Wed. Nov 29th, 2023

A hardware security key makes your online accounts even more secure. When you sign in, you’ll have to plug in your key and press a button—or touch it to your phone. They work on websites like Google, Facebook, and many more.

This Cybersecurity Awareness Week article is brought to you in association with Incogni.

UPDATE: 10/19/2023

We’ve reviewed our recommendations and have updated our best hardware security key overall.

What to Look for in a Hardware Security Key in 2023

If you’ve been on the internet, then you’ve probably heard of two-factor authentication, usually abbreviated as 2FA. Typically, 2FA involves receiving a code you have to enter after you enter your password correctly. You can receive this code through an SMS message, an email, or an authenticator app.

These solutions can have problems though, especially since SMS messages can be intercepted through SIM-swapping attacks, email accounts can be broken into with social engineering, and authenticator apps lose their value if your phone is stolen or you forget it somewhere.

This is where security keys come in. Using Multi-Factor Authentication, or MFA for short, means using more than just one authentication factor, so 2FA is part of MFA.

Where physical security keys shine is that they don’t have the issues stated above regarding interception or breaking in. Of course, they can be stolen, but some keys have biometrics in them or require another PIN, making it a true MFA key so that even if it’s stolen, people can’t hack into your accounts.

So what should you look for when picking a hardware security key? Primarily, you want a key that supports the same protocols that your accounts use. For example, if you plan to secure your Twitter, Google, and Facebook accounts, you’ll need one that is compatible with them.

Currently, the most popular form of authentication is called FIDO2 and is almost universally supported. There’s also FIDO U2F, an earlier version of FIDO2, and most devices that support FIDO2 also support FIDO U2F. Backward compatibility is a good thing to have.

Then there are additional features that a hardware security key can provide, such as One-Time Passwords (OTP) through a protocol called OATH TOTP or Yubico OTP. There’s also OpenPGP, which encrypts emails and only allows you to decrypt them if you have the correct OpenPGP key, adding another layer to secure emails.

As for what to choose exactly, that depends on your needs. If you don’t need OTPs or encrypted emails, then a key that uses FIDO2 is most likely going to cover 90%-100% of the stuff you need it for.

Also, it’s important to make sure you get a key that works with the devices you use. If you mostly want the key for mobile use, then getting one with NFC is the way to go. If you prefer to include biometrics for use with something like Windows Hello, you’ll want a security key with a fingerprint scanner.

So, let’s get into what the best hardware security keys are.

How-To Geek’s product recommendations come from the same team of experts that have helped people fix their gadgets over one billion times. We only recommend the best products based on our research and expertise. We never accept payment to endorse or review a product.

Best Overall Security Key: Yubico Security Key C NFC



✓ Affordable USB-C security key with the features most people will need

✗ Doesn’t have support for more advanced protocols

✓ Supports FIDO U2F and FIDO2 protocols used by most of the big names

✓ Additional support for WebAuthn, CTAP 1, CTAP 2, U2F

✓ Includes NFC for securing mobile devices

The Yubico Security Key C NFC strikes an almost perfect balance between all the elements that matter most in a hardware security key. It works with Windows, macOS, ChromeOS, and Linux, can be used with mobile devices thanks to NFC capability, supports many of the most common MFA systems, and doesn’t cost a fortune.

In terms of protocol support, it can handle FIDO U2F and FIDO2, both of which are supported by Google, Twitter, and Microsoft, and a variety of password managers such as LastPass, 1Password, and Dashlane. If you want to ensure the key will work with the sites and services you use most, it’s easy to find a compatibility list online.

Although small and designed to fit easily onto a keyring, the Yubico key is water and crush-resistant, meaning it won’t be easily damaged. The USB-C connector makes it well-suited to work with a wide variety of modern devices, including physical connection to Android phones. If you need to protect older computers, there’s a USB-A version available, too.

It might not offer the breadth of protocol support found in some other keys, including our pick for Premium Key, but most people are unlikely to need those more advanced features. In exchange for a shorter protocol support list, you get the key cheaper, and that will be a fair and reasonable trade-off for most.

Yubico Security Key C NFC

Best Overall Security Key

The perfect way for the average computer or phone user to improve their digital security. The Yubico Security Key C NFC is compatible with a wide variety of devices, supports the most common protocols in FIDO U2F and FIDO2, and is robust enough to survive life on a keychain. All for less than thirty dollars. 

Best Premium Security Key: YubiKey 5 NFC



✓ Wide range of protocol support

✗ Expensive for those who don’t need the added features

✓ Several port versions available

✓ IP67 rating and no moving parts make it very sturdy

Where the YubiKey 5 NFC shines is near-universal protocol support, meaning you aren’t likely to find a website or service that doesn’t work with it in some fashion. This security key is well-suited for those who tend to deal with heavy security and therefore need an all-encompassing key.

Beyond that, there are also some more advanced features that you can access by using the app, such as OpenPGP, a secure signature for authenticating communications, and an advanced form of a one-time password. With the YubiKey 5, you could send an encrypted email through ProtonMail using PGP—but, rather than relying on a public key, you can use the hardware key instead.

Besides that, it has an interesting ‘static password’ feature that essentially functions as an auto-complete when touching the button on the YubiKey 5. You can write in only a fraction of a 32-character password when in a text box and have the YubiKey do the rest of the work for you.

The only real downsides to the YubiKey 5 are its price and that it can be somewhat finicky to use on mobile. The higher price makes sense given the larger number of included features.

Problems with using the key on mobile devices come down to how apps and browsers function on mobile. It’s easy to use the key on a desktop browser—and it works pretty well in a mobile browser, too. However, many mobile apps force you to enter your passwords in the app instead of a browser, and that can cause some issues. That said, this isn’t just an issue with the YubiKey 5.

If you’re an iPhone user and want a YubiKey 5, there’s a specific security key made for you called the YubiKey 5Ci. It has both USB-C and Lightning connectors, so you can use it across all your Apple devices.

YubiKey 5 NFC USB-A

Best Premium Security Key

The YubiKey 5 provides the most comprehensive protocols of any security key out there, as well as some excellent additional features for those who are security conscious.

Best Security Key for Bio-authentication: Kensington VeriMark



✓ Excellent fingerprint reader

✗ Use on non-Windows platforms can be difficult

✓ Support for most popular forms of MFA

✗ Lack of NFC

✓ Small and portable

One thing that’s missing from YubiKeys that some might find important is a fingerprint scanner. While it may seem like the button on the YubiKey is a biometric one, it’s actually just checking if a human being is pressing the button, rather than some malicious software. In short, it’s similar to reCAPTCHAs that you need to do to prove you’re not a bot.

The Kensington VeriMark is different, however. At just under an inch long, the VeriMark essentially functions as a fingerprint key for your laptop, and there’s even a version made specifically for desktop fingerprint reading.

The VeriMark’s design makes it look like the key is meant to stay put rather than be carried around. However, it does have a cap and can survive just fine in your pocket or on a keychain.

When it comes to protocols, it supports FIDO2, and you should be able to use it on most services and apps. It can also be used for Windows Hello—in fact, it seems made for the Windows operating system, considering that the VeriMark can be a bit difficult to get working on Linux and Mac. The instructions are also rather rough around the edges, which might put the less tech-savvy off.

In terms of security, your full fingerprints aren’t saved to the device’s memory. Instead, the Kensington VeriMark creates a template of your fingerprint and tries to match that. What’s especially impressive is that it seems to work from any angle, so Kensington certainly did a good job in both the sensor and its internal security.

The biggest downside of the VeriMark is the lack of NFC, which puts a lot of iPhone users out of its reach unless you go for the desktop version with a USB cable. If you do, though, you’ll likely have to use a Lightning-to-USB adaptor, and that adds a bunch of unnecessary steps.

Another issue is that it’s a bit on the expensive side, coming in at just under $60. While there’s a single-PC-use version for under $40, that’s a steep price for something tied to one device. We think it’s better to spend the extra money and be able to move around with it.

Kensington VeriMark Guard

Best Security Key for Bio-Authentication

The VeriMark offers the best balance of protocol support, cost, and most importantly, fingerprint scanning that works from nearly any angle.

Best Key & Password Manager Combo: OnlyKey



✓ Can bypass keyloggers

✗ UI can be a bit obtuse

✓ Has a self-destruct emergency code

✗ Bulkier than other security keys

✓ Wide protocol support

✗ Lack of NFC

The CryptoTrust OnlyKey is a bit unique among security keys because it includes a password manager as part of the key. That’s great because it circumvents the possibility of a keylogger getting access to your password since you input the characters for the password on the security key itself.

It’s made even simpler because you only need to press one of the six keys on the OnlyKey to input the password into a text field. In addition to that, you can do both long and short presses for each button, so you can store up to 12 different passwords on it.

If that wasn’t enough, you can even further protect each password with an additional PIN, making the OnlyKey one of the few, if not the only, security key that completely houses three-factor authentication.

As for its 2FA support, it can handle TOTP, Yubico OTP, and FIDO2/U2F, which should cover the majority of sites and apps out there, as well as offer a bit of future-proofing. There’s also a self-destruct code you can set up. Sadly, the code doesn’t make it explode, but it does wipe the OnlyKey completely.

Unfortunately, it does have a significant downside, which is that the interface is very clunky. That means those who aren’t very tech-savvy might have a hard time when using it and setting everything up. While that may put some off, the advantages and unique features of the OnlyKey make up for any additional hassle you’d need to go through.

The OnlyKey is also lacking NFC and Bluetooth, and is a bit bulkier than the other choices on this list. These aren’t necessarily deal-breakers, but it is something to consider.


CryptoTrust OnlyKey

Best Key & Password Manager Combo

The OnlyKey is unique in that it can handle three-factor authentication completely internally through its onboard password manager. While it’s a bit bulky and the UI is clunky, it’s still an excellent security key.

Best Open-Source Security Key: Nitrokey 3A NFC



✓ NFC for remote security

✗ Fairly expensive

✓ Wide range of security protocols

✓ Fully open-source

✓ Several advanced features and tools

Choosing to use an open-source hardware security key has several attractive benefits, not least of which is the ability to view the source code to ensure you are happy with what’s going on under the hood. The Nitrokey 3A is not only fully open-source, but also packed with advanced features often found only in proprietary security keys.

The Nitrokey 3 supports a wide variety of security protocols, including FIDO2, WebAuthn, GnuPG, OpenPGP, and the older FIDO U2F. That means it covers most of the services that might need to be secured, including browsing and email.

Aside from the main security protocols, you can also access One-Time Passwords (OTP), Two-factor Authentication (2FA), and a built-in password manager. Not all of these will be available out of the box, but they can be easily added with a simple firmware update.

Unlike earlier versions of the Nitrokey, you also get NFC. This means you can use it to secure mobile devices without using a USB-A to USB-C/Lightning port adapter. The addition of NFC, as well as the hardware touch button, pushes up the price closer to that of some of the premium YubiKeys on this list, but there are non-NFC versions available if you don’t need the remote access capability.

If open-source is important to you in a hardware security key, and you don’t mind paying a bit more for those advanced features, the Nitrokey 3 is a brilliant choice for securing your desktop and mobile devices.

Nitrokey 3A NFC

Best Open-Source Security Key

A brilliant, open-source hardware security key which offers a wide range of security options, advanced features and remote access through NFC. If you want open-source, you can’t do much better than this.


Why should I use a hardware security key?

Hardware security keys offer some of the best device security due to something called the “possession factor.” This means that the means of access to a device or service is only in your possession, not entrusted to a third party.

Should I use a hardware security key over 2FA?

Two-factor Authentication has its place, but it still relies on a third party for access and can be breached. A hardware security key has the potential to provide better security for your devices and accounts, and often also includes a 2FA option should you need it.

What are the security key certifications?

Security key certifications are a range of security levels, showing how secure a device is. This Evaluation Assurance Level (EAL) is based on a Common Criteria security test, a standard for digital security tools. They run from the least secure, EAL1, to the most secure, EAL7.

What do I do if I lose my hardware security key?

Most hardware security keys prompt you to set up recovery methods in the event of loss or failure. This could be through a companion app, for example. You should always set these methods up before you begin securing devices with your key. If you didn’t, you will need to remove the key as an authentication device on your accounts.

By John P.