
The best hardware security keys for two-factor authentication

Keep your virtual life secure with a physical key

If you buy something from a Verge link, Vox Media may earn a commission. See our ethics statement.

Update May 15, 2019, 2:50PM ET: This article has been updated to include information on the vulnerability discovered in certain models of the Titan Key.

When it comes to protecting your data, SMS-based or app-based two-factor authentication using your smartphone is more secure than depending only on passwords. But it can also be time-consuming to set up and use. Hardware-based security keys provide a fast, no-fuss way to use two-factor authentication without having to mess around with your phone. They are based on the FIDO U2F standard, a security protocol that is difficult to intercept; it was developed by Google and security company Yubico, and is now administered by the FIDO Alliance.

While Yubico helped develop the standard, it is not the only company that produces security keys, so it’s wise to shop around. A lot of what makes buying a security key tricky is first figuring out which device(s) you plan to use it with. Yubico offers different keys for devices with USB-A, USB-C, or NFC connections, while Google offers one that uses Bluetooth. You should also check out whether your apps support the U2F standard. (Yubico has a list of apps that work with its key; since most keys use the same standard, they should also work with those services.)

Unfortunately, while you can use a key to authenticate a macOS system, there is not yet a key that will get you into Windows — unless you’re fond of the Edge browser. The new FIDO2 standard, which was built to enable password-free authentication, can use Windows Hello together with Microsoft’s Edge browser to authenticate Windows, if the key supports it.

Otherwise, it’s best to go with a security key that is simple to set up, convenient to carry, and will keep your various apps safe and secure.

The best security key for most people: YubiKey 5 NFC

Yubico’s YubiKey 5 NFC — which uses both a USB-A connector and wireless NFC — is the best key for logging into your online accounts, services, macOS computers, Android devices, and the iPhone 7 and up. I’ve never had any issues using it in a USB-A port, or with a mobile device using the NFC feature. The YubiKey 5 NFC supports a plethora of security standards, including OTP, Smart Card, OpenPGP, FIDO U2F, and FIDO2.

The key itself is “made in the USA and Sweden,” and comes packaged in a simple cardboard and plastic container. It has a single, easily identifiable gold disk for you to press when you want to confirm your sign-in and includes a keyhole ring to use with a keychain so you don’t lose your valuable security key. It’s also incredibly durable, waterproof, and crush resistant. I’ve been carrying this key around in my pocket, attached to a keychain, and bouncing around inside my backpack, and it hasn’t had any noticeable damage.

Yubico sells the YubiKey 5 NFC individually, as part of a two-pack, a 10-pack, or a whole set of 50 if you need that many security keys for a team. It’s proven itself to work for logging into my social media and email accounts time and time again. This is definitely the best key for most users — my only complaint is that Yubico doesn’t sell a similar version for USB-C.

The best security key for USB-C users: YubiKey 5C

Yubico also makes a USB-C compatible security key that works with the same OTP, Smart Card, OpenPGP, FIDO U2F, and the FIDO2 standards as the USB-A version, but without the NFC connectivity. Another trade-off: the YubiKey 5C costs more than the NFC version. But if your desktop system or Android phone uses a USB-C port, this is your best option.

Unfortunately, the 5C doesn’t support iOS devices, which require a Lightning port. According to Yubico, the company is planning to release a Lightning security key sometime later this year.

The 5C key is water-resistant, but incredibly tiny and easily misplaced, so I’d recommend attaching it to a keychain.

The other contenders

These are the other security keys that I tested alongside the USB-A and USB-C winners. Some of these keys have other connectivity options and additional functions, adding more features to an already specialized product.

For example, the Kensington VeriMark Fingerprint security key functions both as a Windows Hello fingerprint scanner and a U2F security key. However, it requires downloading a software driver to use the fingerprint feature, so it’s less user-friendly out of the box and requires additional setup to use all of its capabilities.

If you’re comfortable using Bluetooth for your security key, Google’s Titan Security Key bundle comes with a standard USB-A key (along with a USB-C adapter), and a second Bluetooth-enabled key. However, the fact that the Bluetooth key needs to be charged (via a Micro USB port) can be a problem.
