We read through articles, review sites, customer reviews, and technical papers dissecting security keys and the security standards they use. We also interviewed Drew Porter, founder and president of security consultancy Red Mesa, to discuss who needs hardware-based security keys, what to look for in their security protocols and practices, and how past recalls affect trustworthiness.

After selecting Yubico’s keys as picks for this guide, we spoke with Yubico’s chief engineering officer, Christopher Harrell, to get more information on the benefits of hardware security keys, the limitations of specific models, and the ways in which the ecosystem is changing.

Thorin Klosowski is Wirecutter’s privacy and security editor. Prior to Wirecutter, he wrote for Lifehacker, and in both publications he has sought to make complicated technology easy to understand and use.

Yael Grauer did the initial testing for this guide and wrote the original recommendations in the spring of 2020. She has written about online privacy and security for Wired, Vice, BreakerMag, The Intercept, Slate/Future Tense, Ars Technica, and more, and she now covers the category for the Consumer Reports Digital Lab. She collaborated with the Electronics Frontier Foundation on its Street-Level Surveillance project and wrote curricula for TrollBusters, a just-in-time rescue service for women writers and journalists who are experiencing online harassment. She has also co-organized events, taught workshops, and spoken on panels about digital security and source protection.

If you’re new to multi-factor authentication, here’s how the typical new-login process works when you’ve registered a security key with a website or app:

1. You head to the website or app and then type in your username and password.
2. The site or app asks you to connect your key. You do so by either plugging the key into a port on your computer or phone, or holding it near the top of your phone if it supports NFC.
3. You trigger the key by tapping a piece of capacitive metal or clicking a button.

Whether you’re going online to shop, bank, check your email, or use social media, you should be using multi-factor authentication to secure your accounts. Adding an extra layer (or layers) of security to your accounts makes it more difficult for an attacker to compromise them. The National Institute of Standards and Technology (NIST) recommends using some form of multi-factor authentication, and you may already have a second factor, such as receiving a one-time code via SMS messages or using an authenticator app like Authy.

But when it comes to securing accounts and passwords, security keys offer the strongest layer of protection. A key provides an increase in security over just a password, and it can protect against specific types of phishing that try to steal two-factor authentication codes. Most people should use a security key for as many accounts that support it, and the keys in this guide should work for both personal and business accounts (unless you’re a government or regulated-industry employee, in which case you’ll likely have different keys, such as the Yubico YubiKey 5 FIPS Series).

Multi-factor authentication works by requiring the presentation of multiple layers of evidence, or factors, before allowing access to an account. What the factors are can vary, but they generally fit into one of three categories:

• something you know (such as a password or PIN)
• something you have (such as a security key or phone)
• something you are (biometrics such as a fingerprint reader, face scan, iris scan, or voice recognition)

Security codes sent by text messages have their own set of issues, and while authenticator apps are preferable to SMS, security keys provide the strongest protection against phishing attacks. For example, if you were to tap on a spoofed website link sent to you in a text message, an attacker controlling that site may get your username, password, and authentication code after you type it all in—but that can’t happen with a physical key. Plus, security keys are easier to use at a computer than fussing with your phone. Some security keys, including our picks, also support “passwordless login,” where you don’t even need a password, just the physical key itself, to login. The most notable company that currently supports this type of login is Microsoft.

“It is harder to compromise a hardware token than a digital phone, because not everyone has perfect insight to everything that’s happening or going on in their phone,” said Drew Porter, founder and president of Red Mesa. “Most people don’t monitor everything that is happening on their phone, and therefore they can’t know whether their phone is compromised.”

“People do a lot of campaigns around phishing education and around teaching people to be careful about the URL bar in the browser, but it turns out we’re human,” said Yubico’s chief engineering officer, Christopher Harrell. “We have other priorities, and our attention is limited.” Security keys do the heavy lifting of making sure the sites you’re trying to log in to are authentic, so you don’t have to be as meticulous about noticing anything off. As an example, Porter noted that a lot of people mindlessly tap through “Did you sign in?” push notifications on their phones even when they shouldn’t, an issue that wouldn’t come up if they were logging in using a security key.

We recommend having at least one backup security key to use in case you lose your main one. With most services, you can register multiple keys, which you should do in advance; that way, if you lose your main key, you can log in with a backup. If you don’t have a backup, in some cases you could be locked out of an account. Different sites have different recovery mechanisms, including authenticator apps, SMS-based recovery keys, and backup codes (one-time recovery codes you can store somewhere).

Although security keys are more secure than authenticator apps, they’re not the best choice for people who tend to lose things. Most people should have at least two security keys: one for everyday use and a backup key that can stay somewhere secure, such as in a safe, if you lose your everyday key. Some people may want additional keys for different devices.

Additionally, the security key ecosystem has some rough edges. Not every type of key works seamlessly on a mobile phone, for example, and some apps revert to authenticator apps in some circumstances.

Security keys can be tricky to set up, so people without the patience to do so should stick to authenticator apps. But once security keys are set up and in actual use, we’ve found them to be much easier to use in practice than authenticator apps because there’s no wonky copy and pasting required, nor is it necessary to scroll through codes to find the one you’re looking for.

Security keys aren’t perfect. One research paper (PDF) showed how a hacker could clone some security keys, making it so that they could theoretically log in to any accounts protected by the original key. The attack requires physical access to the key, about $12,000 worth of equipment, and at least 10 hours, but it illustrates how even the most secure products can have issues. The researchers performed their attack on the Google Titan key but note in their paper that other hardware using the same chip may also be vulnerable; that group includes an older Yubico model, the YubiKey Neo, and several keys made by Feitian.

A security key doesn’t need to have a lot of features to be useful, but one that’s designed badly can be difficult to use. Following are the features that we found through our research to be most important:

• Security protocols: Since hardware keys are a security item, we dug into each company’s track record on previous recalls and looked at whether the company had a coordinated vulnerability-disclosure program to allow security researchers to report bugs.
• Future-proof support for multiple standards: We focused on keys supporting the newest set of specifications, such as FIDO2. This means that they support more applications and websites, and it suggests that they are less likely to need replacing. Security keys typically have no moving parts and are durable, so you’ll probably use the same keys for many years.
• Consistency and compatibility: We looked for security keys that worked as consistently as possible with each of the services we tested them with. We preferred security keys that came with a variety of connection options so they could work on both Android and iOS, as well as both Windows and macOS computers.
• Setup and user experience: We wanted security keys that were easy to set up and use.
• Customer support: We looked at the types of support each company offered, as well as how much documentation was available on its website both for setting up keys and for troubleshooting. We preferred companies that were well known and had been around for a while, an indicator of continued support in the future.
• Portability and durability: We put the keys we tested through the type of wear and tear that can be expected over a normal day of use, including tossing them around on a keychain and dropping them into the bottom of a bag, and we looked for any parts that seemed as if they could easily snap or break off too quickly with use. We looked at whether the necessary components were well protected. Some companies also make smaller, “nano”-size keys that fit flush with your computer’s USB port. These designs are useful if you work only on a computer, but they’re a pain to use on mobile devices. Most people are likely to want at least one portable key with a keychain loop.
• Cost: Security keys can cost anywhere between $20 and $70 or so. For around $20 to $40, you get a durable key that’s compatible with most services but doesn’t offer as many connectivity options. When you pay more, you typically get more connectivity options, such as USB-C and Lightning, alongside added features like the ability to use your key to log in to your computer.

We dismissed security keys that had limited owner reviews or that were designed specifically for government use (such as the Yubico YubiKey 5 FIPS Series). Going by the above criteria, we tested Yubico’s Security Key, Security Key NFC, Security Key C NFC, and YubiKey 5C, 5C NFC, 5Ci, and 5 NFC; Google’s Titan Security Keys (USB-A/NFC Security Key and USB-C/NFC Security Key); Thetis’s FIDO U2F and BLE U2F Security Keys; and SoloKeys’s Solo USB-C, Solo USB-A, Solo Tap USB-C, and Solo Tap USB-A models.

We tested the setup of each key with various apps, noting issues along the way. We ran over all the keys a couple of times with a car to make sure they were durable enough to withstand such punishment, and then we tossed them into a washer to make sure they’d still work in case you leave yours in your pocket. Once we settled on Yubico keys as our picks, we reached out to the company for additional details on features and compatibility.

Our pick

Yubico’s Security Key series offers strong account security and excellent documentation for newcomers. It’s available for USB-A and USB-C ports (and both versions work with NFC devices such as phones), but it doesn’t support advanced protocols that some accounts may require, so it’s less future-proof than our upgrade pick.

Buying Options

VIDEO: Is Bitwarden's 2FA Code a Security Risk?

Pro Tech Show

The best security key for most people is the Yubico Security Key, which comes in two forms: the Yubico Security Key NFC (USB-A) and the Yubico Security Key C NFC (USB-C). These security keys work with most devices, including phones and laptops. They feature all the security protocols necessary to work with a wide array of web services that most people use, including 1Password, Bitwarden, Google, Microsoft, and plenty more. Yubico’s documentation and support is the best we’ve seen, and the keys have proven durable over years of testing. Priced under $30, they’re affordable enough that you can buy a couple (which we recommend, so you have a backup) without spending too much, especially considering there’s no reason they won’t last for many years.

In some cases, experts suggest, programs and security keys that use open-source software, which allows anyone to review the program’s code, are more secure. All Yubico keys are closed source, but the company has built trust around its security practices in other ways, including internal and third-party security assessments of its code for every major release. When Yubico had a vulnerability in its YubiKey FIPS Series of keys (used by government agencies) in June 2019, the company replaced affected devices. It also proactively lists security advisories and mitigations on its website.

The Yubico Security Keys meet FIDO2 standards and support U2F, WebAuthn, and CTAP 1 and 2, which makes them compatible with most web services that support security keys, including more forward-looking features such as Microsoft’s passwordless login. The standard Security Keys don’t offer some of the options for super-technical folks who might want to, say, put a GPG key in hardware, or for enterprise users who want a key that works with PIV smart cards for Active Directory, or for SSH or S/MIME. If you aren’t familiar with those terms, you’re unlikely to miss the advanced features of the more expensive 5 Series.

Each Security Key model fits either a USB-A or USB-C port, and most phones support NFC, so the keys should work fine for most devices. Get whichever key fits into the port on your computer. If you need more options, such as Lightning for a physical connection to an iPhone (or certain models of iPad), or if you want thumbnail-sized keys that don’t stick out, go with the .

In order to use any security key, you have to set it up and pair it with each individual online account. Setup on an account takes only a couple of minutes, but finding the right place to do so can require some detective work. Helpfully, Yubico’s documentation is extensive: In addition to a setup page, Yubico has videos and links to instructions for services that you might want to use your security key with, including a list (with visuals) of which key works with the program, information on security-protocol support, desktop and laptop platform support, mobile support, browser support, and any special offers. This documentation is far more comprehensive than what we’ve seen from the competition.

Most of Yubico’s full-size keys are water resistant and crush resistant. Like other keys we tested, both the Yubico Security Keys and the 5 Series held up well for us in our regular testing, and they still worked fine after we ran them over with a car and put them through a cycle in a washing machine. All of them were easy to carry around on a keychain, too. After more than two years of use, the keys hanging on our keychains still look nearly brand-new and continue to work. They had the same durability results in tests conducted by Freedom of the Press Foundation digital security trainer David Huerta.

At $25 and nearly $30 for the USB-A and USB-C models, respectively, the Yubico Security Keys are cheaper than Google’s similarly styled Titan Security Keys and nearly half the price of most models in the Yubico YubiKey 5 Series. The Yubico Security Keys lack the nice-to-have features of the 5 Series, such as multiple connection options, computer login, and support for time-based one-time passwords on the Yubico Authenticator app. But most people don’t need those extra features enough to justify the increase in price for a 5 Series model.

For the most part, we found the experience of using a security key on both Windows and Mac laptops straightforward, but compatibility issues still affect certain browsers, and some software does not support keys directly, so you too might run into issues.

Support on mobile devices has expanded over the past few years, but we still encountered quirks with keys on both Android and iOS; for example, on both platforms, you can use a key to log in to Dropbox from your smartphone’s browser, but not the Dropbox app. We’ve seen improvements in other apps, though, such as Facebook, which now fully supports keys in its mobile apps, and Twitter, which will soon allow you to log in with just the key, no password needed. To compound the confusion, some apps and services might support a key when it’s plugged in but not over NFC. These sorts of mismatches can be annoying, especially considering that even when NFC is supported, you still have to hold the key close to your phone and cross your fingers in hopes that it registers. If you really dislike futzing around with NFC, the YubiKey 5 Series may be a better option.

Upgrade pick

The YubiKey 5 Series has versions to fit every modern device, as well as premium features for advanced use.

Buying Options

VIDEO: 5 things you didn't know your USB Flash Drive could do!

Liron Segev

If you’re looking for extra features and you’re comfortable tinkering around with more advanced settings in web apps, get a key in the Yubico YubiKey 5 Series. The 5 Series encompasses several models and is thus compatible with more devices than any other key, including Yubico’s Security Key line. The 5 Series has the same excellent Yubico video walk-throughs and setup instructions, and the keys themselves are portable and durable, though they cost nearly twice as much as our main pick.

Determining which 5 Series key is best for you depends on which devices you own. Yubico provides a quiz to help you find the right key, but the breakdown goes something like this:

• YubiKey 5 NFC (also available in non-NFC nano form): The YubiKey 5 NFC has a USB-A plug and near-field communication (NFC) support, so you can use it for NFC-enabled devices such as most smartphones. Although we didn’t test nano-size keys for this guide, those models are better if you want to leave your key in the USB port of your computer.
• YubiKey 5C (also available in nano form): The USB-C–only design is compatible with Android phones as well as some newer tablets, desktop computers, and laptops. It is not compatible with iPhones.
• YubiKey 5C NFC: With USB-C and NFC, this model is a good option if your computer has a USB-C port and you don’t need a Lightning connector. It works with most newer desktop computers and laptops, with some tablets (including several iPad models), and with Android and iPhone (over NFC).
• YubiKey 5Ci: The 5Ci has two different sides, a USB-C connector and a Lightning connector, the latter of which is used by most Apple mobile devices. So this key is best for people reliant on Apple hardware, including iPhones, iPads, and laptops, though we preferred using the NFC keys over fiddling with this one; it’s still a good option if you have an iPad model with a Lightning port.

The 5 Series offers more port options and combinations than the selection from every other company, including Yubico’s less expensive Security Key line and Google’s Titan Security Keys, which don’t have a Lightning-port option for iPhone owners and instead rely on NFC. Although the 5 Series has wider compatibility with smartphone ports than other options, it still suffers from the same seemingly random quirks of the Yubico Security Keys. But even so, the 5 Series supports multiple protocols, including FIDO2, U2F, PIV, Yubico OTP, and OATH HOTP, which helps ensure that it’s compatible with as many services as possible in the future.

The YubiKey 5 Series is more expensive than competitors, and some versions are twice as expensive as the basic Yubico Security Key. But for many people, it’s worth the high price because it’s future-proof and it adds nice-to-have extras.

Although some of the extras in the YubiKey 5 Series aren’t things most people are likely to need every day, they are nice to have for anyone seeking the highest level of security. Most notably, the 5 Series can generate time-based one-time passcodes for up to 32 accounts, similar to how the Authy and Authenticator mobile apps work, but the credentials are stored on the key. This feature requires downloading the Yubico Authenticator app, and it works with services that support other authentication apps such as Authy. When you run into a site with software authentication but not key support, you can store those codes on the key. The Yubico app will then display those codes only if the key is connected, so even if someone managed to get your phone, they’d still need the key to access the authentication codes. None of the other keys we tested, including those in Yubico’s cheaper Security Key line, have this functionality. But using this feature puts the onus on you to save all the two-factor backup codes or to store credentials on a second key, so make sure you’re comfortable doing so.

Although it’s difficult to set up, the 5 Series also supports computer login on Windows, Mac, and Linux so that no one can access your machine without inserting the key after the system boots. Most other keys, including the Yubico Security Key models, can’t do the same.

Like Yubico’s Security Key models, the 5 Series keys have proven resilient over our years of testing. After dangling on a keychain for a couple of years, they still work and look nearly brand-new.

To set up your security key, it’s best to start on a laptop or desktop, as some mobile apps won’t allow you to register a hardware key to your account on your phone. Once you register a key on your computer, it should simply work with your phone. As an example, here is how to set up a key with our favorite password manager, 1Password. The process is the same for any security key an app supports:

1. Log on to your 1Password account from your browser.
2. Click your profile in the top right and select My Profile.
3. Click More actions and select Two-Factor Authentication.
4. Select Add Security Key, name the key, and click Next.
5. When prompted, insert your security key and tap the button or gold disk.
6. You should see a notice saying “Your security key was registered.”

When you’re done, repeat the process with your backup key. You should also set up an authenticator app such as Authy if you haven’t already, in case you run into an instance where you can’t use your key on a mobile device. The process is more or less the same for other supported services.

Once the key is enabled, it should work automatically with your smartphone if the two have a physical connection. On Android and iPhone handsets, you can log in using an NFC key by holding it to the back of your phone until the phone stops buzzing.

On a day-to-day basis, you may not be required to use your hardware key all that often. Services often consider different risk factors to determine whether to require it. Some sites may ask you to insert it when you’re managing what kind of authentication you’re using, while others may ask you to use your key only when you’re logging in from a new computer.

Google’s Titan Security Keys include USB-A and USB-C models, both with NFC support. The Titan keys support only U2F, not FIDO2, which is currently used by services like Microsoft and may be used by potential “passwordless” accounts in the future. Google’s keys work with its Advanced Protection Program, which is useful for activists, journalists, political-campaign teams, or executives, but its increased security involves some usability trade-offs. What little documentation Google provides isn’t useful, and even just figuring out which protocols and standards the key meets requires significant research. Both Titan keys are very similar to Yubico’s Security Key models, though we found their white plastic more prone to accumulating dirt when the keys were attached to a keychain. The Titan keys are fine if you already have one, but all of Yubico’s options are more future-proof.

Feitian security keys come with most of the same security features and protocols as the Yubico options do, and they offer a variety of connectivity choices, including USB-C and NFC and even a fingerprint option. Feitian is also the company that makes Google’s keys. But its documentation, including basic information about features and security, isn’t as good as Yubico’s; some links on the company’s site even lead to unfinished pages. Feitian keys are often half the price of the similar Yubico options, though, and they may be a good-enough choice if you’re already experienced with security keys.

Both Google and Feitian got flack from experts for a lack of transparency in the production pipeline for the keys, which are made in China. We didn’t find any new information about the production of these keys, nor any news stories suggesting this has been an issue since the keys were introduced in 2018.

SoloKeys are the first open-source FIDO2 security keys; they allow developers to contribute to the project or file bug reports on GitHub. But each key merely consists of a circuit board and a soft silicone case you put on yourself, and in our tests the keys didn’t seem as durable as the others we tried. Plus, the cases for the USB-C versions didn’t fit that well: Instead of just tapping the key to get it to work, we had to press it, and we found that pressing didn’t work every time.

Yubico’s YubiKey Bio Series comes in both USB-C and USB-A models and features fingerprint recognition instead of a simple touch authentication. This design adds an extra security layer to your key since if someone steals it, they can’t use it. But with a price tag of $80 to $85, the Bio keys are not necessary for most people.

We like the physical design of Thetis keys because it’s a flip-out design that protects the main part of the key. We tested two of the company’s USB-A keys; both keys, but especially the NFC key, were bulkier than the other keys we tested. Thetis lacks good documentation, and we couldn’t find any information on the company’s website regarding how security researchers could report vulnerabilities.

What happens if I lose my security key?

What sites support security keys?

What should I use if a website doesn’t support security keys?

Can I use a security key with my phone?