PROS

  • Biometric multi-factor authentication
  • Sleek, durable design
  • Supports major authentication standards
  • Slightly cheaper than USB-C sibling

CONS

  • Comparatively expensive
  • USB-A incompatible with many devices
  • Limited use cases
  • No NFC

Google USB-C/NFC Titan Security Key

Best for Affordable, Durable Hardware

Bottom Line:

Highly affordable, Google's latest addition to the Titan line will work with just about every device you have. It uses older MFA technology, so it may not be as futureproof as other options.

PROS

  • Affordable
  • USB-C and NFC supported
  • Small, sturdy design
  • Trusted Google name

CONS

  • Older FIDO U2F protocol may limit its utility
  • Incomplete documentation

Buying Guide: The Best Security Keys for Multi-Factor Authentication


What Is Multi-Factor Authentication? 

The authentication method most of us are familiar with is being required to enter a username and password. But passwords have a lot of problems. For one thing, we're bad at remembering them and even worse at picking unique, complex passwords that can stand up to attacks. For another, people tend to reuse passwords, meaning that if one account is compromised, all the other accounts with the same password are also at risk.

Multi-factor authentication, sometimes called two-factor authentication or 2FA, seeks to change that by using more than one authentication factor. That doesn't mean a second password, but at least any two from a list of three possible factors:

  • Something you know;

  • Something you have; and 

  • Something you are.

Something you know is typically a password. It lives in your head and is ideally known only to you. Something you have could be a security key such as the ones we are rounding up here, or it might be an authenticator app on your phone. It's something that's not easy for a stranger to access or obtain. Finally, something you are is a physical characteristic that can be read with a biometric scan. That could be a fingerprint scan or facial recognition, although using the latter ranks among the worst mistakes in technology.

Because it's extremely unlikely an attacker will have more than one of these forms of authentication, MFA makes it much harder for bad guys to take over accounts. This has been proven in the real world. When Google required employees to use hardware MFA keys, account takeovers effectively vanished.


What Is a Security Key?

While they can take many forms, most security keys are small, key-sized devices that can uniquely identify themselves to sites and services. Remember, they are something you have.

To use a security key, you first have to enroll it with each site or service you want to protect. There's increasing support for security keys, but don't be surprised if they're not accepted at every site you try. Enrolling a key is slightly different for each key and site, but it usually goes something like this: Somewhere in the site or service settings you'll find an option to enroll your security key. Click it, insert the key, tap the key's button when prompted, and then give the key's record a name so you know which is which. Some sites and services limit you to just one key, others allow many more.

The next time you go to log in, you're prompted to present your security key after entering your username and password for an account. You connect the key through some kind of data transfer connection—typically USB-A or USB-C—and then press a button on the device to verify that you're a real person and not a clever malware attack impersonating a key. If both the password and the key check out, you log in as normal.

Some hardware keys include wireless communication capabilities, usually through near field communication (NFC), to interact with mobile devices. Other keys have biometric authentication for an added layer of protection.


Not All Factors Are Created Equal

While two factors are always better than one, each MFA scheme has potential advantages and drawbacks.

Receiving one-time-passcodes via SMS text message is one of the oldest and most widespread forms of MFA. It's easy to understand, and since many sites and services already have your contact information, you may not even need to enroll in it. While convenient, SMS codes have two major drawbacks. First, they require a functioning phone. If your phone is dead or you can't afford your own phone, you can't log in.

Second, it's been proven that attackers can intercept SMS codes through a process called SIM jacking. As such, we advise readers to avoid SMS MFA wherever possible. Hopefully the FCC will be able to address this threat.

Another common form of MFA is to use an app that generates time-limited login codes. While there are many examples of authenticator apps, most people are probably familiar with Google Authenticator. This type of MFA is more secure than SMS codes and lets a single app provide codes for any number of sites and services.

While authenticator apps don't require a network connection, your phone does need to be available and powered. Mobile phones aren't purpose-made authenticators; they are highly connected devices that do all kinds of tasks. This means it's possible, although unlikely, that a malicious attack could get at your security codes.

Hardware-based security keys solve most of the problems of the other MFA schemes. Hardware keys have no batteries and require no network connection. They also have no moving parts, making them difficult to break. Because they work on purpose-made hardware, they're much harder to attack. Finally, it can be kind of fun to have a special tool for logging in.

There are downsides to using hardware keys for MFA, too. Unlike other types of MFA, hardware keys cost money—usually $20-$50. Hardware keys can also be lost and aren't as widely supported as app-based MFA codes.

If you're new to MFA, we recommend starting with app-generated codes. These are free, secure, and easy to use and understand. But if you're already familiar with MFA and are interested in upping your security game, hardware security keys are the next step.

That said, it's important to remember that MFA of any kind can't protect against all the dangers the modern world presents. We strongly recommend using antivirus software as well as a password manager to create unique and complex passwords for each site and service you use.


How Do Security Keys Work?

The most widespread means of hardware security key authentication is based on the standards from the FIDO Alliance. All these standards do fundamentally the same thing: use asymmetric key cryptography to authenticate you to a site or service.

Each device can generate any number of public keys from its private key, without exposing the private key. That allows a single hardware key to be used for multiple sites and services but most importantly, it means that a failure or change at any one site or service won't affect the other. You can easily remove and reenroll your hardware key as many times as you like.
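
The enrollment and login flow described above, as an added sketch that is not from the original article or from any vendor. It models each enrollment as a fresh P-256 key pair kept on the device, which is an assumption of this simplified model and not the real CTAP2/WebAuthn message format; the `SecurityKey` and `Site` classes and the `.example` site names are hypothetical.

```javascript
// Simplified model of security-key enrollment and login (added example).
// Assumption: one P-256 key pair per enrolled site; not the real WebAuthn wire format.
const nodeCrypto = require('crypto');

class SecurityKey {
  constructor() { this.credentials = new Map(); } // siteId -> private key, kept on the device

  // Enrollment: create a key pair for this site only and return the public half.
  enroll(siteId) {
    const { publicKey, privateKey } =
      nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' }); // NIST P-256
    this.credentials.set(siteId, privateKey);
    return publicKey;
  }

  // Login: sign the site's challenge, but only after the button press.
  sign(siteId, challenge, buttonPressed) {
    const privateKey = this.credentials.get(siteId);
    if (!privateKey || !buttonPressed) return null;
    return nodeCrypto.sign('sha256', Buffer.concat([Buffer.from(siteId), challenge]), privateKey);
  }
}

class Site {
  constructor(siteId) { this.siteId = siteId; this.publicKey = null; this.pending = null; }
  register(publicKey) { this.publicKey = publicKey; }
  newChallenge() { this.pending = nodeCrypto.randomBytes(32); return this.pending; }

  // Accept a response only for the challenge currently outstanding, and only once.
  verify(signature) {
    const challenge = this.pending;
    this.pending = null;
    if (!challenge || !signature || !this.publicKey) return false;
    const signed = Buffer.concat([Buffer.from(this.siteId), challenge]);
    return nodeCrypto.verify('sha256', signed, this.publicKey, signature);
  }
}

// Constructed scenario: one key enrolled at two hypothetical sites.
function demo() {
  const key = new SecurityKey();
  const mail = new Site('mail.example');
  const bank = new Site('bank.example');
  mail.register(key.enroll(mail.siteId));
  bank.register(key.enroll(bank.siteId));

  const response = key.sign(mail.siteId, mail.newChallenge(), true);
  const loginOk = mail.verify(response);        // fresh challenge, correct key
  mail.newChallenge();
  const replayOk = mail.verify(response);       // old response against a new challenge
  const noTouch = key.sign(mail.siteId, mail.newChallenge(), false); // button not pressed
  const crossSiteOk = bank.verify(key.sign(mail.siteId, bank.newChallenge(), true));
  return { loginOk, replayOk, noTouch, crossSiteOk };
}
```

Each site stores only a public key, so a database leak at one site yields nothing that can sign a login at another.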

When shopping for a hardware security key, you should look for at least FIDO U2F certification because it means the key will work in just about every basic security key context. FIDO2/WebAuthn are the next generation standards, which support additional types of authentication. If you want to use a device for biometric MFA or passwordless login, you'll need FIDO2/WebAuthn. 


Are Security Keys Safe?

Going from a password that (ideally) is a complete secret to a little bauble like a security key can sometimes feel like being less secure. After all, what happens if your key is stolen? Or you lose your key?

To the first point, it's extremely unlikely that someone would have the means to track down an individual user and steal their security key. Most cybercrime is committed en masse with thousands or millions of compromised accounts. One security key isn't worth the effort. Still, it's not impossible and a determined attacker could use a stolen key to access your accounts. That's why it's important to keep your key safe, but also to use strong passwords secured in a password manager. If the thief gets the key but can't crack your password, they're still not getting in.

It's far more likely that you will lose your key, and that can be a real problem. Yubico recommends enrolling a second key and storing it as a secure backup. Many services that support security keys also allow (and some require) you to enroll multiple MFA factors, so you could set up an authenticator app as a backup MFA option. Services often let you generate backup codes that you can write down offline or secure in a password manager, which grant you access in emergencies. If none of that works, find a device where you are still logged in and unenroll the key or add a new MFA factor you do have. The bottom line is that losing your security key is not the end of the world.


How to Choose a Security Key

The first thing to look at when choosing a security key is how the key literally fits with the rest of your devices. If you don't have any devices with USB-C, you should stick to keys with a USB-A connector. If you intend on using your key with mobile devices (and you should) you should select either a key with a connector that fits your phone or a key with NFC, if your phone supports NFC.

You also need to consider your budget. The most expensive keys we've reviewed cost up to $85, which is a significant chunk of change. If you're new to hardware security keys, we strongly recommend starting with a cheaper key and upgrading later. The Security Key NFC from Yubico works just as well for MFA as a more expensive key, offers NFC for mobile devices, and can fit USB-C with a cheap dongle. It's a great choice for first-time buyers.

Most security keys just authenticate you, and that's enough. But some go further with additional features. Kensington has a line of biometric keys that require the correct fingerprint to authenticate you. High-end YubiKeys have numerous additional features: the ability to play back a static password, working with a desktop or mobile app to provide app-generated passcodes, PGP key management, and its own form of one-time-passcodes.

More obscure facets of each key may be significant to the most discerning buyer. Nitrokeys and SoloKeys use all open-source code and hardware, making them a strong choice for a particular crowd. Yubico locks down all its devices from firmware changes to protect them from tampering, while Nitrokey celebrates its updatable firmware.


The Key to Security

Hardware security keys are the best, most secure method of MFA and we highly recommend them. But for some, the idea of paying for a key or having to fetch it each time they log in is too much and that's just fine. What's most important is that you find an MFA scheme that works for you and that you actually use it. The best security doesn't work if it's ignored.

How do I find my network security key?

On an Android phone, finding your network key takes just a few seconds.
To access Wi-Fi, go to Settings > Connections > Wi-Fi.
Select your current network by tapping on it.
To see your Wi-Fi password, scan the QR code.

What happens if you lose your security key?

If you lose your security key you may be unable to log into any accounts that require it. This is why we recommend registering two keys, a primary and a backup. Some services may also require another backup method, like an app, text message, or email authentication.

How do I get a security key for my phone?

Set up your phone's built-in security key.
Turn on 2-Step Verification and choose a second verification step. ...
On your Android phone, go to myaccount.google.com/security.
Under "Signing in to Google," select 2-Step Verification. ...
Scroll to "Security key" and tap the Right arrow.
At the bottom left, tap Add security key.

Can I make a security key?

You can create a new security key PIN for your security key. Open the Windows Settings app, select Accounts, select Sign-in options, select Security Key, and then select Manage. Insert your security key into the USB port or tap your NFC reader to verify your identity.