How do authentication keys work

In practice, a security key is a physical security device with a totally unique identity. It houses a small chip with all of the security protocols and code that allows it to connect with servers and verify your identity. Security keys are yet another layer of two-factor security, not unlike those one-time codes you received via SMS or email when logging into certain sites or the biometric scans of your fingerprint or face used to unlock your laptop or smartphone.

This bit of hardware acts as your digital bodyguard, keeping unwanted users away from your information. Think of a security key like a hotel door. You check in at the front counter, pay the nightly fee, and are handed your room key. Give me the registered key code to open this room. Setting up and using a security key is also fairly easy.

Anyone who wants to can use a security key, but it might be an excessive measure for some people. After all, better safe than sorry. But depending on your needs and what computer you have access to, you may be able to use the cheaper budget pick as your backup. Once you register a key on your computer, it should simply work with your phone. As an example, here is how to set up a key with our favorite password manager, 1Password.

The process is more or less the same for other supported services. Once the key is enabled, it should work automatically with your smartphone if they have a physical connection. On Android and iPhone handsets, you can log in using an NFC key by holding it to the back of your phone until the phone stops buzzing. On a day-to-day basis, you may not be required to use your hardware key all that often.

Services often consider different risk factors to determine whether to require it. These models don't have all of the features of the 5 Series, lacking multiple connection options, computer login, and support for time-based one-time passwords on the Yubico Authenticator app. But if USB-A and NFC compatibility are all you need, or if you simply want to test out a key before committing to the more expensive version, this series offers most of the security benefits that the 5 Series does.

The Yubico Security Keys fit into USB-A ports, which are still common on laptops, and most phones support NFC , so they should work fine if you want to use them only with popular services. And you may need to replace yours sooner if you upgrade to a computer that lacks USB-A ports. These keys offer the same excellent setup experience and documentation we like in the 5 Series.

The Security Keys are portable and durable. They survived our crush and water tests just like the 5 Series, and they had the same durability results in tests conducted by Freedom of the Press Foundation digital security trainer David Huerta. We'll test all three in our next update. SoloKeys announced a redesign for their next generation of security keys that ditches the push-button design we struggled with in favor of touch sensitive side buttons similar to those used by Yubico and Google.

SoloKeys also has plans to improve NFC performance, add waterproofing, and more. We plan to test them when they become available. We found the Bluetooth key to be bulky and high-maintenance. For Android phones, it requires pairing, and for iOS, it requires the use of the Smart Lock app in addition to pairing; on top of that, the key is battery-powered and requires charging it was also recalled and replaced over a Bluetooth flaw in Feitian security keys come with most of the same security features and protocols as the Yubico options, and they include a variety of connectivity choices, including USB-C and NFC and even a fingerprint option.

Some links even lead to unfinished pages. Both Google and Feitian got flack from experts for a lack of transparency in the production pipeline for the keys, which are made in China. Solo Keys are the first open-source FIDO2 security keys, which allows developers to contribute to the project or file bug reports on GitHub. Both were bulkier than the other keys we tested, especially the NFC key. Thetis lacked good documentation on its website, and when we had difficulty pairing the keys on iOS and tried to consult the instruction page, it led to a not-found error.

Drew Porter, founder and president of Red Mesa , phone and email interviews, December 12, Christopher Harrell, chief engineering officer at Yubico , phone and email interviews, January 24, Paul Stamatiou, Getting started with security keys , PaulStamatiou. Yael Grauer is an investigative tech journalist based in Phoenix. She likes cooking, hiking, playing puzzle games, listening to bluegrass music, and spending time with her husband and their rescue chiweenie. There are downsides to two-factor authentication though.

If you lose your phone, or if it's breached by a hacker who's swapped your SIM or somehow gained access to your device, they'll obviously be able to retrieve your code and potentially use it to hack into your account especially if they also know your login credentials. Luckily, that's where hardware keys come in handy. Hardware security keys also called security keys, U2F keys, or physical security keys add an extra layer of security to your online accounts.

They protect against automated bots and targeted attacks by leveraging cryptography to verify your identity and the URL of a login page. They're therefore phishing-resistant, too, as they can ascertain whether you're trying to log into a legitimate service. Most of them use an open authentication standard, called FIDO U2F or the improved FIDO2 standard , and some even feature hardware that's designed to resist physical attacks aimed at extracting firmware and material from the key itself.

Hardware security keys are made by various manufacturers and work with the most popular web browsers, as well as hundreds of apps and online services. They can even help you log in to your workstation.

Overall, they're not hard to use and are relatively inexpensive. And all other forms of two-factor authentication texts, authenticator apps, and notifications don't offer the same level of protection. Several brand choices are available. The process is pretty similar for all hardware security keys, though. In order to use a security key with your Google account or any account , you need to have already set up two-factor authentication.

Subscribe to get the best Verge-approved tech deals of the week. Cookie banner We use cookies and other tracking technologies to improve your browsing experience on our site, show personalized content and targeted ads, analyze site traffic, and understand where our audiences come from.

By choosing I Accept , you consent to our use of cookies and other tracking technologies. Cybersecurity Mobile Policy Privacy Scooters. Phones Laptops Headphones Cameras. Tablets Smartwatches Speakers Drones. Accessories Buying Guides How-tos Deals. Health Energy Environment. YouTube Instagram Adobe.