The Best Security Keys for Multi-Factor Authentication (2022)

Our Experts Have Tested 130 Products in the Security Category This Year

Since 1982, PCMag has tested and rated thousands of products to help you make better buying decisions.See how we test.(Opens in a new window)

One of the greatest threats against your personal security is an attacker taking control of an online account. With it, a bad guy can do all sorts of nefarious deeds in your name, and if they get control of your email account they can use password recovery features to take control of even more of your accounts. Fortunately, multi-factor authentication (MFA) can protect against account takeovers. While there are many ways to do MFA, one of the best (and definitely the coolest) is with a security key—a tiny device that fits on your key chain.

The Best Security Keys for Multi-Factor Authentication (1)

Yubico YubiKey 5C NFC

Best for Expert Authenticators

4.5 Outstanding

Bottom Line:

The YubiKey 5C NFC packs all the advanced features of the YubiKey line into an affordable package that will work with all your desktop and mobile devices. It's the most versatile security key we've yet reviewed and our Editors' Choice.

PROS

  • Supports both USB-C and NFC
  • No battery or moving parts
  • Crush and water resistant
  • Supports FIDO2 and U2F standards
  • Numerous advanced features

CONS

  • Expensive
  • Spotty support from sites and services
Sold ByList PricePrice
Amazon$63.13$63.13See It(Opens in a new window)

Read Our Yubico YubiKey 5C NFC Review

The Best Security Keys for Multi-Factor Authentication (2)

Yubico YubiKey C Bio

Best for Biometric Authentication

4.0 Excellent

Bottom Line:

The YubiKey C Bio puts biometric multi-factor authentication on your keyring. While somewhat limited in features, it is an excellent implementation of biometric technology that's very easy to use day-to-day.

PROS

  • Biometric multi-factor authentication
  • Slim, durable design
  • Supports widely used standards
  • Easy onboarding

CONS

  • Expensive
  • No NFC
  • Lacks authentication features found in other YubiKeys
Sold ByList PricePrice
Yubico$85.00$85.00See It(Opens in a new window)

Read Our Yubico YubiKey C Bio Review

The Best Security Keys for Multi-Factor Authentication (3)

Yubico YubiKey 5 NFC

Best for PCs With USB-A Connections

4.0 Excellent

PROS

  • Durable, reliable construction.
  • No batteries or moving parts.
  • NFC capable.
  • Different form factors.
  • Supports FIDO U2F, FIDO2.
  • Can generate six-digit one-time use passcodes with companion app.
  • Supports multiple protocols for different security roles.

CONS

  • Expensive.
  • Requires effort and education to fully realize its potential.
  • Limited iOS integration.
Sold ByList PricePrice
Amazon$45.00$45.00See It(Opens in a new window)

Read Our Yubico YubiKey 5 NFC Review

The Best Security Keys for Multi-Factor Authentication (4)

Kensington VeriMark Guard USB-C Fingerprint Key

Best for Small Formfactor Biometrics

3.5 Good

Bottom Line:

The teeny-tiny biometric security key with a very long name, the Kensington VeriMark Guard USB-C Fingerprint Key adds fingerprint authentication to the mix. This key shines in passwordless environments and is small enough to live full time attached to your device, even if onboarding is a bit of a pain.

PROS

  • Works with most popular multifactor standards
  • Integrated, optional, fingerprint sensor
  • Small, well-built design

CONS

  • Confusing onboarding
  • No NFC
  • Doesn't indicate when biometrics are in use
  • Biometrics not widely supported
Sold ByList PricePrice
Kensington$69.99$69.99See It(Opens in a new window)

Read Our Kensington VeriMark Guard USB-C Fingerprint Key Review

The Best Security Keys for Multi-Factor Authentication (5)

Nitrokey FIDO2

Best for Open-Source Evangelists

3.5 Good

Bottom Line:

The Nitrokey FIDO2 supports the most commonly used multifactor authentication standards and does it with open-source hardware and firmware. It's bulkier and slightly more expensive than Yubico's entry level key, but is another excellent choice for first-time buyers.

PROS

  • Open-source hardware and firmware
  • Affordable
  • Supports latest multifactor authentication standards
  • Durable and portable

CONS

  • No NFC support
  • Bulky
  • Lacks encryption features found in other Nitrokey devices
Sold ByList PricePrice
NitrokeyVisit SiteVisit SiteSee It(Opens in a new window)

Read Our Nitrokey FIDO2 Review

The Best Security Keys for Multi-Factor Authentication (6)

Security Key NFC by Yubico

Best for First-Time Multi-Factor Authenticators

3.5 Good

Bottom Line:

The Security Key by Yubico has the durable design of Yubico, supports all the most common authentication standards, communicates with mobile devices via NFC, and is priced well into impulse-purchase territory. It lacks fancier features, but is the best choice for anyone looking to buy their first security key.

PROS

  • Affordable.
  • Supports FIDO2 and FIDO U2F, used by Google, Twitter, Facebook, and others.
  • Durable.
  • Supports NFC.

CONS

  • Limited by lack of support on mobile devices, especially iPhone.
  • Doesn't support other 2FA or encryption features.
  • Won't work with LastPass.
Sold ByList PricePrice
Amazon$32.86$32.86See It(Opens in a new window)

Read Our Security Key NFC by Yubico Review

The Best Security Keys for Multi-Factor Authentication (7)

Yubico YubiKey 5Ci

Best for People With Both Android and Apple Devices

3.5 Good

Bottom Line:

The double-headed design of the YubiKey 5Ci may give you pause, and its price tag may stop you flat, but for anyone who wants the flexibility of the YubiKey line but doesn't trust NFC it's a great choice.

PROS

  • Lightning connector works with nearly all iOS devices.
  • USB-C connects to Android, PCs.
  • FIDO2 U2F (WebAUTHN) compliant.
  • OTP support.
  • Small, durable, no batteries or moving parts.
  • Highly customizable with advanced options.

CONS

  • Expensive.
  • No NFC.
  • Limited support from Apple.
  • Very stiff USB-C plug.

Read Our Yubico YubiKey 5Ci Review

The Best Security Keys for Multi-Factor Authentication (8)

Yubico YubiKey Bio

Best for Biometrics in Legacy Environments

3.5 Good

Bottom Line:

The Bio lacks the flexibility found in other YubiKeys, but is an excellent and well-designed way to add biometric MFA to your life.

PROS

  • Biometric multi-factor authentication
  • Sleek, durable design
  • Supports major authentication standards
  • Slightly cheaper than USB-C sibling

CONS

  • Comparatively expensive
  • USB-A incompatible with many devices
  • Limited use cases
  • No NFC
Sold ByList PricePrice
Yubico$80.00$80.00See It(Opens in a new window)

Read Our Yubico YubiKey Bio Review

The Best Security Keys for Multi-Factor Authentication (9)

Google USB-C/NFC Titan Security Key

Best for Affordable, Durable Hardware

3.0 Average

Bottom Line:

Highly affordable, Google's latest addition to the Titan line will work with just about every device you have. It uses older MFA technology, so it may not be as futureproof as other options.

PROS

  • Affordable
  • USB-C and NFC supported
  • Small, sturdy design
  • Trusted Google name

CONS

  • Older FIDO U2F protocol may limit its utility
  • Incomplete documentation
Sold ByList PricePrice
Google Store$35.00$35.00See It(Opens in a new window)

Read Our Google USB-C/NFC Titan Security Key Review

Buying Guide: The Best Security Keys for Multi-Factor Authentication

What Is Multi-Factor Authentication?

The authentication method most of us are familiar with is being required to enter a username and password. But passwords have a lot of problems. For one thing, we're bad at remembering them and even worse at picking unique, complex passwords that can stand up to attacks. For another, people tend to reuse passwords, meaning that if one account is compromised, all the other accounts with the same password are also at risk.

Multi-factor authentication, sometimes called two-factor authentication or 2FA, seeks to change that by using more than one authentication factor. That doesn't mean a second password, but at least any two from a list of three possible factors:

  • Something you know;

  • Something you have; and

  • Something you are.

Something you know is typically a password. It lives in your head and is ideally known only to you. Something you have could be a security key such as we are rounding up here, or it might an authenticator app your phone. It's something that's not easy for a stranger to access or obtain. Finally, something you are is a physical characteristic that can be read with a biometric scan. That could be a fingerprint scan or facial recognition, although using the latter ranks among the worst mistakes in technology.

Because it's extremely unlikely an attacker will have more than one of these forms of authentication, MFA makes it much harder for bad guys to take over accounts. This has been proven in the real world. When Google required employees to use hardware MFA keys, account takeovers effectively vanished.

What Is a Security Key?

While they can take many forms, most security keys are small, key-sized devices that can uniquely identify themselves to sites and services. Remember, they are something you have.

To use a security key, you first have to enroll it with each site or service you want to protect. There's increasing support for security keys, but don't be surprised if they're not accepted at every site you try. Enrolling a key is slightly different for each key and site, but it usually goes something like this: Somewhere in the site or service settings you'll find an option to enroll your security key. Click it, insert the key, tap the key's button when prompted, and then give the key's record a name so you know which is which. Some sites and services limit you to just one key, others allow many more.

The next time you go to login, you're prompted to present your security key after entering your username and password for an account. You connect the key through some kind of data transfer connection—typically USB-A or USB-C—and then press a button on the device to verify that you're a real person and not a clever malware attack impersonating a key. If both the password and the key check out, you log in as normal.

Some hardware keys include wireless communication capabilities, usually through near field communication (NFC), to interact with mobile devices. Other keys have biometric authentication for an added layer of protection.

Not All Factors Are Created Equal

While two factors are always better than one, each MFA scheme has potential advantages and drawbacks.

Receiving one-time-passcodes via SMS text message is one of the oldest and most widespread forms of MFA. It's easy to understand, and since many sites and services already have your contact information, you may not even need to enroll in it. While convenient, SMS codes have two major drawbacks. First, they require a functioning phone. If your phone is dead or you can't afford your own phone, you can't log in.

Second, it's been proven that attackers can intercept SMS codes through a process called SIM jacking(Opens in a new window). As such, we advise readers to avoid SMS MFA wherever possible. Hopefully the FCC will be able to address this threat.

Another common form of MFA is to use an app that generates time-limited login codes. While there are many examples of authenticator apps, most people are probably familiar with Google Authenticator. This type of MFA is more secure than SMS codes and lets a single app provide codes for any number of sites and services.

While authenticator apps don't require a network connection, your phone does need to be available and powered. Mobile phones aren't purpose-made authenticators; they are highly connected devices that do all kinds of tasks. This means it's possible, although unlikely, that a malicious attack could get at your security codes.

Hardware-based security keys solve most of the problems of the other MFA schemes. Hardware keys have no batteries and require no network connection. They also have no moving parts, making them difficult to break. Because they work on purpose-made hardware, they're much harder to attack. Finally, it can be kind of fun to have a special tool for logging in.

There are downsides to using hardware keys for MFA, too. Unlike other types of MFA, hardware keys cost money—usually $20-$50. Hardware keys can also be lost and aren't as widely supported as app-based MFA codes.

If you're new to MFA, we recommend starting with app-generated codes. These are free, secure, and easy to use and understand. But if you're already familiar with MFA and are interested in upping your security game, hardware security keys are the next step.

That said, it's important to remember that MFA of any kind can't protect against all the dangers the modern world presents. We strongly recommend using antivirus software as well as a password manager to create unique and complex passwords for each site and service you use.

How Do Security Keys Work?

The most widespread means of hardware security key authentication is based on the standards from the FIDO Alliance(Opens in a new window). All these standards do fundamentally the same thing: use asymmetric key cryptography to authenticate you to a site or service.

Each device can generate any number of public keys from its private key, without exposing the private key. That allows a single hardware key to be used for multiple sites and services but most importantly, it means that a failure or change at any one site or service won't affect the other. You can easily remove and reenroll your hardware key as many times as you like.

Recommended by Our Editors

Multi-Factor Authentication: Who Has It and How to Set It Up

Google to Auto-Enroll More Users in Two-Factor Authentication, Citing Decrease In Hacks

12 Simple Things You Can Do to Be More Secure Online

When shopping for a hardware security key, you should look for at least FIDO U2F certification because it means the key will work in just about every basic security key context. FIDO2/WebAuthn are the next generation standards, which support additional types of authentication. If you want to use a device for biometric MFA or passwordless login, you'll need FIDO2/WebAuthn.

Are Security Keys Safe?

Going from a password that (ideally) is a complete secret to a little bauble like a security key can sometimes feel like being less secure. After all what happens if your key is stolen? Or you lose your key?

To the first point, it's extremely unlikely that someone would have the means to track down an individual user and steal their security key. Most cybercrime is committed en masse with thousands or millions of compromised accounts. One security key isn't worth the effort. Still, it's not impossible and a determined attacker could use a stolen key to access your accounts. That's why it's important to keep your key safe, but also to use strong passwords secured in a password manager. If the thief gets the key but can't crack your password, they're still not getting in.

It's far more likely that you will lose your key, and that can be a real problem. Yubico recommends enrolling a second key and storing it as a secure backup. Many services that support security keys also allow (and some require) you to enroll multiple MFA factors, so you could set up an authenticator app as a backup MFA option. Services often let you generate backup codes that you can write down offline or secure in a password manager, which grant you access in emergencies. If none of that works, find a device where you are still logged in and unenroll the key or add a new MFA factor you do have. The bottom line is that losing your security key is not the end of the world.

How to Choose a Security Key

The first thing to look at when choosing a security key is how the key literally fits with the rest of your devices. If you don't have any devices with USB-C, you should stick to keys with a USB-A connector. If you intend on using your key with mobile devices (and you should) you should select either a key with a connector that fits your phone or a key with NFC, if your phone supports NFC.

You also need to consider your budget. The most expensive keys we've reviewed cost up to $85, which is a significant chunk of change. If you're new to hardware security keys, we strongly recommend starting with a cheaper key and upgrading later. The Security Key NFC from Yubico works just as well for MFA as a more expensive key, offers NFC for mobile devices, and can fit USB-C with a cheap dongle. It's a great choice for first-time buyers.

Most security keys just authenticate you, and that's enough. But some go further with additional features. Kensington has a line of biometric keys that require the correct fingerprint to authenticate you. High-end YubiKeys have numerous additional features: the ability to playback a static password, working with a desktop or mobile app to provide app-generated passcodes, PGP key management, and its own form of one-time-passcodes.

More obscure facets of each key may be significant to the most discerning buyer. NitroKeys and SoloKeys use all open-source code and hardware, making them a strong choice for a particular crowd. Yubico locks down all its devices from firmware changes to protect them from tampering, while NitroKey celebrates its updatable firmware.

The Key to Security

Hardware security keys are the best, most secure method of MFA and we highly recommend them. But for some, the idea of paying for a key or having to fetch it each time they login is too much and that's just fine. What's most important is that you find an MFA scheme that works for you and that you actually use it. The best security doesn't work if it's ignored.

Top Articles

Latest Posts

Article information

Author: Edwin Metz

Last Updated: 12/12/2022

Views: 6084

Rating: 4.8 / 5 (58 voted)

Reviews: 81% of readers found this page helpful

Author information

Name: Edwin Metz

Birthday: 1997-04-16

Address: 51593 Leanne Light, Kuphalmouth, DE 50012-5183

Phone: +639107620957

Job: Corporate Banking Technician

Hobby: Reading, scrapbook, role-playing games, Fishing, Fishing, Scuba diving, Beekeeping

Introduction: My name is Edwin Metz, I am a fair, energetic, helpful, brave, outstanding, nice, helpful person who loves writing and wants to share my knowledge and understanding with you.