When it comes to protecting your online information, you can never be too safe. While using strong passwords and software-based two-factor authentication (2FA) is certainly a great start, you can further strengthen your online security by using a hardware security key. Plus, they are easy to use on both personal and business devices and accounts.
What is a USB Security Key?
Physically, a USB security key (also called a U2F key) is a type of hardware security device that resembles a USB drive and plugs into one of the USB ports on your computer. In practice, a security key is a physical security device with a totally unique identity. It contains a small chip with all the security protocols and code that allow it to connect to servers and verify your identity. It is used to ensure that you are the person actually accessing a site or service.
Some security keys even have NFC and/or Bluetooth built in, making them perfect for use with newer Android and iOS smartphones. The keys work with browsers such as Google Chrome, along with web services such as Gmail, Facebook, Dropbox, 1Password, Twitter, GitHub, Microsoft and many others.
Security keys are yet another layer of two-factor security, much like the one-time codes you receive via text message or email when logging in to certain sites, or the biometric scans of your fingerprint or face used to unlock your laptop or smartphone. But instead of sending you a code or scanning a body part, you plug the device into your computer and tap the sensor on it to gain access to whatever it is protecting.
Here’s another way to visualize the common layers of security you can put on your accounts:
- Little to no security: Using the same weak, easy-to-guess password on every site. Anyone with sufficient motivation can access your information without much effort.
- Strong security: Using unique strong passwords for each of your accounts. This makes them incredibly difficult (if not impossible) for a savvy hacker or algorithm to guess. No, they won’t be easy for you to remember (that’s what password managers are for), but because of their complexity, they are effective.
- Stronger security: Setting up software-based two-factor authentication for your accounts (where you receive a text code) or using authentication apps. This makes things even more difficult for a hacker, who needs to know your password and have your phone on hand (or SIM-swap it) to get in. Plus, in most cases, you’ll also receive the one-time code notification every time someone tries to access your account, so you’ll get a warning.
- Strongest security: Setting up physical two-factor authentication, also known as a security key, creates a single point of access that cannot be duplicated. For you or anyone else to access your connected accounts, both your password and the physical key are needed – something even the best hacker can’t get around.
Security keys are so good that they will even prevent you from entering your information on a fake website, so even if a hacker manages to trick you, they won’t trick your security key. This piece of hardware acts as your digital bodyguard and keeps unwanted users away from your information. And don’t worry – no personal or account information is stored on the security key. In the event that you lose your key or someone takes possession of it, they still need to know your account names and passwords to get anywhere.
How do security keys work?
Security keys are simply another way of verifying that you are who you say you are to a server you are trying to contact. The keys support an open-source universal standard called FIDO U2F developed by Google and Yubico for physical authentication tokens.
Think of a security key like a hotel room key. You check in at the desk, pay the nightly rate and receive your room key. Then, hypothetically, if you were standing at the door of your assigned room and said “I want to come in”, the door wouldn’t open just like that. You need to put the key in the slot and let it connect to the hotel system, which verifies: “Yes, this key is currently valid. Give me the registered key code to open this room.” A security key works the same way.
Setting up and using a security key is also quite easy. Once you have connected the devices and online accounts on which you want to use the security key, all you need to do is insert the key when you want to access the device or site and tap the sensor button. If you’re not sure how to associate your physical key with a device or website, check out this helpful guide from our sister site, How-To Geek.
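Why a key will not authenticate to a fake website, shown as an added example that is not part of the original article: a simplified Node.js model of the U2F challenge-response, not the real FIDO message format. The class names and both origins are constructed for illustration.

```javascript
const nodeCrypto = require('node:crypto');
const sha256 = (s) => nodeCrypto.createHash('sha256').update(s).digest();

// Simplified model of a U2F-style key: a separate key pair per site origin.
class SecurityKey {
  constructor() { this.credentials = new Map(); } // origin -> private key
  register(origin) {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    this.credentials.set(origin, privateKey);
    return publicKey; // the site stores only the public half
  }
  // `origin` is supplied by the browser from the address it is really on.
  sign(origin, challenge) {
    const privateKey = this.credentials.get(origin);
    if (!privateKey) return null; // no credential for this origin
    return nodeCrypto.sign('sha256', Buffer.concat([sha256(origin), challenge]), privateKey);
  }
}

class Site {
  constructor(origin) { this.origin = origin; this.pending = null; }
  enroll(key) { this.publicKey = key.register(this.origin); }
  newChallenge() { return (this.pending = nodeCrypto.randomBytes(32)); }
  verify(signature) {
    const challenge = this.pending;
    this.pending = null; // each challenge is accepted once
    if (!signature || !challenge) return false;
    const signed = Buffer.concat([sha256(this.origin), challenge]);
    return nodeCrypto.verify('sha256', signed, this.publicKey, signature);
  }
}

function demo() {
  const REAL = 'https://accounts.example';           // constructed origin
  const LOOKALIKE = 'https://accounts-example.test'; // constructed origin
  const key = new SecurityKey();
  const site = new Site(REAL);
  site.enroll(key);
  // Genuine login: the browser is on the real origin.
  const goodSig = key.sign(REAL, site.newChallenge());
  const genuine = site.verify(goodSig);
  // A look-alike page relays the real challenge; the browser reports its own origin.
  const relayed = site.verify(key.sign(LOOKALIKE, site.newChallenge()));
  // An old signature presented against a fresh challenge.
  site.newChallenge();
  const replayed = site.verify(goodSig);
  return { genuine, relayed, replayed };
}
console.log(demo());
```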
Who Should Use a Security Key?
Anyone who wants to can use a security key, but it may be an excessive measure for some people. If you don’t mind the temporary inconvenience of securely logging in to your connected accounts, this is a great idea. After all, it’s better to be safe than sorry.
We highly recommend security keys to those who regularly use public Wi-Fi as traffic over Wi-Fi can be easily intercepted and using public Wi-Fi makes you more prone to hacking. By using a security key, you ensure that even if someone intercepts your information, they cannot log into your accounts. We also recommend security keys to anyone dealing with secure online information, such as financial information, and to celebrities and other important individuals who want an extra layer of security.
The drawbacks of relying on a security key
A security key’s main selling point is also its biggest weakness – it’s the single point of access for your accounts. So while it makes it nearly impossible for a hacker to access your accounts, it also makes it nearly impossible to access your own accounts if you lose your security key.
If you are still logged in to your accounts somewhere else, you can go in and remove your security key or set up a new one; but if you aren’t, you may be out of luck. However, depending on the service with which you set up your security key, such as Google, you have access to a range of options for accessing your account, such as backup access codes. You can also technically buy a backup security key, but not every site lets you register two.
The other notable drawback is that not every site and service supports security keys as a 2FA option, especially smaller services. Most services, if they offer 2FA support at all, stick to SMS or email-based options. This means you’ll be paying for protection on only a handful of sites for now, although support for more may come in the future.
Other options to consider
Security here is of course the name of the game and the most important part of a physical security key. However, there are a few extra features to keep in mind if you’re considering purchasing a security key.
- Price and configuration: Security keys have a pretty narrow price range, usually between about $20 and $50, so you don’t have to worry about spending a few hundred dollars on one. The keys should also be super easy to set up and use on demand.
- Device and account compatibility: Not every hardware key is created equal. Some connect to your computer via USB-A or USB-C, while others only support Apple’s Lightning ports. Newer options can even support Bluetooth and NFC, making them compatible with smartphones. Make sure the key you choose works with all the devices you want to use it on, from macOS and Windows to Android and iOS.
- Durability: Since a security key is something you will potentially use every day, it is critical that it has a durable design made from quality materials. The metal connectors that plug into your device’s USB port should be sturdy enough to withstand thousands of uses. The best security keys are resistant to drops (or having something dropped on them) and are also water resistant.
Security keys we recommend
If you’ve decided you want a security key but aren’t sure what your options are, don’t worry – we’ve rounded up a few of the best picks below, including some premium keys and a budget-friendly one.
Best Overall Security Key: Yubico YubiKey 5 NFC
Yubico is a trusted name in the security key world as it helped develop the FIDO U2F standard along with Google. The YubiKey 5 NFC uses both NFC and a USB-A connector and is an ideal choice for logging into your online services and accounts as well as your macOS computers, Android devices and iPhone 7 or later models. It supports a variety of security standards, including FIDO U2F, FIDO2, Yubico OTP, OATH-HOTP, OpenPGP and Smart Card. The key is resistant to water, spills and crushing.
Best Budget Pick: Thetis FIDO U2F Security Key
You don’t have to spend a ton to get a respectable security key, and the Thetis FIDO U2F security key is the best bang for your buck. The key works on both Chrome and Opera browsers on macOS, Windows and Linux operating systems. It skips Bluetooth and NFC connection options in favor of a USB-A port. The Thetis key does have a swivel mechanism that protects the USB port when not in use.
Best Bluetooth Choice: Google Titan Security Key Bundle
Along with Yubico, Google helped develop the FIDO U2F standard these devices rely on, so it’s another great choice. The Google Titan Key Bundle comes in a set with one Bluetooth key and one USB-A key, allowing you to connect to computers and mobile devices as well as compatible web services. The keys have a hole at the top so that you can attach them to a key ring. Both keys support Google’s Advanced Protection Program, the company’s strongest security offering. Google also sells a great USB-C option, if it works better with your device’s ports.
One final note
Security keys are an easy and relatively inexpensive way to keep your important online information safe. While they may be overkill for the average person, the level of security they provide makes them worthwhile for anyone dealing with secure information, especially over a public Wi-Fi connection. They are also a good idea for celebrities and notable individuals to use. Also, don’t lose your security key.