Home > Tech Explained

Everything You Need to Know About Hardware Security Keys

By Ramces Red
An image of a person browsing the web on their laptop at night.

From phishing to database leaks, protecting yourself online is becoming increasingly difficult today. Hardware security keys are a viable solution that adds a layer of protection for your online accounts. In this article, I go through how hardware security keys work, their pros and cons, and common issues to determine if they’re the right device for you.

What Are Hardware Security Keys?

Hardware security keys are small, highly secure devices that serve as an additional “factor” for multi-factor authentication (MFA) setups. Similar to traditional OTP, hardware security keys ensure that bad actors can’t access your online accounts even if they have your login credentials.

A photograph of a Yubikey 5 hardware security key.

Hardware security keys usually come as an NFC-enabled smartcard or a USB stick that you can plug into your PC. Some, such as the popular Yubikey 5 NFC, offer a USB and NFC combo, allowing you to use the device on both desktop and mobile devices.

A screenshot showing the NFC scan prompt for a Yubikey in iOS.

How Hardware Security Keys Work

At their core, hardware security keys use public-key cryptography to authenticate your login credentials. When you first configure a key with a compatible website or app, it generates a cryptographic key pair specific to that service. The key stores the private portion of that keypair in its “secure chip,” while the service takes the public portion and stores it in its servers.

A screenshot showing the standard prompt screen for adding a security key in Discord.

Once you log in successfully, your website or app will prompt you to plug the key into your device or detect it through NFC. The service sends data to your key, which it needs to sign using the private key. The service then takes that data and verifies that it’s signed correctly by the private key using its public key.

On a side note: check out the best hardware security keys you can get today.

Do All Services Allow Hardware Security Keys?

For the most part, hardware security keys should work on major online services. While explicit support isn’t guaranteed, you can expect popular platforms such as Google, Amazon, and X to support hardware security keys. For instance, you can add Yubikey support in X by going to the Security and Account Access section of your Account Settings page.

A screenshot highlighting the option for Two-factor authentication in X.

Apart from that, support generally depends on a case-by-case basis. This is because the platform itself is responsible for adding and providing support for hardware security keys. As such, it’s good practice to consider the websites you go to and whether they support this MFA method before committing to a purchase.

Comparing Hardware Security Keys Against Other MFA Methods

Hardware Security Keys vs SMS and Email MFA

One benefit of using a hardware security key over a traditional SMS and Email MFA is that it’s a seamless way of verifying your identity. It doesn’t rely on OTP codes, meaning it doesn’t need any user intervention to log in to an account. Not only does this prevent phishing attacks, but it also speeds up the login process.

A screenshot showing the 2FA setup screen in Twitch.

However, this seamless approach also comes with a hefty price. Most hardware security keys today cost between $30 to $80, with the cheaper ones only usable for specific apps. On the other hand, SMS and Email MFA takes advantage of the devices that you already have with you. This effectively reduces the cost of SMS and Email MFA to $0, making it a very affordable way to secure your account.

Hardware Security Keys vs Authenticator Apps

Just like SMS and Email MFA, authenticator apps also suffer from the same core issues when compared to a hardware security key. It relies on an OTP, making it vulnerable to phishing attacks.

A screenshot showing the default screen for the Google Authenticator.

Having said that, most authenticator apps use the RFC 6238 (TOTP) standard, making them one of the most widely accessible MFA methods today. This means there’s a good chance that a website you go to has an option to enable TOTP. It’s also an advantage over hardware security keys since not all websites can support their FIDO2 standard.

Hardware Security Keys vs Biometrics

While hardware security keys and biometric keys offer similar levels of security and convenience, they differ in a couple of important ways. To start, biometric keys are only usable on the device where they’re stored. For example, Touch ID can only authorize logins on your iPhone. This severely limits what a biometric key can do, especially when compared against a hardware security key.

A screenshot showing the Touch ID prompt in iOS.

Biometric keys are also usually more convenient and easier to use than hardware security keys. A biometric key doesn’t involve any external device, and it takes advantage of what you already have. It also doesn’t rely on OTP, making it resistant to phishing attacks.

Good to know: want to learn more about authentication tech? Check out our article where we compared 2FA against Passkeys.

What Happens When You Lose a Hardware Security Key?

One of the strengths of a hardware security key is also its weakness. Being a physical object means that it’s possible to lose it. This can be nerve-wracking if you rely on your hardware security key for vital logins, such as your online bank.

When this happens, it’s important to keep in mind that most keys have protection for unauthorized access. For instance, Yubikey 5 requires its user to set a PIN and has a self-wipe mechanism after multiple bad PIN attempts.

A terminal showing the PIN entry prompt for the Yubikey in GPG.

Further, hardware security keys doesn’t store sensitive information such as your username and password. These keys also store the private keys on a secure chip, making it impossible for bad actors to extract them.

Preparing for Hardware Security Key Loss

The easiest way to protect yourself from potential loss is by enabling other MFA methods for your online accounts. This way, you can still use hardware security keys while having an alternate login method if you lose the device.

A screenshot showing the different MFA options in Github.

Similar to adding multiple MFA methods, it’s a good idea to enable passkeys if your service supports them. It uses your device’s biometric features to verify your identity. However, passkeys are only currently available for popular online platforms such as Microsoft and Google.

A screenshot showing the default screen for adding passkeys in a Google account.

Lastly, some platforms allow multiple hardware security keys on a single account. If your service supports it, it’s good practice to have an identical backup key on hand. Just make sure to perform “sanity tests” on your backup every few months to ensure that you’re prepared for any data loss.

Exploring what hardware security keys are, how they work, and how they stack against others is just a part of online security. Learn how you can further secure your online activities by checking out some of the best VPN services today.

Image credit: Grok via x.ai. All alterations and screenshots by Ramces Red.

Subscribe to our newsletter!

Our latest tutorials delivered straight to your inbox

Ramces Red Avatar
Ramces Red
Ramces is a technology writer that lived with computers all his life. A prolific reader and a student of Anthropology, he is an eccentric character that writes articles about Linux and anything *nix.

Read next

A woman intently looking at her smartphone while seated indoors, dim lighting.
Tristan Harris, Google’s former design ethicist, told the US Senate that the pull-to-refresh gesture on nearly every app works like the lever of a Las Vegas slot machine, and he has long warned that we now reach for our phones around 150 times a day without ever calling it gambling
In 1969, László Bélády and two IBM colleagues published a paging-machine anomaly showing FIFO could make four memory frames suffer ten page faults after three frames suffered nine, leaving generations of operating-systems students staring at the moment more memory became the wrong answer
When Bell Labs engineer Karl Jansky pointed a rotating antenna at the sky in 1932 looking for sources of transatlantic radio static, he kept picking up a faint hiss that peaked every 23 hours and 56 minutes, and he eventually realized he had become the first human to hear the center of the Milky Way.
The colour magenta does not exist anywhere in the spectrum of visible light, and your brain manufactures it on the spot whenever red and blue cones fire together, inventing a hue to fill a gap that physics never bothered to provide.
Macro view of a smartphone displaying Google and other app icons on the home screen.
On 28 May 2009, Google demoed a product called Wave on stage at I/O for 80 minutes and got a standing ovation from developers who had no idea what they had just watched, and 15 months later the company quietly shut it down because almost nobody could explain to a friend what it was actually for
When Clair Patterson set out in 1948 to measure the age of the Earth using lead in meteorites, his samples kept coming back contaminated, and the seven-year detour he took to find the source ended with him almost single-handedly forcing leaded gasoline out of American cars by 1986.
Close-up view of a vintage IBM circuit board and disk drive showcasing retro computer technology.
The IBM 305 RAMAC stayed in production until 1961, weighed more than a ton, stored five million characters on fifty spinning platters, and still drew customers because the alternative was a room full of punched cards
A close-up of a vintage vinyl record in black and white, emphasizing its grooves.
In 1977, Ann Druyan recorded an hour of her brainwaves and heartbeat two days after she and Carl Sagan agreed to marry, and NASA pressed the compressed minute onto Voyager’s Golden Record as a private love signal now more than 25 billion kilometres from Earth