When it comes to protecting your information online, you can never be too safe. While using strong passwords and software-based two-step verification (2FA) provide good protection, you can further strengthen your online security by using a hardware security key.
Hardware security keys are easy to use on both personal and business devices and accounts.
And don't worry - you don't need to be a technical expert to use a hardware security key. They're pretty easy to set up, and some can even hang in your keychain. A hardware security key is the perfect way to get some extra peace of mind and protect your most important and sensitive accounts, devices and information.
A physical security key for your computer
Physically, a hardware security key (also called a U2F key) is a type of hardware security that looks like a USB drive and plugs into one of your computer's USB ports. In practice, a hardware security key is a physical security device with a unique identity.
It contains a small chip with all the security protocols and code that allow it to connect to servers and verify your identity. It is used to ensure that you are the person who actually needs to access a website or service.
Some security keys even have NFC and/or Bluetooth built-in, making them perfect for use with newer Android and iOS smartphones. They work with a supported browser like Google Chrome and online services like Gmail, Facebook, Dropbox, 1Password, Twitter, GitHub, Microsoft and many others.
Security keys are another layer of two-factor security, not unlike the one-time passwords you receive via SMS or email when you log in to certain websites, or the biometric scans of your fingerprint or face used to unlock your laptop or smartphone.
But instead of sending you the password or scanning a body part, you connect the device to your computer and tap a sensor on it to make it give you access to what you're protecting.
Here's one way to describe the common extra layers of security you can put on your accounts:
- Little to no security: Using the same weak password that's easy to guess on every site. Anyone with enough motivation can access your information without much effort.
- Strong security: Using unique strong passwords for each of your accounts. This makes it incredibly difficult for a hacker or algorithm to guess the passwords. Here it is a good idea to use a password manager that stores and remembers the passwords for you.
- Stronger security: Set up software-based two-factor authentication for your accounts (where you receive a text code) or use authentication apps. This makes it even harder for a hacker to access your accounts, as they need to know your password and have your phone handy (or switch SIM cards) to gain access. Plus, in most cases you'll also receive the one-time code notification every time someone tries to access your account, giving you a heads up.
- Strongest security: Setting up physical two-factor authentication, also called a hardware security key, creates a single unique access point that can't be duplicated. In order for you or anyone else to access your connected accounts, you must use your password as well as the physical key.
Hardware security keys are so good, they even prevent you from entering your information on a spoofed website. So even if a hacker manages to trick you, they won't trick your security key. This hardware acts as your digital bodyguard, keeping unwanted users away from your information. And don't worry: no personal or account data is stored on the security key. In case you lose your key, or someone takes it, they still need to know your account names and passwords to get anywhere.
How do security keys work?
Security keys are just another way to confirm with a server you're trying to access that you are who you say you are. The keys support an open source universal standard called FIDO U2F, which was developed by Google and Yubico for physical authentication keys. Think of a security key as a hotel door. You check in at the front desk, pay the nightly fee and are issued your room key. So hypothetically, if you were to stand in front of the door to your assigned room and say "I'd like to come in", the door wouldn't just open. You would insert the key into the slot and allow it to connect to the hotel's system and confirm "Yes, this key is currently valid. Please give me the registered key code to open this room." It's the same principle.
Setting up and using a security key is also pretty easy. Once you have connected the devices and onlinenti you want to use the security key on, all you need to do at that time is plug in the key when you want to access the device or site, and press the sensor button.
Who needs hardware security keys?
The answer is anyone who wants to can use a security key, but it may be an excessive measure for some people. If you don't mind spending a little extra time to be securely logged into your connected accounts, it's a good idea to use a hardware security key.
We highly recommend security keys for those who regularly use public Wi-Fi, as traffic over Wi-Fi can be easily intercepted and using public Wi-Fi makes you more susceptible to hacking. When you use a security key, hackers won't be able to log into your accounts even if they intercept your data.
We also recommend security keys for anyone who deals with sensitive or confidential information online, such as financial information.
Disadvantages of using a hardware security key
The main selling point of a hardware security key is also its biggest weakness: it's the only access point for your accounts. So while it makes it virtually impossible for a hacker to access your accounts, it will also make it near impossible to access your own accounts in the event that you lose your security key.
If you are logged into one of your accounts for some reason, you can go in and remove your security key or create a new one; but if you can't, it can be very difficult to access your accounts.
Depending on the service you set up your security key with, such as Google, you may have a number of options for accessing your account, such as backup passwords. You can also technically buy a backup security key, but not all sites allow you to register two keys.
Another drawback is that not all sites and services support security keys as a 2FA option, especially smaller services. Most services, if they offer 2FA at all, will stick to SMS or email-based options. This means that for the time being you will be able to get protection for a limited number of sites, but the possibility of using hardware security keys for multiple sites can, and probably will, come in the future.
Which hardware security keys are the best?
There are several security keys to choose from. Yubico is one of the more popular manufacturers of hardware security keys and has various high quality models that you can purchase. Google also sells its own security key called Titan, and it includes an extra key with Bluetooth. Other good manufacturers of security keys include Kensington and Thetis
Here are some of the best security keys on the market right now (remember to research several different security keys before making your final choice):
- Yubikey 5 NFC (USB-A connector with wireless NFC)
- Yubikey 5C Nano (USB-C, compatible with Android)
- Yubikey 5C (USB-C)
- Yubikey 5 Nano (USB-A)
- Thetis Fido (USB-A)
- Google Titan (one USB-A and one Bluetooth)
- Thetis BLE (USB-A with Bluetooth)
Sofie Meyer is a copywriter and phishing aficionado here at Moxso. She has a master´s degree in Danish and a great interest in cybercrime, which resulted in a master thesis project on phishing.