Hardware security keys: when, where and how

A hardware security key is the strongest second factor available to most people. It is phishing-resistant by design, requires no battery, and lasts ten years or more.

Updated May 8, 2026

But it is not the obvious next step for everyone. This guide helps you decide when it makes sense, which accounts to enrol first, and how to set it up without operational risk.

When a hardware key actually makes sense

An authenticator app (TOTP) is already a strong choice for most readers. A hardware key adds protection beyond TOTP, but that difference only matters in specific circumstances.

A hardware key is the right step if:

  • you face elevated risk of targeted phishing — journalists, lawyers, politicians, IT administrators
  • you manage access to other people’s systems and are therefore an attractive target
  • your organisation requires passkey or FIDO2 for certain access paths
  • you have SSH access to production systems and want the key to handle SSH authentication as well

A hardware key is overkill if:

  • your most important accounts still have no 2FA at all — fix that first
  • you are not yet sure how to handle backup codes safely — also fix that first
  • you are buying one mainly because it “feels right” but there is no clear threat profile behind it

The baseline is: TOTP on all your critical accounts, backup codes stored securely. Hardware keys come after that.

What a hardware key does differently

The difference is not encryption — it is phishing resistance.

With TOTP you type a code into a website. If that website is fake, an attacker can relay that code to the real site in real time and still log in. This is called an adversary-in-the-middle attack.

A hardware key works differently: it checks the actual domain name of the site before granting authentication. A fake site gets nothing back from the key, even if you plug it in. This protection is built into the FIDO2 and WebAuthn protocols and cannot be bypassed by a phishing page.

This makes hardware keys fundamentally stronger than TOTP against phishing. TOTP protects well against weak attacks like credential stuffing. Hardware keys also protect against active, targeted attacks.
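To make the origin check concrete, here is an added Go model of one WebAuthn assertion (example code, not from this guide or any FIDO library): the browser derives the RP ID from the page origin, the key only signs for the RP ID it was enrolled on, and the server checks the origin recorded in clientDataJSON before verifying the signature. The domain names and the challenge are constructed values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Constructed model of one WebAuthn assertion, not real WebAuthn/FIDO library code.
// The key is enrolled for realRPID only; both names are made-up example values.
const realOrigin, realRPID = "https://mail.example.com", "mail.example.com"
// signedPayload is what the key signs: sha256(rpId) || sha256(clientDataJSON).
func signedPayload(rpID string, cdJSON []byte) []byte {
	rpIDHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(cdJSON)
	return append(rpIDHash[:], cdHash[:]...)
}
// keyAssert models the hardware key: it only answers for the RP ID it was enrolled
// on, so a page at another domain gets nothing back even with the key plugged in.
func keyAssert(priv ed25519.PrivateKey, rpID string, cdJSON []byte) ([]byte, bool) {
	if rpID != realRPID {
		return nil, false
	}
	return ed25519.Sign(priv, signedPayload(rpID, cdJSON)), true
}
// rpVerify models the server: type, challenge and origin in clientDataJSON must
// match, and the signature must cover the RP ID hash plus that exact JSON.
func rpVerify(pub ed25519.PublicKey, challenge string, cdJSON, sig []byte) bool {
	var cd map[string]string
	if json.Unmarshal(cdJSON, &cd) != nil || cd["type"] != "webauthn.get" ||
		cd["challenge"] != challenge || cd["origin"] != realOrigin {
		return false
	}
	return ed25519.Verify(pub, signedPayload(realRPID, cdJSON), sig)
}
// loginFrom runs one login from a page served at pageOrigin (an https:// URL). The
// browser fills in origin and derives the RP ID from it; the page cannot choose them.
func loginFrom(pub ed25519.PublicKey, priv ed25519.PrivateKey, pageOrigin string) bool {
	challenge := "constructed-challenge-0001" // the server would send a random one
	cdJSON, _ := json.Marshal(map[string]string{"type": "webauthn.get", "challenge": challenge, "origin": pageOrigin})
	sig, ok := keyAssert(priv, pageOrigin[len("https://"):], cdJSON)
	return ok && rpVerify(pub, challenge, cdJSON, sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("real site:", loginFrom(pub, priv, realOrigin))                      // true
	fmt.Println("look-alike site:", loginFrom(pub, priv, "https://mail.example.net")) // false
}
```

A TOTP code has no equivalent of the origin field, which is why a relayed code still works and a relayed WebAuthn assertion does not.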

Which key to choose

Two options dominate for privacy-conscious users:

YubiKey 5 NFC — the proven standard. Broad compatibility with almost every service. Closed firmware, no updates possible. FIPS and CSPN variants have been externally certified; the standard retail model has not.

Nitrokey 3 NFC — open-source firmware, fully auditable. Firmware updates are possible. Slightly less compatible with obscure services.

For most readers the practical difference in daily use is small. YubiKey is the safe default when compatibility matters most. Nitrokey makes more sense if open-source firmware is a hard requirement, or if the lower price lets you buy two keys instead of one.

See the YubiKey vs Nitrokey review for a detailed comparison.

Always buy two keys. One as primary, one as backup. Keep the backup key somewhere separate — not in the same bag as the primary.

Which accounts to enrol first

Start with the accounts that do the most damage if taken over. These are usually not the accounts you use most often.

Priority 1 — Accounts that unlock other accounts

  • your primary email account (password resets flow through this)
  • your password manager (if it supports hardware keys)
  • your work account or identity provider (Google Workspace, Microsoft Entra, Okta)

Priority 2 — Privileged and professional access

  • GitHub, GitLab, or other code repositories
  • cloud environments (AWS, GCP, Azure console — not just the CLI)
  • servers, VPN access, admin interfaces
  • accounts holding client or patient data

Priority 3 — Other critical accounts

  • financial accounts that support hardware keys
  • domain registrar and DNS management
  • backup services and archives

Get Priority 1 solid before moving on. Most phishing attacks target email and identity providers, not obscure dashboards.

Setting up the backup key properly

The backup key is not a spare — it must work the moment the primary key disappears. That means enrolling it on the same accounts, in advance.

Workflow:

  1. Enrol the primary key on account A.
  2. Enrol the backup key on account A in the same session.
  3. Do this for each account before moving to the next.
  4. Store the backup key separately from the primary — different location, safe, or somewhere that does not share the same physical risk.

Do not enrol the backup key after the primary is already gone. At that point it is too late.

Also save backup codes for any account that generates them at enrolment. Store them as carefully as the keys themselves.

Hardware keys for SSH

For IT professionals, SSH authentication via a hardware key adds a physical presence requirement on top of the SSH key pair. It works through FIDO2-based SSH keys.

How it works:

  • you generate a FIDO2 SSH key that is bound to the hardware key
  • each connection requires the hardware key to be physically present and touched
  • an attacker with only your SSH key file cannot log in without the physical key

Generate one:

ssh-keygen -t ed25519-sk -O resident

The -O resident flag stores the key on the hardware key itself, making it usable from multiple machines without copying a key file. Without -O resident the setup also works, but the local key file must be present on each machine you connect from.

Limitations:

  • Not all SSH servers support FIDO2 SSH keys — verify this before depending on it in production.
  • OpenSSH 8.2 or later is required on the client. The server only needs to accept the ed25519-sk public key type, which OpenSSH supports from 8.2; some older server configurations may work as well.
  • This replaces the passphrase protection of a normal SSH key pair, not the key pair itself.
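As an added example (not part of this guide), a small Go audit of an authorized_keys file: it reports which entries are FIDO2-backed and which carry the no-touch-required option, which removes the physical-presence check described above. The sample file and its key blobs are constructed placeholders.

```go
package main

import (
	"fmt"
	"strings"
)

// KeyEntry summarises one authorized_keys line. OpenSSH names FIDO2-backed key types
// with an sk- prefix (sk-ssh-ed25519@openssh.com, sk-ecdsa-sha2-nistp256@openssh.com).
type KeyEntry struct {
	Type           string
	HardwareBacked bool // private key lives on the FIDO2 device, not only in a file
	TouchWaived    bool // "no-touch-required" option set: presence check disabled
}

// parseAuthorizedKeys scans authorized_keys text (per line: [options] type base64 [comment]).
// Assumption: option values contain no token that itself starts with ssh-, sk- or ecdsa-.
func parseAuthorizedKeys(text string) []KeyEntry {
	var out []KeyEntry
	for _, line := range strings.Split(text, "\n") {
		fields := strings.Fields(line)
		if len(fields) == 0 || strings.HasPrefix(fields[0], "#") {
			continue // blank line or comment
		}
		for i, f := range fields {
			if !(strings.HasPrefix(f, "ssh-") || strings.HasPrefix(f, "sk-") || strings.HasPrefix(f, "ecdsa-")) {
				continue // still inside the optional options field
			}
			if i+1 < len(fields) { // a key type must be followed by key material
				opts := strings.Join(fields[:i], " ")
				out = append(out, KeyEntry{f, strings.HasPrefix(f, "sk-"), strings.Contains(opts, "no-touch-required")})
			}
			break
		}
	}
	return out
}

// Constructed sample file; the base64 blobs are placeholders, not real key material.
const sampleAuthorizedKeys = `ssh-ed25519 AAAAC3PLACEHOLDER1 alice@laptop
sk-ssh-ed25519@openssh.com AAAAGnPLACEHOLDER2 alice@hardware-key
no-touch-required,restrict sk-ssh-ed25519@openssh.com AAAAGnPLACEHOLDER3 backup-job`

func main() {
	for _, k := range parseAuthorizedKeys(sampleAuthorizedKeys) {
		fmt.Printf("%-36s hardware=%-5v touch-waived=%v\n", k.Type, k.HardwareBacked, k.TouchWaived)
	}
}
```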

What to do if you lose a key

If the primary key disappears:

  1. Log in using the backup key or a backup code.
  2. Remove the lost key from every account — do this account by account, not just in one place.
  3. Enrol a new primary key and register it on the same accounts.
  4. Reconsider whether the backup key’s storage location is still secure.

If you have no backup key and no backup codes, account recovery depends entirely on each service’s own recovery procedure. Some offer identity verification as a fallback; others do not. Do not rely on this.

Common mistakes

Buying only one key. The most common mistake. If that key is lost or damaged, you are locked out of every account it was enrolled on.

Not enrolling the backup key. An unregistered backup key is useless in a crisis. Register it alongside the primary at setup time.

Starting with an unimportant account. Enrol the key on accounts that actually matter first, not obscure test accounts.

Removing TOTP as soon as the hardware key works. Keep TOTP as a second login option until the backup key and backup codes are confirmed. After that, decide whether to keep TOTP as a fallback.

Assuming every service supports it. Check before purchasing which accounts in your workflow support FIDO2 or WebAuthn. Not every service does.
