The Best Hardware Security Keys for 2024
How Do You Use a Security Key?
While they can take many forms, most security keys are small, key-sized devices that uniquely identify themselves to sites and services. Possessing the key gives the online account a way to confirm that you are who you say you are, in addition to verifying your username and password. To use a security key, you first have to enroll it with each site or service you want to protect. Support for security keys is increasing, but don't be surprised if they're not accepted at every site you try.
Enrolling a key is slightly different for each key and online account, but it usually goes something like this: Somewhere in the online account's settings is an option to enroll a security key. Click it, insert the key, tap the key's button when prompted, and give the key's record a name so you know what it is. Some sites and services limit you to just one key, while others allow or even require more than one. Many sites require you to enable an alternate form of MFA or generate one-time-use security codes to act as backups to your key.
The next time you go to log in, you're prompted to present your security key after entering your username and password for an account. You connect the key through some kind of data transfer connection—typically USB-A or —and then press a button on the device to verify you're a real person and not a clever malware attack impersonating a key. If both the password and the key check out, you log in as normal.
Some hardware keys include wireless communication capabilities, usually through , to interact with mobile devices. Other keys have biometric authentication for an added layer of protection.
Which Hardware Security Key Is Best for You?
The first thing to look at when choosing a security key is how the key literally fits with the rest of your devices. If you don't have any devices with USB-C, you should stick to keys with a USB-A connector. If you intend on using your key with mobile devices (and you should), select a key with either a connector that fits your phone or NFC if your phone supports NFC.
Consider any budget restrictions, too. The most expensive keys we've reviewed cost up to $95. If you're new to hardware security keys, we strongly recommend starting with a less expensive key and upgrading later. The Security Key C NFC from Yubico and the Google Titan Security Key work well for basic MFA and offer NFC for mobile devices. Either is great for first-time buyers.
Most security keys just authenticate you, and that's enough. But some go further with additional features. Kensington has a line of biometric keys that require the correct fingerprint to authenticate you. High-end YubiKeys have numerous additional features: the ability to play back a static password, work with a desktop or mobile app to provide app-generated passcodes, support PGP key management, and offer their own form of one-time passcodes.
Other keys may have niche features or design perks that appeal to particular audiences. For example, Nitrokeys are built on open-source code and hardware, making them strong choices for the privacy-conscious consumer. In another example, Yubico and Nitrokey target very different audiences: the former blocks firmware changes on its devices to protect them from tampering, while the latter celebrates its updatable firmware.
What Is Multi-Factor Authentication?
Multi-factor authentication, sometimes called MFA, two-factor authentication, or 2FA, allows you to verify your identity using more than one kind of authentication. You should authenticate your login using at least two of these factors:
Something you know
Something you have
Something you are
Something you know is typically a password. It lives in your head and is ideally known only to you. Something you have could be a security key such as those we've listed here, an on your phone, or a code sent via SMS to your phone. It's something not easy for a stranger to access or obtain. Finally, something you are is a physical characteristic that can be read with a biometric scan, such as a fingerprint or your face.
It's pretty unlikely that an attacker will have access to more than one of these forms of authentication, making it harder for bad guys to take over your accounts. It's been proven in the real world, too. When Google required employees to use hardware MFA keys, .
Remember that MFA of any kind can't protect against all the security dangers the modern world presents. We strongly recommend using as well as a to create unique and complex passwords for each site and service you use.
How Do Hardware Security Keys Work?
The most widespread means of hardware security key authentication is based on the standards from the . All these standards do fundamentally the same thing: They use asymmetric cryptography to authenticate you to a site or service.
Each device can generate any number of public keys from its private key without exposing the private key. That allows a single hardware key to be used for multiple sites and services, but most important, it means a failure or change at any one site or service won't affect the others. You can easily remove and enroll your hardware key as many times as you like.
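The enrollment and login steps described above, as an added example that is not code from any vendor or from the FIDO specifications. It assumes Ed25519 in place of the ECDSA P-256 keys real FIDO authenticators use, a simplified HMAC-based key derivation, and constructed site names; `makeSecurityKey`, `siteVerifies` and `demo` are hypothetical names.

```javascript
// Added illustration: one device secret, a separate key pair per site.
// Assumptions: Ed25519 stands in for the ECDSA P-256 keys that real FIDO
// authenticators use; the HMAC derivation is a simplified sketch, not the spec.
const crypto = require("node:crypto");

// PKCS#8 DER header that wraps a raw 32-byte Ed25519 seed.
const PKCS8_ED25519 = Buffer.from("302e020100300506032b657004220420", "hex");

function makeSecurityKey() {
  const master = crypto.randomBytes(32); // stays inside the closure ("the device")
  const privateFor = (site, nonce) => {
    const seed = crypto.createHmac("sha256", master).update(site).update(nonce).digest();
    return crypto.createPrivateKey({
      key: Buffer.concat([PKCS8_ED25519, seed]), format: "der", type: "pkcs8" });
  };
  return {
    // Enrollment: the site stores only the nonce and the public key.
    enroll(site) {
      const nonce = crypto.randomBytes(16);
      const publicKey = crypto.createPublicKey(privateFor(site, nonce))
        .export({ type: "spki", format: "der" });
      return { nonce, publicKey };
    },
    // Login: re-derive the site's private key and sign the site's fresh challenge.
    sign(site, nonce, challenge) {
      return crypto.sign(null, challenge, privateFor(site, nonce));
    },
  };
}

// Site-side check against the public key saved at enrollment.
function siteVerifies(record, challenge, signature) {
  const pub = crypto.createPublicKey({ key: record.publicKey, format: "der", type: "spki" });
  return crypto.verify(null, challenge, pub, signature);
}

function demo() {
  const key = makeSecurityKey();
  const bank = key.enroll("bank.example"); // constructed site names
  const mail = key.enroll("mail.example");
  const rebank = key.enroll("bank.example"); // enrolling again yields a new pair
  const challenge = crypto.randomBytes(32);
  const sig = key.sign("bank.example", bank.nonce, challenge);
  return {
    loginOk: siteVerifies(bank, challenge, sig),
    otherSiteOk: siteVerifies(mail, challenge, sig),
    replayOk: siteVerifies(bank, crypto.randomBytes(32), sig),
    keysDiffer: !bank.publicKey.equals(mail.publicKey),
    reenrollDiffers: !bank.publicKey.equals(rebank.publicKey),
  };
}
```

Each site holds only a public key and a nonce, so a record taken from one site cannot be used to verify or forge a login at another, and removing and re-enrolling the key simply creates a fresh pair.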
When shopping for a hardware security key, look for at least certification because it means the key works in just about every basic security key context. FIDO2/WebAuthn are the next-generation standards that support additional types of authentication. If you want to use a device for biometric MFA or , you need FIDO2/WebAuthn.
Are Security Keys Safe?
So what happens if your key is stolen or lost? In the theft scenario, it's unlikely someone would have the means to track down an individual user and steal their security key. Most cybercrime is committed en masse, with thousands or millions of compromised accounts. One security key isn't worth the effort.
That said, a determined attacker could use a stolen key to access your accounts. That's why you should keep your key safe but also use strong passwords secured in a password manager. If the thief gets the key but can't crack your password, they're still not getting in.
It's far more likely that you lose your key, and that can be a real problem. Yubico recommends enrolling a second key and storing it as a secure backup. Many services that support security keys also allow (and some require) you to enroll multiple MFA factors, so you could set up an authenticator app as a backup MFA option and use that if you don't have your key.
Services often let you generate backup codes you can write down offline or store in a password manager. These codes grant you access in emergencies. If none of that works, find a device where you are still logged in and unenroll the key or add a new MFA factor you do have. The bottom line is that .
Passkeys vs. Security Keys
Passkeys are a secure authentication system that may one day replace passwords. Several major players have thrown their weight behind this technology, making it far more likely to catch on than any other previous effort to replace passwords. Apple, Google, and Microsoft have all added support for passkeys to their platforms, so you're likely to start seeing them appear as an option soon. If you want to try using passkeys to log in, check out our instructions for creating passkeys for your Google or Apple account.
A super-secure authentication scheme might sound like a death knell for security keys, but not so! Some security keys can store passkeys, keeping them safe and separate from your phone or computer. The number of passkeys a security key can store will vary. After a recent firmware update, Yubico's YubiKey Bio keys now hold 100 passkeys each, while Google's Titan key has enough room for 250.
The Key to Better Online Security
Hardware security keys are the best, most secure method of MFA. We highly recommend them. But for some, the idea of paying for a key or having to fetch it for every login is too much bother, and that's just fine. What's most important is that you find an MFA scheme that works for you and that you use it.
Max Eddy contributed to this article.

