header banner

What is the best security key for two-factor authentication?

A good password manager is the first step to online security, but not the last. When two-factor authentication (2FA) is available, you should use that with your online accounts, too. While the most familiar form of 2FA is a one-time-use code texted to your phone, the most secure version is a physical security key that serves that purpose instead. With a security key, nobody can get into the accounts where you set it up unless they have both your password and physical access to the key. The Yubico Security Key, which is available for both USB-A and USB-C ports, has the best combination of compatibility, usability, and security of any key we tested.

Everything we recommend

VIDEO: How to Choose the BEST 2FA Key for Security (Yubikey)
All Things Secured

Our pick

Yubico’s Security Key series offers strong account security and excellent documentation for newcomers. It’s available for USB-A and USB-C ports (and both versions work with NFC devices such as phones), but it doesn’t support advanced protocols that some accounts may require, so it’s less future-proof than our upgrade pick.

Buying Options

VIDEO: Best Security Keys for Multi-Factor Authentication in 2023
Best Seller Products

Upgrade pick

The YubiKey 5 Series has versions to fit every modern device, as well as premium features for advanced use.

Buying Options

VIDEO: Here's Why I Moved to Security Keys for 2FA

Our pick

Yubico’s Security Key series offers strong account security and excellent documentation for newcomers. It’s available for USB-A and USB-C ports (and both versions work with NFC devices such as phones), but it doesn’t support advanced protocols that some accounts may require, so it’s less future-proof than our upgrade pick.

Buying Options

VIDEO: Setup a 2FA Key for MAXIMUM Online Security! (Yubikey Tutorial)
All Things Secured

The Yubico Security Key series supports a wide array of protocols and is compatible with most of the online services that people use, including Google, GitHub, and Dropbox. It’s available for USB-C ports as the Yubico Security Key C NFC and for USB-A ports as the Yubico Security Key NFC. These keys offer most of the same benefits as our upgrade pick, the YubiKey 5 Series, at a fraction of the price. After years of testing the Security Keys and keeping them on our keychains, we’ve found them durable and reliable. Yubico also provides the best documentation we’ve seen from any security key maker, and its excellent introductory experience eases the process for newcomers. The Yubico Security Keys don’t support more advanced protocols such as OpenPGP, smart card, and OTP, but if you don’t know what those protocols are, you probably don’t need them.

Upgrade pick

The YubiKey 5 Series has versions to fit every modern device, as well as premium features for advanced use.

Buying Options

VIDEO: Yubico Authenticator: The BEST Two Factor Authentication App! (PROTECT YOURSELF)

The Yubico YubiKey 5 Series supports a wider array of security protocols than the Security Key series, which makes it compatible with more online accounts. Compared with nearly every other security key, the 5 Series also offers more connection options, including USB-A, USB-C, USB-C with NFC, and a dual-headed USB-C and Lightning-port model. They also come as thumbnail-sized nano keys meant to live in your computer more permanently, in contrast to the standard key shape, which sticks out of the port. Over years of testing, they’ve proven to be as durable as the Security Keys, and they have the same excellent documentation. The YubiKey 5 Series models can be more than twice the price of the Yubico Security Keys, but their robust compatibility with more devices and accounts makes them worth the higher price.

The research

VIDEO: "Remove This Tiny Chip Before Using The Phone!" Edward Snowden

    We read through articles, review sites, customer reviews, and technical papers dissecting security keys and the security standards they use. We also interviewed Drew Porter, founder and president of security consultancy Red Mesa, to discuss who needs hardware-based security keys, what to look for in their security protocols and practices, and how past recalls affect trustworthiness.

    After selecting Yubico’s keys as picks for this guide, we spoke with Yubico’s chief engineering officer, Christopher Harrell, to get more information on the benefits of hardware security keys, the limitations of specific models, and the ways in which the ecosystem is changing.

    Thorin Klosowski is Wirecutter’s privacy and security editor. Prior to Wirecutter, he wrote for Lifehacker, and in both publications he has sought to make complicated technology easy to understand and use.

    Yael Grauer did the initial testing for this guide and wrote the original recommendations in the spring of 2020. She has written about online privacy and security for Wired, Vice, BreakerMag, The Intercept, Slate/Future Tense, Ars Technica, and more, and she now covers the category for the Consumer Reports Digital Lab. She collaborated with the Electronics Frontier Foundation on its Street-Level Surveillance project and wrote curricula for TrollBusters, a just-in-time rescue service for women writers and journalists who are experiencing online harassment. She has also co-organized events, taught workshops, and spoken on panels about digital security and source protection.

    If you’re new to multi-factor authentication, here’s how the typical new-login process works when you’ve registered a security key with a website or app:

    1. You head to the website or app and then type in your username and password.
    2. The site or app asks you to connect your key. You do so by either plugging the key into a port on your computer or phone, or holding it near the top of your phone if it supports NFC.
    3. You trigger the key by tapping a piece of capacitive metal or clicking a button.

    Whether you’re going online to shop, bank, check your email, or use social media, you should be using multi-factor authentication to secure your accounts. Adding an extra layer (or layers) of security to your accounts makes it more difficult for an attacker to compromise them. The National Institute of Standards and Technology (NIST) recommends using some form of multi-factor authentication, and you may already have a second factor, such as receiving a one-time code via SMS messages or using an authenticator app like Authy.

    But when it comes to securing accounts and passwords, security keys offer the strongest layer of protection. A key provides an increase in security over just a password, and it can protect against specific types of phishing that try to steal two-factor authentication codes. Most people should use a security key for as many accounts that support it, and the keys in this guide should work for both personal and business accounts (unless you’re a government or regulated-industry employee, in which case you’ll likely have different keys, such as the Yubico YubiKey 5 FIPS Series).

    Multi-factor authentication works by requiring the presentation of multiple layers of evidence, or factors, before allowing access to an account. What the factors are can vary, but they generally fit into one of three categories:

    • something you know (such as a password or PIN)
    • something you have (such as a security key or phone)
    • something you are (biometrics such as a fingerprint reader, face scan, iris scan, or voice recognition)

    Security codes sent by text messages have their own set of issues, and while authenticator apps are preferable to SMS, security keys provide the strongest protection against phishing attacks. For example, if you were to tap on a spoofed website link sent to you in a text message, an attacker controlling that site may get your username, password, and authentication code after you type it all in—but that can’t happen with a physical key. Plus, security keys are easier to use at a computer than fussing with your phone. Some security keys, including our picks, also support “passwordless login,” where you don’t even need a password, just the physical key itself, to login. The most notable company that currently supports this type of login is Microsoft.

    “It is harder to compromise a hardware token than a digital phone, because not everyone has perfect insight to everything that’s happening or going on in their phone,” said Drew Porter, founder and president of Red Mesa. “Most people don’t monitor everything that is happening on their phone, and therefore they can’t know whether their phone is compromised.”

    “People do a lot of campaigns around phishing education and around teaching people to be careful about the URL bar in the browser, but it turns out we’re human,” said Yubico’s chief engineering officer, Christopher Harrell. “We have other priorities, and our attention is limited.” Security keys do the heavy lifting of making sure the sites you’re trying to log in to are authentic, so you don’t have to be as meticulous about noticing anything off. As an example, Porter noted that a lot of people mindlessly tap through “Did you sign in?” push notifications on their phones even when they shouldn’t, an issue that wouldn’t come up if they were logging in using a security key.

    We recommend having at least one backup security key to use in case you lose your main one. With most services, you can register multiple keys, which you should do in advance; that way, if you lose your main key, you can log in with a backup. If you don’t have a backup, in some cases you could be locked out of an account. Different sites have different recovery mechanisms, including authenticator apps, SMS-based recovery keys, and backup codes (one-time recovery codes you can store somewhere).

    Although security keys are more secure than authenticator apps, they’re not the best choice for people who tend to lose things. Most people should have at least two security keys: one for everyday use and a backup key that can stay somewhere secure, such as in a safe, if you lose your everyday key. Some people may want additional keys for different devices.

    Additionally, the security key ecosystem has some rough edges. Not every type of key works seamlessly on a mobile phone, for example, and some apps revert to authenticator apps in some circumstances.

    Security keys can be tricky to set up, so people without the patience to do so should stick to authenticator apps. But once security keys are set up and in actual use, we’ve found them to be much easier to use in practice than authenticator apps because there’s no wonky copy and pasting required, nor is it necessary to scroll through codes to find the one you’re looking for.

    Security keys aren’t perfect. One research paper (PDF) showed how a hacker could clone some security keys, making it so that they could theoretically log in to any accounts protected by the original key. The attack requires physical access to the key, about $12,000 worth of equipment, and at least 10 hours, but it illustrates how even the most secure products can have issues. The researchers performed their attack on the Google Titan key but note in their paper that other hardware using the same chip may also be vulnerable; that group includes an older Yubico model, the YubiKey Neo, and several keys made by Feitian.

    An array of security keys, in a variety of sizes and colors, that we tested to find the best security key.
    Photo: Rozette Rago

    A security key doesn’t need to have a lot of features to be useful, but one that’s designed badly can be difficult to use. Following are the features that we found through our research to be most important:

    • Security protocols: Since hardware keys are a security item, we dug into each company’s track record on previous recalls and looked at whether the company had a coordinated vulnerability-disclosure program to allow security researchers to report bugs.
    • Future-proof support for multiple standards: We focused on keys supporting the newest set of specifications, such as FIDO2. This means that they support more applications and websites, and it suggests that they are less likely to need replacing. Security keys typically have no moving parts and are durable, so you’ll probably use the same keys for many years.
    • Consistency and compatibility: We looked for security keys that worked as consistently as possible with each of the services we tested them with. We preferred security keys that came with a variety of connection options so they could work on both Android and iOS, as well as both Windows and macOS computers.
    • Setup and user experience: We wanted security keys that were easy to set up and use.
    • Customer support: We looked at the types of support each company offered, as well as how much documentation was available on its website both for setting up keys and for troubleshooting. We preferred companies that were well known and had been around for a while, an indicator of continued support in the future.
    • Portability and durability: We put the keys we tested through the type of wear and tear that can be expected over a normal day of use, including tossing them around on a keychain and dropping them into the bottom of a bag, and we looked for any parts that seemed as if they could easily snap or break off too quickly with use. We looked at whether the necessary components were well protected. Some companies also make smaller, “nano”-size keys that fit flush with your computer’s USB port. These designs are useful if you work only on a computer, but they’re a pain to use on mobile devices. Most people are likely to want at least one portable key with a keychain loop.
    • Cost: Security keys can cost anywhere between $20 and $70 or so. For around $20 to $40, you get a durable key that’s compatible with most services but doesn’t offer as many connectivity options. When you pay more, you typically get more connectivity options, such as USB-C and Lightning, alongside added features like the ability to use your key to log in to your computer.

    We dismissed security keys that had limited owner reviews or that were designed specifically for government use (such as the Yubico YubiKey 5 FIPS Series). Going by the above criteria, we tested Yubico’s Security Key, Security Key NFC, Security Key C NFC, and YubiKey 5C, 5C NFC, 5Ci, and 5 NFC; Google’s Titan Security Keys (USB-A/NFC Security Key and USB-C/NFC Security Key); Thetis’s FIDO U2F and BLE U2F Security Keys; and SoloKeys’s Solo USB-C, Solo USB-A, Solo Tap USB-C, and Solo Tap USB-A models.

    We tested the setup of each key with various apps, noting issues along the way. We ran over all the keys a couple of times with a car to make sure they were durable enough to withstand such punishment, and then we tossed them into a washer to make sure they’d still work in case you leave yours in your pocket. Once we settled on Yubico keys as our picks, we reached out to the company for additional details on features and compatibility.

    Two Yubico Security Keys, one facing up and one reversed, our pick for the best security key for Multi-factor Authentication.
    Photo: Rozette Rago

    Our pick

    Yubico’s Security Key series offers strong account security and excellent documentation for newcomers. It’s available for USB-A and USB-C ports (and both versions work with NFC devices such as phones), but it doesn’t support advanced protocols that some accounts may require, so it’s less future-proof than our upgrade pick.

    Buying Options

    VIDEO: Is Bitwarden's 2FA Code a Security Risk?
    Pro Tech Show

    The best security key for most people is the Yubico Security Key, which comes in two forms: the Yubico Security Key NFC (USB-A) and the Yubico Security Key C NFC (USB-C). These security keys work with most devices, including phones and laptops. They feature all the security protocols necessary to work with a wide array of web services that most people use, including 1Password, Bitwarden, Google, Microsoft, and plenty more. Yubico’s documentation and support is the best we’ve seen, and the keys have proven durable over years of testing. Priced under $30, they’re affordable enough that you can buy a couple (which we recommend, so you have a backup) without spending too much, especially considering there’s no reason they won’t last for many years.

    In some cases, experts suggest, programs and security keys that use open-source software, which allows anyone to review the program’s code, are more secure. All Yubico keys are closed source, but the company has built trust around its security practices in other ways, including internal and third-party security assessments of its code for every major release. When Yubico had a vulnerability in its YubiKey FIPS Series of keys (used by government agencies) in June 2019, the company replaced affected devices. It also proactively lists security advisories and mitigations on its website.

    The Yubico Security Keys meet FIDO2 standards and support U2F, WebAuthn, and CTAP 1 and 2, which makes them compatible with most web services that support security keys, including more forward-looking features such as Microsoft’s passwordless login. The standard Security Keys don’t offer some of the options for super-technical folks who might want to, say, put a GPG key in hardware, or for enterprise users who want a key that works with PIV smart cards for Active Directory, or for SSH or S/MIME. If you aren’t familiar with those terms, you’re unlikely to miss the advanced features of the more expensive 5 Series.

    Each Security Key model fits either a USB-A or USB-C port, and most phones support NFC, so the keys should work fine for most devices. Get whichever key fits into the port on your computer. If you need more options, such as Lightning for a physical connection to an iPhone (or certain models of iPad), or if you want thumbnail-sized keys that don’t stick out, go with the .

    Yubico Security KeyYubico YubiKey 5 SeriesGoogle Titan Security Keys
    TOTP code storageNoYesNo
    Passwordless login supportYesYesNo
    Computer login supportNoYesNo
    CertificationsFIDO (U2F), FIDO2FIDO (U2F), FIDO2FIDO (U2F)
    Protocol supportWebAuthn, CTAP 1, CTAP 2, U2FWebAuthn, CTAP 1, CTAP 2, U2F, smart card, Yubico OTP, OATH (HOTP/TOTP), OpenPGP, secure static passwordsU2F, CTAP 1
    VersionsUSB-A (NFC), USB-C (NFC)USB-A (NFC), USB-C (NFC), Lightning, USB-C, USB-A (Nano), USB-C (Nano)USB-A (NFC), USB-C (NFC)
    Country of originUSA, SwedenUSA, SwedenChina
    The Yubico Security Key can handle the majority of online accounts most people need, but the 5 Series supports a few protocols for most advanced uses.

    In order to use any security key, you have to set it up and pair it with each individual online account. Setup on an account takes only a couple of minutes, but finding the right place to do so can require some detective work. Helpfully, Yubico’s documentation is extensive: In addition to a setup page, Yubico has videos and links to instructions for services that you might want to use your security key with, including a list (with visuals) of which key works with the program, information on security-protocol support, desktop and laptop platform support, mobile support, browser support, and any special offers. This documentation is far more comprehensive than what we’ve seen from the competition.

    The keys were still usable after we ran them over and put them through the washing machine. Video: Rozette Rago

    Most of Yubico’s full-size keys are water resistant and crush resistant. Like other keys we tested, both the Yubico Security Keys and the 5 Series held up well for us in our regular testing, and they still worked fine after we ran them over with a car and put them through a cycle in a washing machine. All of them were easy to carry around on a keychain, too. After more than two years of use, the keys hanging on our keychains still look nearly brand-new and continue to work. They had the same durability results in tests conducted by Freedom of the Press Foundation digital security trainer David Huerta.

    At $25 and nearly $30 for the USB-A and USB-C models, respectively, the Yubico Security Keys are cheaper than Google’s similarly styled Titan Security Keys and nearly half the price of most models in the Yubico YubiKey 5 Series. The Yubico Security Keys lack the nice-to-have features of the 5 Series, such as multiple connection options, computer login, and support for time-based one-time passwords on the Yubico Authenticator app. But most people don’t need those extra features enough to justify the increase in price for a 5 Series model.

    For the most part, we found the experience of using a security key on both Windows and Mac laptops straightforward, but compatibility issues still affect certain browsers, and some software does not support keys directly, so you too might run into issues.

    Support on mobile devices has expanded over the past few years, but we still encountered quirks with keys on both Android and iOS; for example, on both platforms, you can use a key to log in to Dropbox from your smartphone’s browser, but not the Dropbox app. We’ve seen improvements in other apps, though, such as Facebook, which now fully supports keys in its mobile apps, and Twitter, which will soon allow you to log in with just the key, no password needed. To compound the confusion, some apps and services might support a key when it’s plugged in but not over NFC. These sorts of mismatches can be annoying, especially considering that even when NFC is supported, you still have to hold the key close to your phone and cross your fingers in hopes that it registers. If you really dislike futzing around with NFC, the YubiKey 5 Series may be a better option.

    Four Yubico YubiKey 5 Series Keys, our upgrade pick for the best security key for Multi-factor Authentication.
    Photo: Rozette Rago

    Upgrade pick

    The YubiKey 5 Series has versions to fit every modern device, as well as premium features for advanced use.

    Buying Options

    VIDEO: 5 things you didn't know your USB Flash Drive could do!
    Liron Segev

    If you’re looking for extra features and you’re comfortable tinkering around with more advanced settings in web apps, get a key in the Yubico YubiKey 5 Series. The 5 Series encompasses several models and is thus compatible with more devices than any other key, including Yubico’s Security Key line. The 5 Series has the same excellent Yubico video walk-throughs and setup instructions, and the keys themselves are portable and durable, though they cost nearly twice as much as our main pick.

    Determining which 5 Series key is best for you depends on which devices you own. Yubico provides a quiz to help you find the right key, but the breakdown goes something like this:

    • YubiKey 5 NFC (also available in non-NFC nano form): The YubiKey 5 NFC has a USB-A plug and near-field communication (NFC) support, so you can use it for NFC-enabled devices such as most smartphones. Although we didn’t test nano-size keys for this guide, those models are better if you want to leave your key in the USB port of your computer.
    • YubiKey 5C (also available in nano form): The USB-C–only design is compatible with Android phones as well as some newer tablets, desktop computers, and laptops. It is not compatible with iPhones.
    • YubiKey 5C NFC: With USB-C and NFC, this model is a good option if your computer has a USB-C port and you don’t need a Lightning connector. It works with most newer desktop computers and laptops, with some tablets (including several iPad models), and with Android and iPhone (over NFC).
    • YubiKey 5Ci: The 5Ci has two different sides, a USB-C connector and a Lightning connector, the latter of which is used by most Apple mobile devices. So this key is best for people reliant on Apple hardware, including iPhones, iPads, and laptops, though we preferred using the NFC keys over fiddling with this one; it’s still a good option if you have an iPad model with a Lightning port.

    The 5 Series offers more port options and combinations than the selection from every other company, including Yubico’s less expensive Security Key line and Google’s Titan Security Keys, which don’t have a Lightning-port option for iPhone owners and instead rely on NFC. Although the 5 Series has wider compatibility with smartphone ports than other options, it still suffers from the same seemingly random quirks of the Yubico Security Keys. But even so, the 5 Series supports multiple protocols, including FIDO2, U2F, PIV, Yubico OTP, and OATH HOTP, which helps ensure that it’s compatible with as many services as possible in the future.

    Four security keys side by side that we tested to find the best security keys.
    Looking at a Security Key and a 5 Series key next to each other, most people wouldn’t know the difference between them. Photo: Rozette Rago

    The YubiKey 5 Series is more expensive than competitors, and some versions are twice as expensive as the basic Yubico Security Key. But for many people, it’s worth the high price because it’s future-proof and it adds nice-to-have extras.

    Yubico Security Key NFC (USB-A/NFC)$25
    Yubico Security Key C NFC (USB-C/NFC)$30
    YubiKey 5 NFC (USB-A/NFC)$45
    YubiKey 5C NFC (USB-C/NFC)$55
    YubiKey 5Ci (USB-C/Lightning)$70
    YubiKey 5 Nano (USB-A)$50
    YubiKey 5C (USB-C)$50
    YubiKey 5C Nano (USB-C)$60
    Even if you opt for a YubiKey as your primary key, consider one of the Security Key models as your backup to cut down on the cost. Prices are accurate as of November 16, 2021.

    Although some of the extras in the YubiKey 5 Series aren’t things most people are likely to need every day, they are nice to have for anyone seeking the highest level of security. Most notably, the 5 Series can generate time-based one-time passcodes for up to 32 accounts, similar to how the Authy and Authenticator mobile apps work, but the credentials are stored on the key. This feature requires downloading the Yubico Authenticator app, and it works with services that support other authentication apps such as Authy. When you run into a site with software authentication but not key support, you can store those codes on the key. The Yubico app will then display those codes only if the key is connected, so even if someone managed to get your phone, they’d still need the key to access the authentication codes. None of the other keys we tested, including those in Yubico’s cheaper Security Key line, have this functionality. But using this feature puts the onus on you to save all the two-factor backup codes or to store credentials on a second key, so make sure you’re comfortable doing so.

    Although it’s difficult to set up, the 5 Series also supports computer login on Windows, Mac, and Linux so that no one can access your machine without inserting the key after the system boots. Most other keys, including the Yubico Security Key models, can’t do the same.

    Like Yubico’s Security Key models, the 5 Series keys have proven resilient over our years of testing. After dangling on a keychain for a couple of years, they still work and look nearly brand-new.

    To set up your security key, it’s best to start on a laptop or desktop, as some mobile apps won’t allow you to register a hardware key to your account on your phone. Once you register a key on your computer, it should simply work with your phone. As an example, here is how to set up a key with our favorite password manager, 1Password. The process is the same for any security key an app supports:

    1. Log on to your 1Password account from your browser.
    2. Click your profile in the top right and select My Profile.
    3. Click More actions and select Two-Factor Authentication.
    4. Select Add Security Key, name the key, and click Next.
    5. When prompted, insert your security key and tap the button or gold disk.
    6. You should see a notice saying “Your security key was registered.”

    When you’re done, repeat the process with your backup key. You should also set up an authenticator app such as Authy if you haven’t already, in case you run into an instance where you can’t use your key on a mobile device. The process is more or less the same for other supported services.

    Once the key is enabled, it should work automatically with your smartphone if the two have a physical connection. On Android and iPhone handsets, you can log in using an NFC key by holding it to the back of your phone until the phone stops buzzing.

    On a day-to-day basis, you may not be required to use your hardware key all that often. Services often consider different risk factors to determine whether to require it. Some sites may ask you to insert it when you’re managing what kind of authentication you’re using, while others may ask you to use your key only when you’re logging in from a new computer.

    SoloKeys announced a redesign of its next generation of security keys that ditches the push-button design we struggled with in favor of touch-sensitive side buttons similar to those on Yubico and Google keys. SoloKeys also has plans to improve NFC performance, add waterproofing, and more. We plan to test the new keys when they become available.

    Google’s Titan Security Keys include USB-A and USB-C models, both with NFC support. The Titan keys support only U2F, not FIDO2, which is currently used by services like Microsoft and may be used by potential “passwordless” accounts in the future. Google’s keys work with its Advanced Protection Program, which is useful for activists, journalists, political-campaign teams, or executives, but its increased security involves some usability trade-offs. What little documentation Google provides isn’t useful, and even just figuring out which protocols and standards the key meets requires significant research. Both Titan keys are very similar to Yubico’s Security Key models, though we found their white plastic more prone to accumulating dirt when the keys were attached to a keychain. The Titan keys are fine if you already have one, but all of Yubico’s options are more future-proof.

    Feitian security keys come with most of the same security features and protocols as the Yubico options do, and they offer a variety of connectivity choices, including USB-C and NFC and even a fingerprint option. Feitian is also the company that makes Google’s keys. But its documentation, including basic information about features and security, isn’t as good as Yubico’s; some links on the company’s site even lead to unfinished pages. Feitian keys are often half the price of the similar Yubico options, though, and they may be a good-enough choice if you’re already experienced with security keys.

    Both Google and Feitian got flack from experts for a lack of transparency in the production pipeline for the keys, which are made in China. We didn’t find any new information about the production of these keys, nor any news stories suggesting this has been an issue since the keys were introduced in 2018.

    SoloKeys are the first open-source FIDO2 security keys; they allow developers to contribute to the project or file bug reports on GitHub. But each key merely consists of a circuit board and a soft silicone case you put on yourself, and in our tests the keys didn’t seem as durable as the others we tried. Plus, the cases for the USB-C versions didn’t fit that well: Instead of just tapping the key to get it to work, we had to press it, and we found that pressing didn’t work every time.

    Yubico’s YubiKey Bio Series comes in both USB-C and USB-A models and features fingerprint recognition instead of a simple touch authentication. This design adds an extra security layer to your key since if someone steals it, they can’t use it. But with a price tag of $80 to $85, the Bio keys are not necessary for most people.

    We like the physical design of Thetis keys because it’s a flip-out design that protects the main part of the key. We tested two of the company’s USB-A keys; both keys, but especially the NFC key, were bulkier than the other keys we tested. Thetis lacks good documentation, and we couldn’t find any information on the company’s website regarding how security researchers could report vulnerabilities.

    What happens if I lose my security key?

    VIDEO: 2FA is a Big Tech Scam! You Must Resist!
    Rob Braxman Tech

    If you lose your security key you may be unable to log into any accounts that require it. This is why we recommend registering two keys, a primary and a backup. Some services may also require another backup method, like an app, text message, or email authentication.

    What sites support security keys?

    Crypto Moose

    The most popular email services and social networks all support security keys as a second factor of authentication. You can find a full list of nearly every website that supports them here.

    What should I use if a website doesn’t support security keys?

    David Manning

    If security keys aren’t an option, we suggest using an app instead of text messages or email, whenever possible. Text-message verification can be circumvented via SIM swapping when someone uses social engineering to get your phone number assigned to a new SIM so that they can intercept your SMS tokens), and email verification is only secure if you have strong two-factor authentication on that email account, too.

    Can I use a security key with my phone?

    VIDEO: What’s the Best Two-Factor Authentication Option?
    Ask Leo!

    Both Android and iOS support security keys through a physical input (USB-C or Lightning), or NFC. But not all apps support the keys for login, so you may sometimes need to use another method on your phone, like an app or, less preferably, text message.

    1. Drew Porter, founder and president of Red Mesa, phone and email interviews, December 12, 2019

    2. Christopher Harrell, chief engineering officer at Yubico, phone and email interviews, January 24, 2020

    3. Paul Stamatiou, Getting started with security keys, PaulStamatiou.com, October 21, 2019

    4. Stefan Etienne, The Best Hardware Security Keys for Two-Factor Authentication, The Verge, February 22, 2019

    5. Chris Hoffman, Hardware Security Keys Keep Getting Recalled; Are They Safe?, How-To Geek, June 14, 2019

    6. The Best Security Key Review, Keylock Guide, June 6, 2019

    7. Brad Hill, U2F Reviews, GitHub, September 5, 2018

    Meet your guides

    Yael Grauer is an investigative tech journalist based in Phoenix. Her work has appeared in The Intercept, Wired, Ars Technica, Motherboard, Future Tense, OneZero, and more. She likes cooking, hiking, playing puzzle games, listening to bluegrass music, and spending time with her husband and their rescue chiweenie.

    Thorin Klosowski is the former editor of privacy and security topics at Wirecutter. He has been writing about technology for over a decade, with an emphasis on learning by doing—which is to say, breaking things as often as possible to see how they work. For better or worse, he applies that same DIY approach to his reporting.

    Further reading

    VIDEO: Passkeys are HERE and they're SECURE! Learn this today...
    Crosstalk Solutions
    • A Western Digital My Passport Ultra portable hard drive with a cord attached, sitting on a pink background.

      Back Up and Secure Your Digital Life

      VIDEO: Passkeys vs Hardware Keys - Which One Works Best For You?
      Shannon Morse

      by Haley Perry

      From password managers to backup software, here are the apps and services everyone needs to protect themselves from security breaches and data loss.

    • A close-up of the screen of a Macbook laptop on which the 1Password password manager app is being used.

      The Best Password Managers

      VIDEO: Hackers Bypass Google Two-Factor Authentication (2FA) SMS
      John Hammond

      by Andrew Cunningham and Thorin Klosowski

      Everyone should use a password manager, and after researching dozens and testing six, we recommend because it’s secure and easy to use.

    • Puzzle piece representing step one for simple online security.
    • An illustration of a jigsaw puzzle in which one of the pieces says “getting rid of devices with your data".


    Article information

    Author: Peter Mendez

    Last Updated: 1703127362

    Views: 907

    Rating: 4.6 / 5 (102 voted)

    Reviews: 83% of readers found this page helpful

    Author information

    Name: Peter Mendez

    Birthday: 1908-12-07

    Address: 93821 Miller Center Suite 020, Dawnport, FL 73680

    Phone: +4896847173059846

    Job: Article Writer

    Hobby: Juggling, Puzzle Solving, Amateur Radio, Arduino, DIY Electronics, Cycling, Woodworking

    Introduction: My name is Peter Mendez, I am a Open, esteemed, vibrant, spirited, expert, unreserved, unguarded person who loves writing and wants to share my knowledge and understanding with you.