Everything You Need to Know About Hardware Security Keys

From phishing to database breaches, protecting yourself online is becoming increasingly difficult these days. Hardware security keys are a viable solution that adds an extra layer of protection to your online accounts. This article will cover how hardware security keys work, their pros and cons, and common issues to help you decide if they’re the right device for you.

What is a hardware security key?

A hardware security key is a small, highly secure device that serves as an additional “factor” to a multi-factor authentication (MFA) setup. Similar to a traditional OTP, a hardware security key ensures that bad guys can’t access your online accounts even if they have your login information.

Hardware security keys typically come in the form of NFC- enabled smart cards or USB sticks that you can plug into your PC. Some keys, like the popular Yubikey 5 NFC, offer a combination of USB and NFC, allowing you to use the device on both your computer and your mobile device.

How hardware security keys work

Essentially, a hardware security key uses public key cryptography to authenticate your login credentials. When you first configure the key with a compatible website or app, it generates a pair of cryptographic keys specific to that service. The key stores the private portion of that key pair in its “security chip,” while the service takes the public portion and stores it on its servers.

After you successfully log in, your website or app will prompt you to plug the key into your device or detect the key via NFC. The service will send data to your key, which needs to be signed with your private key. The service will then take that data and verify that the data was correctly signed by your private key using its public key.

Do all services allow the use of hardware security keys?

For most major online services, hardware security keys should work. While support isn’t guaranteed outright, you can expect popular platforms like Google, Amazon, and X to support hardware security keys. For example, you can add Yubikey support in X by going to the Security and Account Access section of the Account Settings page .

Additionally, support is often on a case-by-case basis. This is because the platform itself is responsible for adding and providing support for hardware security keys. Therefore, you should consider the sites you visit and whether they support this MFA method before making a purchase decision.

Comparing hardware security keys to other MFA methods

Hardware Security Keys vs SMS and Email MFA

One benefit of using hardware security keys over traditional SMS and Email MFA is that it is a seamless way to verify your identity. It does not rely on OTP codes, meaning no user intervention is required to log in to your account. This not only prevents phishing attacks but also speeds up the login process.

However, this seamless approach comes at a steep price. Most hardware security keys today cost between $30 and $80, with the cheaper ones only being usable for specific applications. SMS and Email MFA, on the other hand, leverages devices you already have. This effectively brings the cost of SMS and Email MFA down to zero, making it a very affordable way to protect your accounts.

Hardware Security Keys vs. Authenticator Apps

Just like SMS and Email MFA, authenticator apps also suffer from the same core issues when compared to hardware security keys. It relies on OTP, which makes it vulnerable to phishing attacks.

However, most authenticator apps use the RFC 6238 (TOTP) standard, making it one of the most accessible MFA methods available today. This means that there is a good chance that the website you visit has an option to enable TOTP. This is also an advantage over hardware security keys, as not all websites may support their FIDO2 standard.

Hardware security keys vs. biometrics

While hardware security keys and biometric locks offer similar levels of security and convenience, they differ in a few important ways. First, biometric locks can only be used on the device where they are stored. Touch ID , for example, can only allow logins on your iPhone. This severely limits what a biometric lock can do, especially when compared to a hardware security key.

Biometric locks are also often more convenient and easier to use than hardware security locks. Biometric locks don’t involve any external devices and take advantage of what you already have. They also don’t rely on OTPs, making them resistant to phishing attacks.

What happens when you lose your hardware security key?

One of the strengths of a hardware security key is also its weakness. As a physical object, you can lose the key, which can be a concern if you rely on your hardware security key to log in to important things like online banking.

When this happens, it's important to remember that most locks have some protection against unauthorized access. For example, the Yubikey 5 requires the user to set a PIN and has a mechanism to erase itself after multiple incorrect PIN entries.

Additionally, hardware security keys do not store sensitive information like your username and password. They also store private keys on a secure chip, making it impossible for bad guys to extract them.