What to Look for in a Hardware Security Key in 2023
If you’ve been on the internet, then you’ve probably heard of two-factor authentication, usually abbreviated as 2FA. Typically, 2FA involves receiving a code you have to insert after you enter your password correctly. You can receive this code either through an SMS message, an email, or an authenticator app.
These solutions can have problems though, especially since SMS messages can be intercepted through SIM-swapping attacks, emails can be broken into with social engineering, and authenticator apps lose their value if your phone is stolen or you forget it somewhere.
This is where security keys come in. Using Multi-Factor Authentication, or MFA for short, means using more than just one authentication vector, so 2FA is part of MFA.
Where physical security keys shine is that they don’t have the issues stated above regarding interception or breaking in. Of course, they can be stolen, but some keys have biometrics in them or require another PIN, making it a true MFA key so that even if it’s stolen, people can’t hack into your accounts.
So what should you look for when picking a hardware security key? Primarily, you want a key that supports the same protocols that your accounts use. For example, if you plan to secure your Twitter, Google, and Facebook accounts, you’ll need one that is compatible with them.
Currently, the most popular form of authentication is called FIDO2 and is almost universally supported. There’s also FIDO U2F, an earlier version of FIDO2, and most devices that support FIDO2 usually also support FIDO U2F. Backward compatibility is a good thing to have.
Then there are additional features that a hardware security key can provide, such as One-Time Passwords (OTP) through a protocol called OATH TOTP or Yubico OTP. There’s also OpenPGP, which encrypts emails and only allows you to unencrypt them if you have the correct OpenPGP key, adding another layer to secure emails.
As for what to choose exactly, that depends on your needs. If you don’t need OTPs or encrypted emails, then a key that uses FIDO2 is most likely going to cover 90%-100% of the stuff you need it for.
Also, it’s important to make sure you get a key that works with the devices you use. If you mostly want the key for mobile use, then getting one with NFC is the way to go. If you prefer to include biometrics for use with something like Windows Hello, you’ll want a security key with a fingerprint scanner.
So, let’s get into what the best hardware security keys are.
Frequently Asked Questions
Why should I use a hardware security key?
–
Hardware security keys offer some of the best device security due to something called the “possession factor.” This means that the means of access to a device or service is only in your possession, not entrusted to a third party.
Should I use a hardware security key over 2FA?
+
Two-factor Authentication has its place, but it still relies on a third party for access and can be breached. A hardware security key has the potential to provide better security for your devices and accounts, and often also includes a 2FA option should you need it.
What are the security key certifications?
+
Security key certifications are a range of security levels, showing how secure a device is. This Evaluation Assurance Level (EAL) is based on a Common Criteria security test, a standard for digital security tools. They run from the least secure, EAL 1, to the most secure, EAL7.
What do I do if I lose my hardware security key?
+
Most hardware security keys prompt you to set up recovery methods in the event of loss or failure. This could be through a companion app, for example. You should always set these methods up before you begin securing devices with your key. If you didn’t, you will need to remove the key as an authentication device on your accounts.
Best Overall Security Key: Yubico FIDO Security Key NFC
Pros
- ✓ Affordable yet still has all the security features most people will need
- ✓ Has FIDO U2F and FIDO 2 which is used by most of the big names
- ✓ Protocol support for WebAuthn, CTAP 1, CTAP 2, U2F
- ✓ Includes NFC
Cons
- ✗ Doesn’t have support for more advanced protocols
The Yubico Security Key NFC manages to balance all the important bits when it comes to a security key. It doesn’t cost too much, it works with both PCs and mobile devices through NFC, and it supports most MFA systems. There is even a USB-C version for those who need it.
In terms of protocol support, it can handle FIDO U2F and FIDO2, both of which are supported by Google, Twitter, and Microsoft, and a variety of password managers. It’s relatively easy to double-check what it works with before jumping in by checking a database or Googling if the website or service you want to use supports them.
The only real downside is that it doesn’t have the broader support of other security keys on this list. Granted, most people are unlikely to need these features, as the FIDO protocols will cover the most popular sites. In exchange for less advanced protocol support, you get the key cheaper, and that’s a fair trade-off for most.
This key is both crush-resistant and water-resistant, too, so it won’t be easily broken.
Best Overall Security Key
Yubico Security Key NFC
Yubico’s affordable security key exchanges wider protocol support for a lower price. Its supported protocols are used by most sites, software, and services, so that’s a good trade-off for this excellent security key.
Best Premium Security Key: YubiKey 5 NFC USB-A
Pros
- ✓ Wide-range of protocol support
- ✓ Several port versions available
- ✓ IP67-rated and with no moving parts makes it very sturdy
Cons
- ✗ Expensive for those who don’t need the added features
Where the YubiKey 5 NFC shines is near-universal protocol support, meaning you aren’t likely to find a website or service that doesn’t work with it in some fashion. This security key is well-suited for those who tend to deal with heavy security and therefore need an all-encompassing key.
Beyond that, there are also some more advanced features that you can access by using the app, such as OpenPGP, a secure signature for authenticating communications, and an advanced form of a one-time password. With the YubiKey 5, you could send an encrypted email through ProtonMail using PGP—but, rather than relying on a public key, you can use the hardware key instead.
Besides that, it has an interesting ‘static password’ feature that essentially functions as an auto-complete when touching the button on the YubiKey 5. You can write in only a fraction of a 32-character password when in a text box and have the YubiKey do the rest of the work for you.
The only real downsides to the YubiKey 5 are its price and that it can be somewhat finicky to use on mobile. The higher price makes sense given the larger number of included features.
Problems with using the key on mobile devices come down to how apps and browsers function on mobile. It’s easy to use the key on a desktop browser—and it works pretty well in a mobile browser, too. However, many mobile apps force you to insert your passwords in an app instead of a browser, and that can cause some issues. However, this isn’t just an issue with the YubiKey 5.
Note: If you’re an iPhone user and want a YubiKey 5, there’s a specific security key made for you called the YubiKey 5Ci. It has both USB-C and Lightning connectors, so you can use it across all your Apple devices.
Best Premium Security Key
YubiKey 5 NFC USB-A
The YubiKey 5 provides the most comprehensive protocols of any security key out there, as well as some excellent additional features for those who are security conscious.
Best Security Key for Bio-authentication: Kensington VeriMark
Pros
- ✓ Excellent fingerprint reader
- ✓ Support for most popular forms of MFA
- ✓ Small and portable
Cons
- ✗ Use on non-Windows platforms can be difficult
- ✗ Lack of NFC
One thing that’s missing from YubiKeys that some might find important is a fingerprint scanner. While it may seem like the button on the YubiKey is a biometric one, it’s actually just checking if a human being is pressing the button, rather than some malicious software. In short, it’s similar to reCAPTCHAs that you need to do to prove you’re not a bot.
The Kensington VeriMark is different, however. At just under an inch long, the VeriMark essentially functions as a fingerprint key for your laptop, and there’s even a version made specifically for desktop fingerprint reading.
The VeriMark’s design makes it look like the key is meant to stay put rather than carried around. However, it does have a cap and can survive just fine in your pocket or on a keychain.
When it comes to protocols, it supports FIDO2, and you should be able to use it on most services and apps. It can also be used for Windows Hello—in fact, it seems made for the Windows operating system, considering that the VeriMark can be a bit difficult to get working on Linux and Mac. The instructions are also rather rough around the edges, which might put the less tech-savvy off.
In terms of security, your full fingerprints aren’t saved to the device’s memory. Instead, the Kensington VeriMark creates a template of your fingerprint and tries to match that. What’s especially impressive is that it seems to work from any angle, so Kensington certainly did a good job in both the sensor and its internal security.
The biggest downside of the VeriMark is the lack of NFC, which puts a lot of iPhone users out of its reach unless you go for the desktop version with a USB cable. If you do, though, you’ll likely have to use a Lightning-to-USB adaptor, and that adds a bunch of unnecessary steps.
Another issue is that it’s a bit on the expensive side, coming in at just under $60. While there’s a single-PC-use version for under $40, that’s a steep price for something tied to one device. We think it’s better to spend the extra money and be able to move around with it.
Best Security for Bio-Authentication
Kensington VeriMark Guard
The VeriMark offers the best balance of protocol support, cost, and most importantly, fingerprint scanning that works from nearly any angle.
Best Key & Password Manager Combo: OnlyKey
Pros
- ✓ Can bypass keyloggers
- ✓ Has a self-destruct emergency code
- ✓ Wide protocol support
Cons
- ✗ UI can be a bit obtuse
- ✗ Bulkier than other security keys
- ✗ Lack of NFC
The CryptoTrust OnlyKey is a bit unique among security keys because it includes a password manager as part of the key. That’s great because it circumvents the possibility of a keylogger getting access to your password since you input the characters for the password on the security key itself.
It’s made even simpler because you only need to press one of the six keys on the OnlyKey to input the password into a text field. In addition to that, you can do both long and short presses for each button, so you can store up to 12 different passwords on it.
If that wasn’t enough, you can even further protect each password with an additional PIN, making the OnlyKey one of the few, if not the only, security key that completely houses three-factor authentication.
As for its 2FA support, it can handle TOTP, Yubico OTP, and FIDO 2 U2F, which should cover the majority of sites and apps out there, as well as offer a bit of future-proofing. There’s also a self-destruct code you can set up. Sadly, the code doesn’t make it explode, but it does wipe the OnlyKey completely.
Unfortunately, it does have a significant downside, which is that the interface is very clunky. That means those who aren’t very tech-savvy might have a hard time when using it and setting everything up. While that may put some off, the advantage and unique features of the OnlyKey make up for any additional hassle you’d need to go through.
The OnlyKey is also lacking NFC and Bluetooth, and is a bit bulkier than the other choices on this list. These aren’t necessarily deal-breakers, but it is something to consider.
Best Key & Password Manager Combo
CryptoTrust OnlyKey
The OnlyKey is unique in that it can handle three-factor authentication completely internally through its onboard password manager. While it’s a bit bulky and the UI is clunky, it’s still an excellent security key.
Best Open-Source Security Key: Nitrokey 3A NFC
Pros
- ✓ NFC for remote security
- ✓ Wide range of security protocols
- ✓ Fully open-source
- ✓ Several advanced features and tools
Cons
- ✗ Fairly expensive
Choosing to use an open-source hardware security key has several attractive benefits, not least of which is the ability to view the source code to ensure you are happy with what’s going on under the hood. The Nitrokey 3A is not only fully open-source, but also packed with advanced features often found only in proprietary security keys.
The Nitrokey 3 supports a wide variety of security protocols, including FIDO2, WebAuthn, GnuPG, OpenPGP, and the older FIDO U2F. That means it covers most of the services that might need to be secured, including browsing and email.
Aside from the main security protocols, you can also access One-Time Passwords (OTP), Two-factor Authentication (2FA), and a built-in password manager. Not all of these will be available out of the box, but they can be easily added with a simple firmware update.
Unlike earlier versions of the Nitrokey, you also get NFC. This means you can use it to secure mobile devices without using a USB-A to USB-C/Lightning port adapter. The addition of NFC, as well as the hardware touch button, pushes up the price closer to that of some of the premium Yubikeys on this list, but there are non-NFC versions available if you don’t need the remote access capability.
If open-source is important to you in a hardware security key, and you don’t mind paying a bit more for those advanced features, the Nitrokey 3 is a brilliant choice for securing your desktop and mobile devices.
Best Open-Source Security Key
Nitrokey 3A NFC
A brilliant, open-source hardware security key which offers a wide range of security options, advanced features and remote access through NFC. If you want open-source, you can’t do much better than this.