Hardware security keys — small USB or NFC devices like YubiKey — are the strongest form of two-factor authentication available to consumers. They're completely immune to phishing, can't be remotely compromised, and cost less than $50. So why doesn't everyone use one?
How hardware keys work
A hardware key stores a cryptographic private key that never leaves the device. When you log in, the website sends a challenge; your key signs it with the private key and returns the signature. The website verifies the signature with your stored public key. Crucially, each credential is cryptographically bound to the exact domain it was registered on, and the browser, not the page, tells the key which domain is asking. The key will not respond to phishing sites, even perfect clones of the real thing.
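The challenge-and-signature exchange described above, as an added example that is not part of the original article: a simulated key and the website-side checks in Node.js, using a simplified model of the WebAuthn/FIDO2 assertion layout. The domains example.com and examp1e.com and all function names are constructed for illustration.

```javascript
// Added example (not from the article): simulated security key plus website-side checks.
const nodeCrypto = require("node:crypto");
const sha256 = (data) => nodeCrypto.createHash("sha256").update(data).digest();
const signedBytes = (authData, clientDataJSON) => Buffer.concat([authData, sha256(clientDataJSON)]);
// Simulated key: one P-256 key pair per domain (relying-party ID); private keys stay in here.
function makeSecurityKey() {
  const credentials = new Map();
  return {
    register(rpId) {
      const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
      credentials.set(rpId, privateKey);
      return publicKey; // the only thing the website stores
    },
    getAssertion(rpId, origin, challenge) { // rpId and origin come from the browser, not the page
      const privateKey = credentials.get(rpId);
      if (!privateKey) return null; // no credential for this domain: nothing is signed
      const clientData = { type: "webauthn.get", challenge: challenge.toString("base64url"), origin };
      const clientDataJSON = Buffer.from(JSON.stringify(clientData));
      // authenticatorData = SHA-256(rpId) || flags (0x01 = user present) || counter (left at 0)
      const authData = Buffer.concat([sha256(rpId), Buffer.from([0x01]), Buffer.alloc(4)]);
      const signature = nodeCrypto.sign("sha256", signedBytes(authData, clientDataJSON), privateKey);
      return { clientDataJSON, authData, signature };
    },
  };
}

// Website side: returns "ok" or the name of the first check that failed.
function verifyAssertion(expected, publicKey, assertion) {
  if (!assertion) return "no assertion";
  const client = JSON.parse(assertion.clientDataJSON.toString("utf8"));
  if (client.type !== "webauthn.get") return "wrong type";
  if (client.challenge !== expected.challenge.toString("base64url")) return "challenge mismatch";
  if (client.origin !== expected.origin) return "origin mismatch";
  if (!assertion.authData.subarray(0, 32).equals(sha256(expected.rpId))) return "rpIdHash mismatch";
  const signed = signedBytes(assertion.authData, assertion.clientDataJSON);
  return nodeCrypto.verify("sha256", signed, publicKey, assertion.signature) ? "ok" : "bad signature";
}

// Constructed demo: example.com is the registered site, examp1e.com a look-alike domain.
function demo() {
  const key = makeSecurityKey();
  const publicKey = key.register("example.com");
  const expected = { rpId: "example.com", origin: "https://example.com", challenge: nodeCrypto.randomBytes(32) };
  const genuine = key.getAssertion("example.com", "https://example.com", expected.challenge);
  const lookalike = key.getAssertion("examp1e.com", "https://examp1e.com", expected.challenge);
  return { genuine: verifyAssertion(expected, publicKey, genuine),
    lookalike: verifyAssertion(expected, publicKey, lookalike),
    replayed: verifyAssertion({ ...expected, challenge: nodeCrypto.randomBytes(32) }, publicKey, genuine) };
}
```

`demo()` returns the outcome of a genuine login, a request from the look-alike domain, and an old assertion replayed against a fresh challenge.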
Why they're better than authenticator apps
- Phishing-proof — the key verifies the domain, so a fake login page gets nothing
- No codes to intercept — there's no 6-digit code an attacker could steal in real time
- No software to compromise — malware on your computer can't extract the key
- Faster to use — one tap or plug-in, no code entry
Popular options
YubiKey 5 Series (~$50)
The industry standard. Works with USB-A, USB-C, NFC. Compatible with thousands of services. Extremely durable. Our top recommendation.
Google Titan Key (~$30)
Made by Google, solid security, available in USB-C and NFC versions. Good option if you're heavily invested in Google services.
Thetis FIDO2 (~$25)
Budget option, FIDO2 compliant, rotating protective cover. Good entry point if you want to try hardware keys without paying YubiKey prices.
OnlyKey (~$47)
Open source hardware and firmware, PIN-protected, stores multiple credentials. Best for users who want maximum transparency and control.
Who should buy one?
Hardware keys are particularly valuable for: people who handle sensitive work data, journalists or activists at high risk of targeted attacks, anyone who has been phished before, and anyone who wants the highest possible security on their email and password manager accounts. For average users, an authenticator app is sufficient — but a key is never overkill.
⚠️ Buy two: Always buy at least two hardware keys and register both on each important account. If you lose or break your only key and have no backup, you could be locked out permanently.
✅ Getting started: Buy a YubiKey 5C NFC (~$55). Register it on your Google/email account and password manager first. Then work through your other accounts. Keep the second key somewhere safe as a backup.