The Best Security Key for Multi-Factor Authentication

While the most familiar form of 2FA is a one-time-use code texted to your phone, the most secure version is a physical security key that serves ... Weindependentlyrevieweverythingwerecommend.Whenyoubuythroughourlinks,wemayearnacommission.Learnmore›Updates We’veaddedanFAQsectionandcombedthroughthisguidetoensureit’suptodate.Nopickshavechanged.Agoodpasswordmanageristhefirststeptoonlinesecurity,butnotthelast.Whentwo-factorauthentication(2FA)isavailable,youshouldusethatwithyouronlineaccounts,too.Whilethemostfamiliarformof2FAisaone-time-usecodetextedtoyourphone,themostsecureversionisaphysicalsecuritykeythatservesthatpurposeinstead.Withasecuritykey,nobodycangetintotheaccountswhereyousetitupunlesstheyhavebothyourpasswordandphysicalaccesstothekey.TheYubicoSecurityKey,whichisavailableforbothUSB-AandUSB-Cports,hasthebestcombinationofcompatibility,usability,andsecurityofanykeywetested.OurpickYubicoSecurityKeyThebestsecuritykeysYubico’sSecurityKeyseriesoffersstrongaccountsecurityandexcellentdocumentationfornewcomers.It’savailableforUSB-AandUSB-Cports(andbothversionsworkwithNFCdevicessuchasphones),butitdoesn’tsupportadvancedprotocolsthatsomeaccountsmayrequire,soit’slessfuture-proofthanourupgradepick.BuyingOptions$25fromAmazon(USB-A)$25fromYubico(USB-A)TheYubicoSecurityKeyseriessupportsawidearrayofprotocolsandiscompatiblewithmostoftheonlineservicesthatpeopleuse,includingGoogle,GitHub,andDropbox.It’savailableforUSB-CportsastheYubicoSecurityKeyCNFCandforUSB-AportsastheYubicoSecurityKeyNFC.Thesekeysoffermostofthesamebenefitsasourupgradepick,theYubiKey5Series,atafractionoftheprice.AfteryearsoftestingtheSecurityKeysandkeepingthemonourkeychains,we’vefoundthemdurableandreliable.Yubicoalsoprovidesthebestdocumentationwe’veseenfromanysecuritykeymaker,anditsexcellentintroductoryexperienceeasestheprocessfornewcomers.TheYubicoSecurityKeysdon’tsupportmoreadvancedprotocolssuchasOpenPGP,smartcard,andOTP,butifyoudon’tknowwhatthoseprotocolsare,youprobablydon’tneedthem.AdvertisementUpgradepickYubicoYubiKey5SeriesMorefeatures,buttwicethepriceTheYubiKey5Serieshasversionstofiteverymoderndevice,aswellaspremiumfeaturesforadvanceduse.BuyingOptionsBuyfromAmazonBuyfromYubicoTheYubicoYubiKey5SeriessupportsawiderarrayofsecurityprotocolsthantheSecurityKeyseries,whichmakesitcompatiblewithmoreonlineaccounts.Comparedwithnearlyeveryothersecuritykey,the5Seriesalsooffersmoreconnectionoptions,includingUSB-A,USB-C,USB-CwithNFC,andadual-headedUSB-CandLightning-portmodel.Theyalsocomeasthumbnail-sizednanokeysmeanttoliveinyourcomputermorepermanently,incontrasttothestandardkeyshape,whichsticksoutoftheport.Overyearsoftesting,they’veproventobeasdurableastheSecurityKeys,andtheyhavethesameexcellentdocumentation.TheYubiKey5SeriesmodelscanbemorethantwicethepriceoftheYubicoSecurityKeys,buttheirrobustcompatibilitywithmoredevicesandaccountsmakesthemworththehigherprice.EverythingwerecommendOurpickYubicoSecurityKeyThebestsecuritykeysYubico’sSecurityKeyseriesoffersstrongaccountsecurityandexcellentdocumentationfornewcomers.It’savailableforUSB-AandUSB-Cports(andbothversionsworkwithNFCdevicessuchasphones),butitdoesn’tsupportadvancedprotocolsthatsomeaccountsmayrequire,soit’slessfuture-proofthanourupgradepick.BuyingOptions$25fromAmazon(USB-A)$25fromYubico(USB-A)UpgradepickYubicoYubiKey5SeriesMorefeatures,buttwicethepriceTheYubiKey5Serieshasversionstofiteverymoderndevice,aswellaspremiumfeaturesforadvanceduse.BuyingOptionsBuyfromAmazonBuyfromYubicoWhyyoushouldtrustusWhothisisforHowwepickedandtestedOurpick:YubicoSecurityKeyFlawsbutnotdealbreakersUpgradepick:YubicoYubiKey5SeriesHowtosetupanduseasecuritykeyWhattolookforwardtoThecompetitionFrequentlyaskedquestionsSourcesWhyyoushouldtrustusWereadthrougharticles,reviewsites,customerreviews,andtechnicalpapersdissectingsecuritykeysandthesecuritystandardstheyuse.WealsointerviewedDrewPorter,founderandpresidentofsecurityconsultancyRedMesa,todiscusswhoneedshardware-basedsecuritykeys,whattolookforintheirsecurityprotocolsandpractices,andhowpastrecallsaffecttrustworthiness.AfterselectingYubico’skeysaspicksforthisguide,wespokewithYubico’schiefengineeringofficer,ChristopherHarrell,togetmoreinformationonthebenefitsofhardwaresecuritykeys,thelimitationsofspecificmodels,andthewaysinwhichtheecosystemischanging.ThorinKlosowskiisWirecutter’sprivacyandsecurityeditor.PriortoWirecutter,hewroteforLifehacker,andinbothpublicationshehassoughttomakecomplicatedtechnologyeasytounderstandanduse.YaelGrauerdidtheinitialtestingforthisguideandwrotetheoriginalrecommendationsinthespringof2020.ShehaswrittenaboutonlineprivacyandsecurityforWired,Vice,BreakerMag,TheIntercept,Slate/FutureTense,ArsTechnica,andmore,andshenowcoversthecategoryfortheConsumerReportsDigitalLab.ShecollaboratedwiththeElectronicsFrontierFoundationonitsStreet-LevelSurveillanceprojectandwrotecurriculaforTrollBusters,ajust-in-timerescueserviceforwomenwritersandjournalistswhoareexperiencingonlineharassment.Shehasalsoco-organizedevents,taughtworkshops,andspokenonpanelsaboutdigitalsecurityandsourceprotection.WhothisisforVideo:RozetteRagoIfyou’renewtomulti-factorauthentication,here’showthetypicalnew-loginprocessworkswhenyou’veregisteredasecuritykeywithawebsiteorapp:Youheadtothewebsiteorappandthentypeinyourusernameandpassword.Thesiteorappasksyoutoconnectyourkey.Youdosobyeitherpluggingthekeyintoaportonyourcomputerorphone,orholdingitnearthetopofyourphoneifitsupportsNFC.Youtriggerthekeybytappingapieceofcapacitivemetalorclickingabutton.Whetheryou’regoingonlinetoshop,bank,checkyouremail,orusesocialmedia,youshouldbeusingmulti-factorauthenticationtosecureyouraccounts.Addinganextralayer(orlayers)ofsecuritytoyouraccountsmakesitmoredifficultforanattackertocompromisethem.TheNationalInstituteofStandardsandTechnology(NIST)recommendsusingsomeformofmulti-factorauthentication,andyoumayalreadyhaveasecondfactor,suchasreceivingaone-timecodeviaSMSmessagesorusinganauthenticatorapplikeAuthy.Butwhenitcomestosecuringaccountsandpasswords,securitykeysofferthestrongestlayerofprotection.Akeyprovidesanincreaseinsecurityoverjustapassword,anditcanprotectagainstspecifictypesofphishingthattrytostealtwo-factorauthenticationcodes.Mostpeopleshoulduseasecuritykeyforasmanyaccountsthatsupportit,andthekeysinthisguideshouldworkforbothpersonalandbusinessaccounts(unlessyou’reagovernmentorregulated-industryemployee,inwhichcaseyou’lllikelyhavedifferentkeys,suchastheYubicoYubiKey5FIPSSeries).Multi-factorauthenticationworksbyrequiringthepresentationofmultiplelayersofevidence,orfactors,beforeallowingaccesstoanaccount.Whatthefactorsarecanvary,buttheygenerallyfitintooneofthreecategories:somethingyouknow(suchasapasswordorPIN)somethingyouhave(suchasasecuritykeyorphone)somethingyouare(biometricssuchasafingerprintreader,facescan,irisscan,orvoicerecognition)Securitycodessentbytextmessageshavetheirownsetofissues,andwhileauthenticatorappsarepreferabletoSMS,securitykeysprovidethestrongestprotectionagainstphishingattacks.Forexample,ifyouweretotaponaspoofedwebsitelinksenttoyouinatextmessage,anattackercontrollingthatsitemaygetyourusername,password,andauthenticationcodeafteryoutypeitallin—butthatcan’thappenwithaphysicalkey.Plus,securitykeysareeasiertouseatacomputerthanfussingwithyourphone.Somesecuritykeys,includingourpicks,alsosupport“passwordlesslogin,”whereyoudon’tevenneedapassword,justthephysicalkeyitself,tologin.ThemostnotablecompanythatcurrentlysupportsthistypeofloginisMicrosoft.“Itishardertocompromiseahardwaretokenthanadigitalphone,becausenoteveryonehasperfectinsighttoeverythingthat’shappeningorgoingonintheirphone,”saidDrewPorter,founderandpresidentofRedMesa.“Mostpeopledon’tmonitoreverythingthatishappeningontheirphone,andthereforetheycan’tknowwhethertheirphoneiscompromised.”Werecommendhavingatleastonebackupsecuritykeytouseincaseyouloseyourmainone.“PeopledoalotofcampaignsaroundphishingeducationandaroundteachingpeopletobecarefulabouttheURLbarinthebrowser,butitturnsoutwe’rehuman,”saidYubico’schiefengineeringofficer,ChristopherHarrell.“Wehaveotherpriorities,andourattentionislimited.”Securitykeysdotheheavyliftingofmakingsurethesitesyou’retryingtologintoareauthentic,soyoudon’thavetobeasmeticulousaboutnoticinganythingoff.Asanexample,Porternotedthatalotofpeoplemindlesslytapthrough“Didyousignin?”pushnotificationsontheirphonesevenwhentheyshouldn’t,anissuethatwouldn’tcomeupiftheywerelogginginusingasecuritykey.Werecommendhavingatleastonebackupsecuritykeytouseincaseyouloseyourmainone.Withmostservices,youcanregistermultiplekeys,whichyoushoulddoinadvance;thatway,ifyouloseyourmainkey,youcanloginwithabackup.Ifyoudon’thaveabackup,insomecasesyoucouldbelockedoutofanaccount.Differentsiteshavedifferentrecoverymechanisms,includingauthenticatorapps,SMS-basedrecoverykeys,andbackupcodes(one-timerecoverycodesyoucanstoresomewhere).Notallsitesandservicessupportsecuritykeys,but1Password,Bitwarden,Dropbox,Facebook,Google,Microsoft,andTwitterdo.Toseewhichservicesoffersecuritykeysasanauthenticationoption,lookforacheckmarkunder“HardwareToken”onthe2FADirectorysite.Althoughsecuritykeysaremoresecurethanauthenticatorapps,they’renotthebestchoiceforpeoplewhotendtolosethings.Mostpeopleshouldhaveatleasttwosecuritykeys:oneforeverydayuseandabackupkeythatcanstaysomewheresecure,suchasinasafe,ifyouloseyoureverydaykey.Somepeoplemaywantadditionalkeysfordifferentdevices.Additionally,thesecuritykeyecosystemhassomeroughedges.Noteverytypeofkeyworksseamlesslyonamobilephone,forexample,andsomeappsreverttoauthenticatorappsinsomecircumstances.Securitykeyscanbetrickytosetup,sopeoplewithoutthepatiencetodososhouldsticktoauthenticatorapps.Butoncesecuritykeysaresetupandinactualuse,we’vefoundthemtobemucheasiertouseinpracticethanauthenticatorappsbecausethere’snowonkycopyandpastingrequired,norisitnecessarytoscrollthroughcodestofindtheoneyou’relookingfor.Securitykeysaren’tperfect.Oneresearchpaper(PDF)showedhowahackercouldclonesomesecuritykeys,makingitsothattheycouldtheoreticallylogintoanyaccountsprotectedbytheoriginalkey.Theattackrequiresphysicalaccesstothekey,about$12,000worthofequipment,andatleast10hours,butitillustrateshoweventhemostsecureproductscanhaveissues.TheresearchersperformedtheirattackontheGoogleTitankeybutnoteintheirpaperthatotherhardwareusingthesamechipmayalsobevulnerable;thatgroupincludesanolderYubicomodel,theYubiKeyNeo,andseveralkeysmadebyFeitian.HowwepickedandtestedPhoto:RozetteRagoAsecuritykeydoesn’tneedtohavealotoffeaturestobeuseful,butonethat’sdesignedbadlycanbedifficulttouse.Followingarethefeaturesthatwefoundthroughourresearchtobemostimportant:Securityprotocols:Sincehardwarekeysareasecurityitem,wedugintoeachcompany’strackrecordonpreviousrecallsandlookedatwhetherthecompanyhadacoordinatedvulnerability-disclosureprogramtoallowsecurityresearcherstoreportbugs.Future-proofsupportformultiplestandards:Wefocusedonkeyssupportingthenewestsetofspecifications,suchasFIDO2.Thismeansthattheysupportmoreapplicationsandwebsites,anditsuggeststhattheyarelesslikelytoneedreplacing.Securitykeystypicallyhavenomovingpartsandaredurable,soyou’llprobablyusethesamekeysformanyyears.Consistencyandcompatibility:Welookedforsecuritykeysthatworkedasconsistentlyaspossiblewitheachoftheserviceswetestedthemwith.WepreferredsecuritykeysthatcamewithavarietyofconnectionoptionssotheycouldworkonbothAndroidandiOS,aswellasbothWindowsandmacOScomputers.Setupanduserexperience:Wewantedsecuritykeysthatwereeasytosetupanduse.Customersupport:Welookedatthetypesofsupporteachcompanyoffered,aswellashowmuchdocumentationwasavailableonitswebsitebothforsettingupkeysandfortroubleshooting.Wepreferredcompaniesthatwerewellknownandhadbeenaroundforawhile,anindicatorofcontinuedsupportinthefuture.Portabilityanddurability:Weputthekeyswetestedthroughthetypeofwearandtearthatcanbeexpectedoveranormaldayofuse,includingtossingthemaroundonakeychainanddroppingthemintothebottomofabag,andwelookedforanypartsthatseemedasiftheycouldeasilysnaporbreakofftooquicklywithuse.Welookedatwhetherthenecessarycomponentswerewellprotected.Somecompaniesalsomakesmaller,“nano”-sizekeysthatfitflushwithyourcomputer’sUSBport.Thesedesignsareusefulifyouworkonlyonacomputer,butthey’reapaintouseonmobiledevices.Mostpeoplearelikelytowantatleastoneportablekeywithakeychainloop.Cost:Securitykeyscancostanywherebetween$20and$70orso.Foraround$20to$40,yougetadurablekeythat’scompatiblewithmostservicesbutdoesn’tofferasmanyconnectivityoptions.Whenyoupaymore,youtypicallygetmoreconnectivityoptions,suchasUSB-CandLightning,alongsideaddedfeaturesliketheabilitytouseyourkeytologintoyourcomputer.Wedismissedsecuritykeysthathadlimitedownerreviewsorthatweredesignedspecificallyforgovernmentuse(suchastheYubicoYubiKey5FIPSSeries).Goingbytheabovecriteria,wetestedYubico’sSecurityKey,SecurityKeyNFC,SecurityKeyCNFC,andYubiKey5C,5CNFC,5Ci,and5NFC;Google’sTitanSecurityKeys(USB-A/NFCSecurityKeyandUSB-C/NFCSecurityKey);Thetis’sFIDOU2FandBLEU2FSecurityKeys;andSoloKeys’sSoloUSB-C,SoloUSB-A,SoloTapUSB-C,andSoloTapUSB-Amodels.Wetestedthesetupofeachkeywithvariousapps,notingissuesalongtheway.Weranoverallthekeysacoupleoftimeswithacartomakesuretheyweredurableenoughtowithstandsuchpunishment,andthenwetossedthemintoawashertomakesurethey’dstillworkincaseyouleaveyoursinyourpocket.OncewesettledonYubicokeysasourpicks,wereachedouttothecompanyforadditionaldetailsonfeaturesandcompatibility.Ourpick:YubicoSecurityKeyPhoto:RozetteRagoOurpickYubicoSecurityKeyThebestsecuritykeysYubico’sSecurityKeyseriesoffersstrongaccountsecurityandexcellentdocumentationfornewcomers.It’savailableforUSB-AandUSB-Cports(andbothversionsworkwithNFCdevicessuchasphones),butitdoesn’tsupportadvancedprotocolsthatsomeaccountsmayrequire,soit’slessfuture-proofthanourupgradepick.BuyingOptions$25fromAmazon(USB-A)$25fromYubico(USB-A)ThebestsecuritykeyformostpeopleistheYubicoSecurityKey,whichcomesintwoforms:theYubicoSecurityKeyNFC(USB-A)andtheYubicoSecurityKeyCNFC(USB-C).Thesesecuritykeysworkwithmostdevices,includingphonesandlaptops.Theyfeatureallthesecurityprotocolsnecessarytoworkwithawidearrayofwebservicesthatmostpeopleuse,including1Password,Bitwarden,Google,Microsoft,andplentymore.Yubico’sdocumentationandsupportisthebestwe’veseen,andthekeyshaveprovendurableoveryearsoftesting.Pricedunder$30,they’reaffordableenoughthatyoucanbuyacouple(whichwerecommend,soyouhaveabackup)withoutspendingtoomuch,especiallyconsideringthere’snoreasontheywon’tlastformanyyears.Insomecases,expertssuggest,programsandsecuritykeysthatuseopen-sourcesoftware,whichallowsanyonetoreviewtheprogram’scode,aremoresecure.AllYubicokeysareclosedsource,butthecompanyhasbuilttrustarounditssecuritypracticesinotherways,includinginternalandthird-partysecurityassessmentsofitscodeforeverymajorrelease.WhenYubicohadavulnerabilityinitsYubiKeyFIPSSeriesofkeys(usedbygovernmentagencies)inJune2019,thecompanyreplacedaffecteddevices.Italsoproactivelylistssecurityadvisoriesandmitigationsonitswebsite.Yubicohasvideosandlinkstoinstructionsforservicesthatyoumightwanttouseyoursecuritykeywith,includingalist(withvisuals)ofwhichkeyworkswiththeprogram.TheYubicoSecurityKeysmeetFIDO2standardsandsupportU2F,WebAuthn,andCTAP1and2,whichmakesthemcompatiblewithmostwebservicesthatsupportsecuritykeys,includingmoreforward-lookingfeaturessuchasMicrosoft’spasswordlesslogin.ThestandardSecurityKeysdon’toffersomeoftheoptionsforsuper-technicalfolkswhomightwantto,say,putaGPGkeyinhardware,orforenterpriseuserswhowantakeythatworkswithPIVsmartcardsforActiveDirectory,orforSSHorS/MIME.Ifyouaren’tfamiliarwiththoseterms,you’reunlikelytomisstheadvancedfeaturesofthemoreexpensive5Series.EachSecurityKeymodelfitseitheraUSB-AorUSB-Cport,andmostphonessupportNFC,sothekeysshouldworkfineformostdevices.Getwhicheverkeyfitsintotheportonyourcomputer.Ifyouneedmoreoptions,suchasLightningforaphysicalconnectiontoaniPhone(orcertainmodelsofiPad),orifyouwantthumbnail-sizedkeysthatdon’tstickout,gowiththeYubiKey5Series.YubicoSecurityKeyYubicoYubiKey5SeriesGoogleTitanSecurityKeysTOTPcodestorageNoYesNoPasswordlessloginsupportYesYesNoComputerloginsupportNoYesNoCertificationsFIDO(U2F),FIDO2FIDO(U2F),FIDO2FIDO(U2F)ProtocolsupportWebAuthn,CTAP1,CTAP2,U2FWebAuthn,CTAP1,CTAP2,U2F,smartcard,YubicoOTP,OATH(HOTP/TOTP),OpenPGP,securestaticpasswordsU2F,CTAP1VersionsUSB-A(NFC),USB-C(NFC)USB-A(NFC),USB-C(NFC),Lightning,USB-C,USB-A(Nano),USB-C(Nano)USB-A(NFC),USB-C(NFC)CountryoforiginUSA,SwedenUSA,SwedenChinaTheYubicoSecurityKeycanhandlethemajorityofonlineaccountsmostpeopleneed,butthe5Seriessupportsafewprotocolsformostadvanceduses.Inordertouseanysecuritykey,youhavetosetitupandpairitwitheachindividualonlineaccount.Setuponanaccounttakesonlyacoupleofminutes,butfindingtherightplacetodosocanrequiresomedetectivework.Helpfully,Yubico’sdocumentationisextensive:Inadditiontoasetuppage,Yubicohasvideosandlinkstoinstructionsforservicesthatyoumightwanttouseyoursecuritykeywith,includingalist(withvisuals)ofwhichkeyworkswiththeprogram,informationonsecurity-protocolsupport,desktopandlaptopplatformsupport,mobilesupport,browsersupport,andanyspecialoffers.Thisdocumentationisfarmorecomprehensivethanwhatwe’veseenfromthecompetition.Thekeyswerestillusableafterweranthemoverandputthemthroughthewashingmachine.Video:RozetteRagoMostofYubico’sfull-sizekeysarewaterresistantandcrushresistant.Likeotherkeyswetested,boththeYubicoSecurityKeysandthe5Seriesheldupwellforusinourregulartesting,andtheystillworkedfineafterweranthemoverwithacarandputthemthroughacycleinawashingmachine.Allofthemwereeasytocarryaroundonakeychain,too.Aftermorethantwoyearsofuse,thekeyshangingonourkeychainsstilllooknearlybrand-newandcontinuetowork.TheyhadthesamedurabilityresultsintestsconductedbyFreedomofthePressFoundationdigitalsecuritytrainerDavidHuerta.At$25andnearly$30fortheUSB-AandUSB-Cmodels,respectively,theYubicoSecurityKeysarecheaperthanGoogle’ssimilarlystyledTitanSecurityKeysandnearlyhalfthepriceofmostmodelsintheYubicoYubiKey5Series.TheYubicoSecurityKeyslackthenice-to-havefeaturesofthe5Series,suchasmultipleconnectionoptions,computerlogin,andsupportfortime-basedone-timepasswordsontheYubicoAuthenticatorapp.Butmostpeopledon’tneedthoseextrafeaturesenoughtojustifytheincreaseinpricefora5Seriesmodel.FlawsbutnotdealbreakersForthemostpart,wefoundtheexperienceofusingasecuritykeyonbothWindowsandMaclaptopsstraightforward,butcompatibilityissuesstillaffectcertainbrowsers,andsomesoftwaredoesnotsupportkeysdirectly,soyoutoomightrunintoissues.Supportonmobiledeviceshasexpandedoverthepastfewyears,butwestillencounteredquirkswithkeysonbothAndroidandiOS;forexample,onbothplatforms,youcanuseakeytologintoDropboxfromyoursmartphone’sbrowser,butnottheDropboxapp.We’veseenimprovementsinotherapps,though,suchasFacebook,whichnowfullysupportskeysinitsmobileapps,andTwitter,whichwillsoonallowyoutologinwithjustthekey,nopasswordneeded.Tocompoundtheconfusion,someappsandservicesmightsupportakeywhenit’spluggedinbutnotoverNFC.Thesesortsofmismatchescanbeannoying,especiallyconsideringthatevenwhenNFCissupported,youstillhavetoholdthekeyclosetoyourphoneandcrossyourfingersinhopesthatitregisters.IfyoureallydislikefutzingaroundwithNFC,theYubiKey5Seriesmaybeabetteroption.Upgradepick:YubicoYubiKey5SeriesPhoto:RozetteRagoUpgradepickYubicoYubiKey5SeriesMorefeatures,buttwicethepriceTheYubiKey5Serieshasversionstofiteverymoderndevice,aswellaspremiumfeaturesforadvanceduse.BuyingOptionsBuyfromAmazonBuyfromYubicoIfyou’relookingforextrafeaturesandyou’recomfortabletinkeringaroundwithmoreadvancedsettingsinwebapps,getakeyintheYubicoYubiKey5Series.The5Seriesencompassesseveralmodelsandisthuscompatiblewithmoredevicesthananyotherkey,includingYubico’sSecurityKeyline.The5SerieshasthesameexcellentYubicovideowalk-throughsandsetupinstructions,andthekeysthemselvesareportableanddurable,thoughtheycostnearlytwiceasmuchasourmainpick.Determiningwhich5Serieskeyisbestforyoudependsonwhichdevicesyouown.Yubicoprovidesaquiztohelpyoufindtherightkey,butthebreakdowngoessomethinglikethis:YubiKey5NFC(alsoavailableinnon-NFCnanoform):TheYubiKey5NFChasaUSB-Aplugandnear-fieldcommunication(NFC)support,soyoucanuseitforNFC-enableddevicessuchasmostsmartphones.Althoughwedidn’ttestnano-sizekeysforthisguide,thosemodelsarebetterifyouwanttoleaveyourkeyintheUSBportofyourcomputer.YubiKey5C(alsoavailableinnanoform):TheUSB-C–onlydesigniscompatiblewithAndroidphonesaswellassomenewertablets,desktopcomputers,andlaptops.ItisnotcompatiblewithiPhones.YubiKey5CNFC:WithUSB-CandNFC,thismodelisagoodoptionifyourcomputerhasaUSB-Cportandyoudon’tneedaLightningconnector.Itworkswithmostnewerdesktopcomputersandlaptops,withsometablets(includingseveraliPadmodels),andwithAndroidandiPhone(overNFC).YubiKey5Ci:The5Cihastwodifferentsides,aUSB-CconnectorandaLightningconnector,thelatterofwhichisusedbymostApplemobiledevices.SothiskeyisbestforpeoplereliantonApplehardware,includingiPhones,iPads,andlaptops,thoughwepreferredusingtheNFCkeysoverfiddlingwiththisone;it’sstillagoodoptionifyouhaveaniPadmodelwithaLightningport.The5Seriesoffersmoreportoptionsandcombinationsthantheselectionfromeveryothercompany,includingYubico’slessexpensiveSecurityKeylineandGoogle’sTitanSecurityKeys,whichdon’thaveaLightning-portoptionforiPhoneownersandinsteadrelyonNFC.Althoughthe5Serieshaswidercompatibilitywithsmartphoneportsthanotheroptions,itstillsuffersfromthesameseeminglyrandomquirksoftheYubicoSecurityKeys.Butevenso,the5Seriessupportsmultipleprotocols,includingFIDO2,U2F,PIV,YubicoOTP,andOATHHOTP,whichhelpsensurethatit’scompatiblewithasmanyservicesaspossibleinthefuture.LookingataSecurityKeyanda5Serieskeynexttoeachother,mostpeoplewouldn’tknowthedifferencebetweenthem.Photo:RozetteRagoTheYubiKey5Seriesismoreexpensivethancompetitors,andsomeversionsaretwiceasexpensiveasthebasicYubicoSecurityKey.Butformanypeople,it’sworththehighpricebecauseit’sfuture-proofanditaddsnice-to-haveextras.YubicoSecurityKeyNFC(USB-A/NFC)$25YubicoSecurityKeyCNFC(USB-C/NFC)$30YubiKey5NFC(USB-A/NFC)$45YubiKey5CNFC(USB-C/NFC)$55YubiKey5Ci(USB-C/Lightning)$70YubiKey5Nano(USB-A)$50YubiKey5C(USB-C)$50YubiKey5CNano(USB-C)$60EvenifyouoptforaYubiKeyasyourprimarykey,consideroneoftheSecurityKeymodelsasyourbackuptocutdownonthecost.PricesareaccurateasofNovember16,2021.AlthoughsomeoftheextrasintheYubiKey5Seriesaren’tthingsmostpeoplearelikelytoneedeveryday,theyarenicetohaveforanyoneseekingthehighestlevelofsecurity.Mostnotably,the5Seriescangeneratetime-basedone-timepasscodesforupto32accounts,similartohowtheAuthyandAuthenticatormobileappswork,butthecredentialsarestoredonthekey.ThisfeaturerequiresdownloadingtheYubicoAuthenticatorapp,anditworkswithservicesthatsupportotherauthenticationappssuchasAuthy.Whenyourunintoasitewithsoftwareauthenticationbutnotkeysupport,youcanstorethosecodesonthekey.TheYubicoappwillthendisplaythosecodesonlyifthekeyisconnected,soevenifsomeonemanagedtogetyourphone,they’dstillneedthekeytoaccesstheauthenticationcodes.Noneoftheotherkeyswetested,includingthoseinYubico’scheaperSecurityKeyline,havethisfunctionality.Butusingthisfeatureputstheonusonyoutosaveallthetwo-factorbackupcodesortostorecredentialsonasecondkey,somakesureyou’recomfortabledoingso.Althoughit’sdifficulttosetup,the5SeriesalsosupportscomputerloginonWindows,Mac,andLinuxsothatnoonecanaccessyourmachinewithoutinsertingthekeyafterthesystemboots.Mostotherkeys,includingtheYubicoSecurityKeymodels,can’tdothesame.LikeYubico’sSecurityKeymodels,the5Serieskeyshaveprovenresilientoverouryearsoftesting.Afterdanglingonakeychainforacoupleofyears,theystillworkandlooknearlybrand-new.HowtosetupanduseasecuritykeyVideo:RozetteRagoTosetupyoursecuritykey,it’sbesttostartonalaptopordesktop,assomemobileappswon’tallowyoutoregisterahardwarekeytoyouraccountonyourphone.Onceyouregisterakeyonyourcomputer,itshouldsimplyworkwithyourphone.Asanexample,hereishowtosetupakeywithourfavoritepasswordmanager,1Password.Theprocessisthesameforanysecuritykeyanappsupports:Logontoyour1Passwordaccountfromyourbrowser.ClickyourprofileinthetoprightandselectMyProfile.ClickMoreactionsandselectTwo-FactorAuthentication.SelectAddSecurityKey,namethekey,andclickNext.Whenprompted,insertyoursecuritykeyandtapthebuttonorgolddisk.Youshouldseeanoticesaying“Yoursecuritykeywasregistered.”Whenyou’redone,repeattheprocesswithyourbackupkey.YoushouldalsosetupanauthenticatorappsuchasAuthyifyouhaven’talready,incaseyourunintoaninstancewhereyoucan’tuseyourkeyonamobiledevice.Theprocessismoreorlessthesameforothersupportedservices.Oncethekeyisenabled,itshouldworkautomaticallywithyoursmartphoneifthetwohaveaphysicalconnection.OnAndroidandiPhonehandsets,youcanloginusinganNFCkeybyholdingittothebackofyourphoneuntilthephonestopsbuzzing.Onaday-to-daybasis,youmaynotberequiredtouseyourhardwarekeyallthatoften.Servicesoftenconsiderdifferentriskfactorstodeterminewhethertorequireit.Somesitesmayaskyoutoinsertitwhenyou’remanagingwhatkindofauthenticationyou’reusing,whileothersmayaskyoutouseyourkeyonlywhenyou’relogginginfromanewcomputer.WhattolookforwardtoSoloKeysannouncedaredesignofitsnextgenerationofsecuritykeysthatditchesthepush-buttondesignwestruggledwithinfavoroftouch-sensitivesidebuttonssimilartothoseonYubicoandGooglekeys.SoloKeysalsohasplanstoimproveNFCperformance,addwaterproofing,andmore.Weplantotestthenewkeyswhentheybecomeavailable.ThecompetitionGoogle’sTitanSecurityKeysincludeUSB-AandUSB-Cmodels,bothwithNFCsupport.TheTitankeyssupportonlyU2F,notFIDO2,whichiscurrentlyusedbyserviceslikeMicrosoftandmaybeusedbypotential“passwordless”accountsinthefuture.Google’skeysworkwithitsAdvancedProtectionProgram,whichisusefulforactivists,journalists,political-campaignteams,orexecutives,butitsincreasedsecurityinvolvessomeusabilitytrade-offs.WhatlittledocumentationGoogleprovidesisn’tuseful,andevenjustfiguringoutwhichprotocolsandstandardsthekeymeetsrequiressignificantresearch.BothTitankeysareverysimilartoYubico’sSecurityKeymodels,thoughwefoundtheirwhiteplasticmorepronetoaccumulatingdirtwhenthekeyswereattachedtoakeychain.TheTitankeysarefineifyoualreadyhaveone,butallofYubico’soptionsaremorefuture-proof.FeitiansecuritykeyscomewithmostofthesamesecurityfeaturesandprotocolsastheYubicooptionsdo,andtheyofferavarietyofconnectivitychoices,includingUSB-CandNFCandevenafingerprintoption.FeitianisalsothecompanythatmakesGoogle’skeys.Butitsdocumentation,includingbasicinformationaboutfeaturesandsecurity,isn’tasgoodasYubico’s;somelinksonthecompany’ssiteevenleadtounfinishedpages.FeitiankeysareoftenhalfthepriceofthesimilarYubicooptions,though,andtheymaybeagood-enoughchoiceifyou’realreadyexperiencedwithsecuritykeys.BothGoogleandFeitiangotflackfromexpertsforalackoftransparencyintheproductionpipelineforthekeys,whicharemadeinChina.Wedidn’tfindanynewinformationabouttheproductionofthesekeys,noranynewsstoriessuggestingthishasbeenanissuesincethekeyswereintroducedin2018.SoloKeysarethefirstopen-sourceFIDO2securitykeys;theyallowdeveloperstocontributetotheprojectorfilebugreportsonGitHub.Buteachkeymerelyconsistsofacircuitboardandasoftsiliconecaseyouputonyourself,andinourteststhekeysdidn’tseemasdurableastheotherswetried.Plus,thecasesfortheUSB-Cversionsdidn’tfitthatwell:Insteadofjusttappingthekeytogetittowork,wehadtopressit,andwefoundthatpressingdidn’tworkeverytime.Yubico’sYubiKeyBioSeriescomesinbothUSB-CandUSB-Amodelsandfeaturesfingerprintrecognitioninsteadofasimpletouchauthentication.Thisdesignaddsanextrasecuritylayertoyourkeysinceifsomeonestealsit,theycan’tuseit.Butwithapricetagof$80to$85,theBiokeysarenotnecessaryformostpeople.WelikethephysicaldesignofThetiskeysbecauseit’saflip-outdesignthatprotectsthemainpartofthekey.Wetestedtwoofthecompany’sUSB-Akeys;bothkeys,butespeciallytheNFCkey,werebulkierthantheotherkeyswetested.Thetislacksgooddocumentation,andwecouldn’tfindanyinformationonthecompany’swebsiteregardinghowsecurityresearcherscouldreportvulnerabilities.FrequentlyaskedquestionsWhathappensifIlosemysecuritykey?Ifyouloseyoursecuritykeyyoumaybeunabletologintoanyaccountsthatrequireit.Thisiswhywerecommendregisteringtwokeys,aprimaryandabackup.Someservicesmayalsorequireanotherbackupmethod,likeanapp,textmessage,oremailauthentication.Whatsitessupportsecuritykeys?Themostpopularemailservicesandsocialnetworksallsupportsecuritykeysasasecondfactorofauthentication.Youcanfindafulllistofnearlyeverywebsitethatsupportsthemhere.WhatshouldIuseifawebsitedoesn’tsupportsecuritykeys?Ifsecuritykeysaren’tanoption,wesuggestusinganappinsteadoftextmessagesoremail,wheneverpossible.Text-messageverificationcanbecircumventedviaSIMswappingwhensomeoneusessocialengineeringtogetyourphonenumberassignedtoanewSIMsothattheycaninterceptyourSMStokens),andemailverificationisonlysecureifyouhavestrongtwo-factorauthenticationonthatemailaccount,too.CanIuseasecuritykeywithmyphone?BothAndroidandiOSsupportsecuritykeysthroughaphysicalinput(USB-CorLightning),orNFC.Butnotallappssupportthekeysforlogin,soyoumaysometimesneedtouseanothermethodonyourphone,likeanappor,lesspreferably,textmessage.SourcesDrewPorter,founderandpresidentofRedMesa,phoneandemailinterviews,December12,2019ChristopherHarrell,chiefengineeringofficeratYubico,phoneandemailinterviews,January24,2020PaulStamatiou,Gettingstartedwithsecuritykeys,PaulStamatiou.com,October21,2019StefanEtienne,TheBestHardwareSecurityKeysforTwo-FactorAuthentication,TheVerge,February22,2019ChrisHoffman,HardwareSecurityKeysKeepGettingRecalled;AreTheySafe?,How-ToGeek,June14,2019TheBestSecurityKeyReview,KeylockGuide,June6,2019BradHill,U2FReviews,GitHub,September5,2018AboutyourguidesYaelGrauerYaelGrauerisaninvestigativetechjournalistbasedinPhoenix.HerworkhasappearedinTheIntercept,Wired,ArsTechnica,Motherboard,FutureTense,OneZero,andmore.Shelikescooking,hiking,playingpuzzlegames,listeningtobluegrassmusic,andspendingtimewithherhusbandandtheirrescuechiweenie.ThorinKlosowskiThorinKlosowskiistheeditorofprivacyandsecuritytopicsatWirecutter.Hehasbeenwritingabouttechnologyforoveradecade,withanemphasisonlearningbydoing—whichistosay,breakingthingsasoftenaspossibletoseehowtheywork.Forbetterorworse,heappliesthatsameDIYapproachtohisreporting.FurtherreadingBackUpandSecureYourDigitalLifebyHaleyPerryFrompasswordmanagerstobackupsoftware,herearetheappsandserviceseveryoneneedstoprotectthemselvesfromsecuritybreachesanddataloss.TheBestPasswordManagersbyAndrewCunninghamandThorinKlosowskiEveryoneshoulduseapasswordmanager,andafterresearchingdozensandtestingsix,werecommend1Passwordbecauseit’ssecureandeasytouse.Step1toSimpleOnlineSecurity:AlwaysUseStrongPasswordsbyThorinKlosowskiReusingpasswordsincreasesthelikelihoodofsomeoneelseaccessingyouraccounts.Herearesometipsformaintainingstrongpasswords.SimpleOnlineSecurityforSellingorDonatingDevicesbyThorinKlosowskiBeforeyougetridofphones,laptops,orothergadgets,makesureyou’renothandingyourdatatostrangers.EditDismiss