What Are Security Keys?

You’ve probably seen us highlight the importance of multi-factor authentication (MFA). MFA ensures that even after the right password is entered during the login process, a secondary authentication measure is required to gain access to your account. That way, even if a bad actor learns your password, it’s useless without access to the secondary authentication method.
Usually, this authentication method takes the form of a code. That code could be sent to you via SMS or email, or generated within an authentication app. The idea is that only you can access the smartphone that receives the SMS code or contains the authenticator app, or that you are the only one who can check the email address where a code is sent.
These methods are far more secure than a password alone, but they are not infallible. If someone gains access to your email account, they can intercept any MFA codes sent that way. If you leave your smartphone unlocked, a bad actor could access its contents and intercept SMS-based MFA codes, or open your authenticator app—assuming there isn’t strong biometric authentication in place there as well. SMS-based MFA is particularly vulnerable to sophisticated attacks such as SIM-swapping.
If you want to max out your MFA security, one option is a security key. A security key is a physical device that you connect to the device you’re logging into. Once connected, the key can communicate with the account you’re trying to access, confirm your identity, and grant you access. It essentially functions like an MFA code—present the code (or key), and you’re in.
Although the authentication protocols are quite similar between codes and hardware keys, there are some immediate security benefits to using security keys. First, there’s no risk of phishing: With codes, bad actors can try to trick you into sending over the digits, such as by posing as the company that runs your account, or use advanced techniques like SIM-swapping to hijack your phone number and intercept your SMS codes. Without the physical key, they have no leverage—and thus, no way to break into your account.
There’s also the convenience: With a security key, you can authenticate just by plugging the key into your computer’s USB port, or by tapping the key near your smartphone with NFC. You don’t need to wait for a code, or to open your smartphone’s authentication app and beat the clock on a timed code—the key does it for you.
When not to use a key
While security keys are great, they are also imperfect. First, they’re the only MFA option that requires you to pay. SMS-based codes and authenticator apps are generally free to use, but keys can cost anywhere from $30 to $90.
Plus, as convenient as they are, you do run the risk of losing or damaging them. In that case, you lose your secondary authentication method—and potentially are locked out of your accounts for good. That’s why it’s good practice to buy a backup key, which effectively doubles the cost. Some providers, like Apple, require you to have two keys in order to use this method, since they don’t want you locking yourself out of your account should you misplace or break a key.
Finally, not all accounts support security keys. You’ll need to ensure that the accounts you want to access support security keys as an authentication method before committing to them—or else set up a separate authentication method for those accounts.
Which keys should you buy?
There are plenty of keys on the market for you to choose from, but the most important consideration is compatibility: Make sure whichever key you buy works with the most accounts possible.
As for specific recommendations, Wirecutter highlights two: the Yubico Security Key C NFC, which runs $29, and the Yubico YubiKey 5C NFC, which costs $55.