Looking for a bargain? – Check out the best tech deals in Australia

Kensington VeriMark Guard USB-C Fingerprint Key

Kensington VeriMark Guard USB-C Fingerprint Key

Biometric protection in a tiny package

3.5 Good
Kensington VeriMark Guard USB-C Fingerprint Key - Kensington VeriMark Guard USB-C Fingerprint Key
3.5 Good

Bottom Line

Multifactor authentication is the best way to prevent account takeovers, and the tiny fingerprint-reading Kensington VeriMark Guard USB-C Fingerprint Key is up to the task. You don't get advanced features such as NFC connectivity, however.
Best Deal$99

Buy It Now

  • Pros

    • Works with most popular multifactor standards
    • Integrated, optional, fingerprint sensor
    • Small, well-built design
  • Cons

    • Confusing onboarding
    • No NFC
    • Doesn't indicate when biometrics are in use
    • Biometrics not widely supported

Kensington VeriMark Guard USB-C Fingerprint Key Specs

Authentication Specifications FIDO U2F
Authentication Specifications FIDO2
Authentication Specifications WebAuthn/CTAP
Connector USB-C
Wireless Specification None

Multifactor authentication (MFA) is the best way to keep bad guys from taking over your accounts, and using hardware security keys is the most secure MFA method. The Kensington VeriMark Guard USB-C Fingerprint Key works with the most widely accepted MFA standards and adds biometric protection. Its small, durable design means it can stand up to the rough life on a keychain, but at A$99, its price may be too high for first-time buyers and its list of advanced features too shoppers seeking the most capabilities.

Why Should You Use a Security Key?

"But what's MFA?" I hear you cry. MFA, sometimes called two-factor authentication or 2FA, is a method for verifying who you are with multiple (and different) factors. In other words, this doesn't mean simply using two passwords per account. MFA requires at least two of the following means of authentication:

  • Something you know, such as a password;
  • Something you have, such as a hardware authenticator; and
  • Or something you are, meaning biometric authentication such as fingerprint scans or facial recognition.

Notably, some login schemes combine all three, such as a biometric hardware MFA key with a password or PIN.

When you use MFA to protect an online account, you make it infinitely harder for a bad guy to seize control of it. Even if an attacker manages to get your password, they won't have access to your fingerprint or security key. This is especially important when you consider that passwords are insecure and that we're bad at using them. A quick glance at Have I Been Pwned shows well over 11 million breached accounts, demonstrating just how many exposed passwords are floating around.

There are several different ways to set up MFA, but not all of them are equally robust. Receiving one-time use codes via SMS is the weakest method because determined attackers can use SIM-jacking and other tricks to snag the codes. One-time codes from apps are much better but require a phone with a functioning battery. Hardware security keys, such as the Kensington VeriMark Guard USB-C Fingerprint Key, are harder to attack and don't require batteries or network connectivity. If you're not willing to make the jump to a hardware authenticator, authenticator apps are completely free. Given the limited support for hardware MFA, you will probably need to use one of these apps for some accounts anyway.

Whichever MFA method you choose, it's more important that you choose one you'll actually use. While you're at it, use a password manager to create and store unique, complex passwords for every site and service you use.

What's the Point of Biometrics?

Most other hardware MFA keys simply require that you tap a portion of the device as a liveness test—that is, testing to see if an actual human is using the device and not clever malware impersonating a device. But skeptical consumers might worry that anyone could simply steal their MFA key. While that's possible, it's exceptionally unlikely.

The Kensington VeriMark Guard is plugged into a laptop and a finger touches its sensor.

Adding biometric confirmation into the mix means that even if someone steals your VeriMark Guard, they can't use it without your finger (and all the potential dismemberment that implies). It also makes it that much harder to attack your accounts, using all three possible factors.

Kensington tells me that fingerprints are not stored on the VeriMark Guard. Instead, it holds what the company calls an "encrypted fingerprint template." The company says that the devices uses AES-256/SHA-256 encryption to secure its data. When you use the biometric sensor, the VeriMark Guard confirms that your fingerprint matches its template, and then securely sends the confirmation to your device and onward to the site or service you're accessing. This process keeps your data encrypted even on the VeriMark Guard.

Biometrics aren't much good if they can be tricked. Kensington says that the VeriMark Guard has a false-rejection rate of 2% and, importantly, a false acceptance rate of 0.001%.

What MFA Standards Does the VeriMark Guard Support?

The name "Kensington VeriMark Guard USB-C Fingerprint Key" is a real mouthful, but it tells you everything you need to know about the device. For convenience, I'll refer to it as the VeriMark Guard from here on, however. The VeriMark Guard is a USB-C hardware MFA key from peripheral manufacturer Kensington that features a fingerprint scanner for biometric authentication.

The VeriMark Guard supports the FIDO U2F, FIDO2, and WebAuthn/CTAP2 MFA standards. These are the most common ways to perform MFA across all devices and the VeriMark Guard's support for them means that it will work in nearly every place that supports hardware MFA keys. Note, however, that not all sites and services that support hardware MFA also support biometric MFA. In those instances, the VeriMark Guard functions as a regular tap-to-authenticate key.

The VeriMark Guard on a piece of Acacia wood

How Does the VeriMark Guard Compare With Other Hardware Keys?

At $69.99, the VeriMark Guard isn't an impulse purchase, but it compares well with other high-end keys. The Yubico YubiKey 5Ci, which includes both a USB-C and an Apple Lightning connector, costs $70. The YubiKey 5C Nano has a similar profile and costs $60, while the house key-sized YubiKey 5C NFC is just $50. Google's USB-A and USB-C variants of its Titan key each cost just $30. Kensington also offers a USB-A version of the VeriMark Guard for $64.99.

If you're willing to give up on USB-C, the price for a hardware key drops dramatically. There's the aforementioned Titan key, but the USB-A Yubico Security Key NFC sneaks in at just $24. For €29 ($34.26, at time of writing), the bulky-but-open-source NitroKey FIDO2 can be yours.

Many of these devices also support NFC, which the VeriMark Guard does not. NFC allows multifactor keys to communicate wirelessly with devices regardless of physical connector—for instance, you can use a USB-A or -C key with an iPhone, as long as the key has NFC. Because the VeriMark Guard has a USB-C connector but lacks NFC, it can work with some iPads but can't work with an iPhone, which may be a dealbreaker for some consumers.

What places the VeriMark Guard in an awkward spot is that while its price compares fairly with other high-end security keys, its list of features does not. The YubiKey 5 Series ranges in shape and price from the $45 YubiKey 5 NFC to the ultra-tiny YubiKey 5C Nano and the pricey YubiKey 5Ci, but all of them have the same extensive feature set. They support FIDO U2F, WebAuthn, and FIDO2 just like the VeriMark Guard, but also support use as smart cards (PIV), work with apps to generate time-based one-time passcodes (TOTP), can generate Yubico's own OTPs, work with OpenPGP, and even replay static passwords. These are advanced features, to be fair, but demonstrates the value these devices bring.

To date, the VeriMark Guard is the only biometric security key we've reviewed. Yubico has finally brought its long awaited biometric YubiKey to market for a whopping $80, and we look forward to reviewing it soon. The YubiKey Bio series does, like the VeriMark Guard, lack NFC and the advanced features of the YubiKey.

Physical Characteristics

The VeriMark Guard is 20.8mm from the end of its USB-C connector and measures only slightly taller with the included cap. Without the cap, it's just 5g, but it feels pleasantly hefty in the hand like a worry stone. The metal main body of the VeriMark Guard has a "K" engraved in a padlock on one side, which serves as an indicator LED. When it glows white, it's time to tap the key. On the opposite end from the USB-C connector is a smooth, black plastic panel. This serves as the fingerprint reader and tap button.

The tight-fitting plastic cap protects the USB-C connector and is secured with a thin cord and ring. I appreciate that Kensington rightly recognized that these caps are almost certainly doomed to be lost, but the ring is low quality and broke with only a moderate tug. I recommend getting yourself a more robust ring and lanyard.

The VeriMark Guard with its cap closed

The VeriMark Guard will certainly stand up to life in a pocket or on a key ring and protects its most delicate components. This is a different approach from many YubiKey models, which are larger, flatter, and feature a metal-reinforced hole so it can fit snugly against house keys. The VeriMark Guard design is, however, small enough that it could live semi-permanently in a device, similar to the Yubico Nano line of keys. I slightly prefer the flat YubiKey design, but it's mostly a matter of taste.

Hands On With the VeriMark Guard

One of the selling points of the VeriMark Guard is that it's supposed to be effortless to use on any platform. The biometric authentication is optional and will fail over to the normal tap-key-to-confirm MFA mode without any effort from the user. That's great in theory but I found it confusing in practice.

I started by enrolling the VeriMark Guard with Twitter as my MFA key. Twitter accepted the device, and I was able to log in to the service with the key via the Firefox browser both on my 13-inch 2020 MacBook Pro and my Pixel 3a. So far, so good.

Testing the biometric capability of the VeriMark Guard was more difficult. The company's onboarding documentation is confusing and scattered across a few sites. The documentation I found indicated I had to enroll fingerprints on the VeriMark Guard using the security settings in Windows 10. According to a note on Kensington's site, Windows 11 is still being tested for compatibility. Some competing products indicated that I could configure their devices with the latest version of the Google Chrome browser. Kensington confirmed that this was the case for the VeriMark Guard as the result of a new updated to Chrome. Onboarding with MFA keys has always been difficult, but Kensington really must do better.

The VeriMark Guard in a hand's palm

Once I understood what to do, setting up the VeriMark Guard was not difficult. I plugged it into an Intel NUC Kit NUC8i7BEH (Bean Canyon) desktop and followed the instructions (PDF link) from Kensington. It was similar to enrolling a fingerprint on an iPhone or Android where I touched the sensor repeatedly. The device can store up to 10 fingerprints. I find it useful to have right- and left-hand fingers enrolled so I can authenticate regardless of how I am holding the device. You'll also have to set a PIN for the VeriMark Guard in this process.

While Windows Hello supports biometric logins via fingerprint readers, the VeriMark Guard cannot fill that role. This limitation isn't Kensington's fault, but it's a preview of the confusion to come.

Enrolling a fingerprint through Chrome was also straightforward. Log in to the browser with your Google account, open the browser's Settings and then navigate to Privacy and Security > Security > Manage security keys. From here you can enroll or remove fingerprints, as well as add or remove a PIN. I prefer this method for setup since it doesn't require you to have specific hardware. In fact, I tested this method on a MacBook Pro, and then verified that the newly enrolled fingerprints worked by logging into my Microsoft Account without a password.

Biometric MFA support varies by service, browser, and platform. Using Kensington's guides to find services that supported biometric authentication, I enrolled the VeriMark Guard with Dropbox. When I logged into Dropbox on macOS with Firefox, it didn't matter what finger I tapped against the device; I was granted access after entering my password and tapping the device. This is normal behavior for an MFA key. Logging into Dropbox in Chrome on macOS, using the incorrect finger kicked up an error message but worked just fine with the finger I enrolled with the device.

The VeriMark Guard plugged into an Android phone, a finger touching its sensor.

I do not like how there is no way to tell whether the VeriMark Guard is using biometrics or not. It's good that the VeriMark Guard is smart enough to work seamlessly with and without biometrics, but it should be communicating this to me. If, for example, the indicator LED showed white for standard tap-to-authenticate and blue for biometric, I would know exactly what's going on.

Ahead of Its Time

The Kensington VeriMark Guard USB-C Fingerprint Key is a well-made, unobtrusive device that brings hardware MFA to most devices and seamlessly moves between biometric and traditional MFA authentication. Using it will, without question, make you safer, and may help alleviate the nagging worry that a lost key spells doom for your accounts. If someone tries to use your key, they'll be foiled by the fingerprint requirement.

Without NFC, however, the VeriMark Guard leaves out just about all iPhone users—a significant omission. It also advanced features found among competing devices. More broadly, Kensington needs to make it clearer how to set up and use the VeriMark Guard, as its documentation is rather scattered. I would prefer the device had an indicator to show when biometric authentication was in use, too.

However, the greatest challenge I encountered testing the VeriMark Guard wasn't from the device itself, but the numerous variables that dictate whether or not biometrics would be available. This is out of Kensington's hands, but I think it needs to be called out because the barrier to entry for MFA has always been confusion about what it is and how it works. Having to line up a seemingly magic array of devices, services, and browsers is a nightmare.

As long as support for biometric MFA remains limited, Kensington's VeriMark Guard is a better purchase for someone future-proofing their life rather than someone shopping for their first hardware MFA key. For that, the low-cost Yubico Security Key NFC is probably the best bet. Anyone ready to go all-in with MFA should instead look to the Editors' Choice winner Yubico YubiKey 5C NFC, which is cheaper than the VeriMark Guard, works with more devices, and supports a host of advanced features.

About Max Eddy