It supports a wide range of multi-factor authentication services and can be left in your computer.
It's so tiny, it's easy to lose.
It’s waterproof and crush-proof, so it will survive just about anything.
It’s a few inches long, so it sticks out pretty far from the average USB slot.
We purchase every product we review with our own funds — we never accept anything from product manufacturers.
Web security can be a scary thing. As we move more and more of our personal information into the cloud for convenience, it becomes increasingly important to make sure that our data is secure.
Unfortunately, a password is no longer enough. Sophisticated attacks and unexpected data breaches are so commonplace now that if you want to stay safe, you’ll need to take additional measures. Thankfully, the web security industry has created a new standard that anyone can use to protect their online accounts from unwanted intrusions: two-factor authentication (often referred to as 2FA).
Two-factor authentication creates another safeguard beyond your password. In a 2FA transaction, after entering your username and password, you’re prompted to confirm the access request through a different medium. For example, many banks use SMS-based 2FA, and text you a numeric code to enter to access your account after you’ve entered your password. In other cases, users can use smartphone apps as a second-factor device, so they can confirm logins with a single tap.
The most secure form of two-factor authentication is with a separate physical device, and the gadgets dedicated to the task are known as security keys.
Security keys work with hundreds of online account services, including Google’s Gmail, Facebook, Twitter, and Dropbox. The setup process for each will vary slightly, but in each case, you’ll need to research how to set up two-factor authentication and follow the provided instructions. Once you’ve successfully registered your security key as a second-factor device for your login, here is how logins work:
Enter your username and password, as always. This part stays the same, but it’s still important to remember the best practices of passwords: never use the same password on more than one account; use a random string of letters, numbers, and characters as your password whenever possible; and change all of your passwords regularly.
Insert your security key into an open USB port. Any open port on your computer will do.
Tap the security key to confirm your access request. Each security key has a physical sensor that’s waiting for you to tap it in order to get access. By tapping your security key, you’re essentially saying, “Yes, I confirm this is me.”
That’s it! With a security key, you’ve got an added layer of security – people with your password won’t be able to get in – and the only extra step is a single tap.
Some in the web security industry refer to security keys as U2F devices, which stands for Universal Second Factor. While the terminology may differ based on context, in reality, they’re the same thing.
Security keys aren’t super expensive, but they’re not all the same. Keep these price ranges in mind as you’re comparing models.
Inexpensive: You’ll find some good options for basic protection between $15 and $29. Models in this price range are a little flimsy and are sometimes missing bonus features like support for Smart Card networks. If you’re only protecting a handful of accounts, a cheaper model will suffice, but given that better models are only a few dollars more, it might be worth it to spring for a better one.
Mid-range: The best values in security keys fall between $30 and $49. Security keys in this price range are made with higher-quality materials, so they’re less likely to get scratched (and they work based on an exposed copper connection, so durability matters). Most users won’t need to spend more than $50 to get a security key that will function for years to come.
Expensive: You’ll encounter overpriced security keys costing between $50 and $75 that don’t offer anything more than other models, and they can sometimes be dangerous copycats. Some manufacturers rely on consumers thinking that more expensive models must be of higher quality, but that is definitely not the case with security keys.
As a further measure against identity theft, consider signing up with a credit monitoring service. These services alert you whenever someone tries to use your social security number, so you can short-circuit identity theft attempts.
Many web services offer support for two-factor authentication, although it can sometimes be difficult to locate. If you’re not sure if you can use your security key with a specific account, search their website or search for “how to set up 2FA with my account from ____.” If 2FA is supported, follow the instructions for setting everything up.
Use a password management service, and use only randomly generated passwords. This will help keep your online accounts even more secure. Don’t count on your brain to remember all of your passwords – there’s an app for that. Third-party password manager services like LastPass, Dashlane, or 1Password allow you to access your passwords when you need them with one master password. That’s not as scary as it sounds: you can use a security key to protect your password manager, and most password managers have built-in password generators, so you can update your existing passwords so they’re not guessable.
Buy a security key that matches your computer’s USB ports. Security keys are designed to occupy an available USB port on your computer, but USB standards are changing, so it’s important to verify compatibility before you buy. Most laptop and desktop computers have USB 2.0 or USB 3.0 ports, which have been the standard for years, but they’re slowly giving way to USB 3.1 ports, which use a completely different form factor. Before you start shopping, confirm if you’ll be using your security key in a USB 2.0, USB 3.0, or USB 3.1 port.
Q. What’s the difference between a security key and a fingerprint reader?
A. Both security keys and fingerprint readers are devices that require physical contact in order to give you access to an account, but the similarities end there. A fingerprint reader stores a copy of your fingerprint on your local machine, and then verifies that your finger is a match every time you log in. Fingerprint readers are used almost exclusively to give users physical access to their computers, while security keys are used with web services and online accounts. A security key relies on the user to tap it, and while it will accept a tap from anyone, it verifies access in the cloud.
Q. What happens if my security key gets lost, stolen, or damaged?
A. Most web services that support security keys will provide you with a set of backup codes during your initial set up. Backup codes are for instances when your security key isn’t available, so it’s important to keep them safe. If you lose access to your backup codes, you’ll need to go through access verification with the service in question – most will make you go through a lengthy process to prove who you are, but they can eventually restore your access.
Q. Can I use a security key with my computer login?
A. Yes. Many security key manufacturers, including Yubikey, make security keys that work with both the Windows 10 operating system and Apple’s OS X operating system, so you can make sure that no one is logging into your computer that shouldn’t be. To learn more, visit your security key manufacturer’s website.
BestReviews wants to be better. Please take our 3-minute survey,
and give us feedback about your visit today.