Table of Contents
At PCMag, we've been reviewing hardware security keys since 2018, when they were new technology and multi-factor authentication (MFA) was still a novel idea. Now many major companies support account authentication using hardware security keys, including Apple and Google. Currently, the Yubico Security Key C NFC is our Editors' Choice winner because it's easy for first-time users to adopt, and it's priced to fit just about any budget. Keep reading to discover the best security keys we've tested, followed by an explanation and video of how they work, plus recommendations for choosing the right one for you.
Our Top Tested Picks
Yubico Security Key C NFC
Yubico YubiKey 5C NFC
Yubico YubiKey C Bio
Kensington VeriMark Guard USB-C Fingerprint Key
Google Titan Security Key
Nitrokey FIDO2
Best Overall Security Key
Yubico Security Key C NFC
- Inexpensive
- Outstanding build quality
- Wireless NFC
- USB-A or USC-C compatibility
- Stores passkeys
- Fewer authentication protocols than other Yubico devices
The Yubikey Security Key C NFC is our top pick for most people. It features excellent build quality, and its USB-C connector means it works on just about every new device. It also has NFC support, which lets it authenticate on mobile devices that lack a USB port.
This is our recommended security key for first-time buyers and anyone who doesn't want to pay for the extra features of some other YubiKey models. It doesn't do everything; instead, it does exactly what someone new to security keys would want. It can authenticate your identity online and store up to 100 passkeys, which are accessible via Yubico's apps for desktop and mobile.
Best Security Key for Experts
Yubico YubiKey 5C NFC
- Supports both USB-C and NFC
- Rugged build
- Supports many authentication protocols
- Expensive
The YubiKey 5 Series has the rugged build quality of all Yubico devices, and its USB-C connector and NFC support mean it works with just about every new device. Like the other YubiKey Series 5 devices, the 5C NFC does more than just MFA and password-less login; it can function as a Smart Card, store static passwords and Open PGP keys, and more.
At $55, the YubiKey 5C NFC doesn't make sense for most people who just need to secure their online accounts or haven't used a security key before. It's a better choice for someone with very specific needs or who's savvy enough to learn how to use all its features.
Best Security Key for Biometric Authentication
Yubico YubiKey C Bio
- Built-in fingerprint authentication
- Sleek design
- Easy onboarding process
- Supports widely used authentication standards
- Expensive
- No NFC
- Stores comparatively few passkeys
The YubiKey C Bio has Yubico's trademark build quality. This device can store passkeys, and authenticate your identity like other security keys, but it adds a fingerprint scanner for additional security. In testing, we were able to register fingerprints easily, which is ideal.
What you're paying for with this device is its biometric protection. Make sure that's explicitly what you want before buying. The YubiKey C Bio costs nearly twice as much as the YubiKey 5C NFC, but it supports only a fraction of the authentication methods—the same, in fact, as the Security Key C NFC. It also lacks NFC, so it doesn't work with many mobile devices.
Best Budget Security Key for Biometric Authentication
Kensington VeriMark Guard USB-C Fingerprint Key
- Works with most popular multifactor standards
- Integrated, optional, fingerprint sensor
- Small, well-built design
- Confusing onboarding
- No NFC
- Doesn't indicate when biometrics are in use
- Biometrics not widely supported
It's a tiny biometric security key with a long name! The Kensington VeriMark Guard USB-C Fingerprint Key has fingerprint authentication capabilities and is easy to use for password-free authentication. The key is small enough to stay plugged into your device all the time, which may be a plus for some people.
If you're seeking a diminutive, reliable, and well-made security key, the VeriMark Guard Fingerprint Key is right for you. It costs significantly less than the biometric YubiKeys, making biometric MFA a little more accessible. Be advised that setting up this device is rather tricky, though.
Best Security Key for Google Loyalists
Google Titan Security Key
- Available for USB-A and USB-C
- Supports NFC
- Stores 250 passkeys
- Can't delete passkeys
- Few features
- Very little product documentation available
The only MFA hardware that Google is willing to put its name on is the Google USB-C/NFC Titan Security Key. It's an MFA device that's targeted at everyday and first-time users. The sleek, rounded Titan Security Key is perfect for anyone turned off by Yubico's square-edged utilitarianism.
The Titan Security Key is affordable and, most important, comes with Google's endorsement. Trust is important when it comes to authenticating your login sessions, so Google's recognizable name and massive online presence may hold a lot of weight for certain customers.
Best Open-Source Security Key
Nitrokey FIDO2
- Open-source hardware and firmware
- Affordable
- Supports latest multifactor authentication standards
- Durable and portable
- No NFC support
- Bulky
- Lacks encryption features found in other Nitrokey devices
The Nitrokey FIDO2 does everything Yubico's entry-level key does, but Nitrokey does it using only open-source hardware and firmware. The company touts the device's updatable firmware as a selling point (though whether it's a good thing or a risk is open for debate). We like how affordable the Nitrokey FIDO2 is, but we still prefer the design and build quality of the Security Key C NFC.
Nitrokey's biggest selling points are updatable firmware and open-source hardware and firmware. If either of those appeals to you, then this key is a good choice. It also has a very affordable price that will surely entice first-time buyers.
How Do You Use a Security Key?
While they can take many forms, most security keys are small, key-sized devices that uniquely identify themselves to sites and services. Your possession of the key is a way for the online account to prove that you are who you say you are, in addition to verifying your username and password. To use a security key, you first have to enroll it with each site or service you want to protect. Support for security keys is increasing, but don't be surprised if they're not accepted at every site you try.
Enrolling a key is slightly different for each key and online account, but it usually goes something like this: Somewhere in the online account's settings is an option to enroll a security key. Click it, insert the key, tap the key's button when prompted, and give the key's record a name so you know what it is. Some sites and services limit you to just one key, while others allow or even require more than one. Many sites require you to enable an alternate form of MFA or generate one-time-use security codes to act as backups to your key.
The next time you go to log in, you're prompted to present your security key after entering your username and password for an account. You connect the key through some kind of data transfer connection—typically USB-A or USB-C—and then press a button on the device to verify you're a real person and not a clever malware attack impersonating a key. If both the password and the key check out, you log in as normal.
Some hardware keys include wireless communication capabilities, usually through near-field communication (NFC), to interact with mobile devices. Other keys have biometric authentication for an added layer of protection.
Which Hardware Security Key Is Best for You?
The first thing to look at when choosing a security key is how the key literally fits with the rest of your devices. If you don't have any devices with USB-C, you should stick to keys with a USB-A connector. If you intend on using your key with mobile devices (and you should), select a key with either a connector that fits your phone or NFC if your phone supports NFC.
Consider any budget restrictions, too. The most expensive keys we've reviewed cost up to $95. If you're new to hardware security keys, we strongly recommend starting with a less expensive key and upgrading later. The Security Key C NFC from Yubico and the Google Titan Security Key work well for basic MFA and offer NFC for mobile devices. Either is great for first-time buyers.
Most security keys just authenticate you, and that's enough. But some go further with additional features. Kensington has a line of biometric keys that require the correct fingerprint to authenticate you. High-end YubiKeys have numerous additional features: the ability to play back a static password, working with a desktop or mobile app to provide app-generated passcodes, supporting PGP key management, and offering their own form of one-time passcodes.
Other keys may have niche features or design perks that appeal to particular audiences. For example, Nitrokeys are built on open-source code and hardware, making them strong choices for the privacy-conscious consumer. In another example, Yubico and Nitrokey target very different audiences, since the former blocks firmware changes on its devices to protect them from tampering, while the latter celebrates its updatable firmware.
What Is Multi-Factor Authentication?
Multi-factor authentication, sometimes called MFA, two-factor authentication, or 2FA, allows you to verify your identity using more than one kind of authentication. You should authenticate your login using at least two of these factors:
Something you know
Something you have
Something you are
Something you know is typically a password. It lives in your head and is ideally known only to you. Something you have could be a security key such as those we've listed here, an authenticator app on your phone, or a code sent via SMS to your phone. It's something not easy for a stranger to access or obtain. Finally, something you are is a physical characteristic that can be read with a biometric scan, such as a fingerprint or your face.
What Is Two-Factor Authentication?
It's pretty unlikely that an attacker will have access to more than one of these forms of authentication, making it harder for bad guys to take over your accounts. It's been proven in the real world, too. When Google required employees to use hardware MFA keys, account takeovers effectively ceased.
Remember that MFA of any kind can't protect against all the dangers the modern world presents. We strongly recommend using antivirus software as well as a password manager to create unique and complex passwords for each site and service you use.
How Do Hardware Security Keys Work?
The most widespread means of hardware security key authentication is based on the standards from the FIDO Alliance. All these standards do fundamentally the same thing: They use asymmetric cryptography to authenticate you to a site or service.
Each device can generate any number of public keys from its private key without exposing the private key. That allows a single hardware key to be used for multiple sites and services, but most important, it means a failure or change at any one site or service won't affect the other. You can easily remove and enroll your hardware key as many times as you like.
When shopping for a hardware security key, look for at least FIDO U2F certification because it means the key works in just about every basic security key context. FIDO2/WebAuthn are the next-generation standards that support additional types of authentication. If you want to use a device for biometric MFA or passwordless login, you need FIDO2/WebAuthn.
Are Security Keys Safe?
So what happens if your key is stolen or lost? In the theft scenario, it's unlikely someone would have the means to track down an individual user and steal their security key. Most cybercrime is committed en masse, with thousands or millions of compromised accounts. One security key isn't worth the effort.
That said, a determined attacker could use a stolen key to access your accounts. That's why you should keep your key safe, but also use strong passwords secured in a password manager. If the thief gets the key but can't crack your password, they're still not getting in.
It's far more likely that you lose your key, and that can be a real problem. Yubico recommends enrolling a second key and storing it as a secure backup. Many services that support security keys also allow (and some require) you to enroll multiple MFA factors, so you could set up an authenticator app as a backup MFA option and use that if you don't have your key.
Services often let you generate backup codes you can write down offline or store in a password manager. These codes grant you access in emergencies. If none of that works, find a device where you are still logged in and unenroll the key or add a new MFA factor you do have. The bottom line is that losing your security key is not the end of the world.
Passkeys vs. Security Keys
Passkeys are a secure authentication system that may one day replace passwords. Several major players have thrown their weight behind this technology, making it far more likely to catch on than any other previous effort to replace passwords. Apple, Google, and Microsoft have all added support for passkeys to their platforms, so you're likely to start seeing them appear as an option soon. If you want to try using passkeys to log in, check out our instructions for creating passkeys for your Google or Apple account.
A super-secure authentication scheme might sound like a death knell for security keys, but not so! Some security keys can store passkeys, keeping them safe and separate from your phone or computer. The number of passkeys a security key can store will vary. Yubico's YubiKey Bio keys hold just 25 passkeys each, while Google's Titan key has enough room for 250.
The Key to Better Online Security
Hardware security keys are the best, most secure method of MFA. We highly recommend them. But for some, the idea of paying for a key or having to fetch it for every login is too much bother, and that's just fine. What's most important is that you find an MFA scheme that works for you and that you use it.
Max Eddy contributed to this article.
