PCMag editors select and review products independently. If you buy through affiliate links, we may earn commissions, which help support our testing.

The Best Hardware Security Keys for 2024

Protecting your online accounts from being taken over by bad guys is critical, and a hardware security key is one of the best defenses. These are the best security keys for keeping your information private.

Related:

At PCMag, we've been reviewing hardware security keys since 2018, when they were new technology, and multi-factor authentication (MFA) was still a novel idea. Today, many major companies support account authentication using hardware security keys, including Apple and Google. Currently, the Yubico Security Key C NFC is our Editors' Choice winner because it's easy for first-time users to adopt and is priced to fit just about any budget. Keep reading to discover more of the best security keys we've tested, followed by an explanation and video of how they work, plus recommendations for choosing the right one for you.

You Can Trust Our Reviews

Since 1982, PCMag has tested and rated thousands of products to help you make better buying decisions. Read our editorial mission & see how we test.

Deeper Dive: Our Top Tested Picks

  • Yubico Security Key C NFC

    Yubico Security Key C NFC

    Best Overall
    5.0 Outstanding

    Why We Picked It

    The Yubikey Security Key C NFC is our top pick for most people. It features excellent build quality, and its USB-C connector means it works on just about every new device. It also has NFC support, which lets it authenticate on mobile devices that lack a USB port.

    Who It's For

    This is our recommended security key for first-time buyers and anyone who doesn't want to pay for the extra features of some other YubiKey models. It doesn't do everything; instead, it does exactly what someone new to security keys would want. It can authenticate your identity online and store up to 100 passkeys, which are accessible via Yubico's apps for desktop and mobile.

    • Pros

      • Inexpensive
      • Outstanding build quality
      • Wireless NFC
      • USB-A or USC-C compatibility
      • Stores passkeys
    • Cons

      • Fewer authentication protocols than other Yubico devices
    Get It Now
  • Yubico YubiKey C Bio

    Yubico YubiKey C Bio

    Best for Biometric Authentication
    4.5 Excellent

    Why We Picked It

    The YubiKey C Bio has Yubico's trademark build quality. This device can store passkeys and authenticate your identity like other security keys, but it adds a fingerprint scanner for additional security. In testing, we were able to register fingerprints easily, which is ideal.

    Who It's For

    What you're paying for with this device is its biometric protection. Make sure that's explicitly what you want before buying. The biometrics key supports the same authentication standards as the lower-priced, non-biometric Security Key C NFC from Yubico.

    • Pros

      • Built-in fingerprint authentication
      • Sleek design
      • Easy onboarding process
      • Supports widely used authentication standards
    • Cons

      • Expensive
      • Stores comparatively few passkeys
  • Yubico YubiKey 5C NFC

    Yubico YubiKey 5C NFC

    Best for Experts
    4.0 Excellent

    Why We Picked It

    The YubiKey 5 Series has the rugged build quality of all Yubico devices, and its USB-C connector and NFC support mean it works with just about every new device. Like the other YubiKey Series 5 devices, the 5C NFC does more than just MFA and password-less login; it can function as a Smart Card, store static passwords and Open PGP keys, and more. 

    Who It's For

    At $55, the YubiKey 5C NFC doesn't make sense for most people who just need to secure their online accounts or haven't used a security key before. It's a better choice for someone with very specific needs or who's savvy enough to learn how to use all its features.

    • Pros

      • Supports both USB-C and NFC
      • Rugged build
      • Supports many authentication protocols
    • Cons

      • Expensive
    Get It Now
  • Google Titan Security Key

    Google Titan Security Key

    Best for Google Loyalists
    3.5 Good

    Why We Picked It

    The only MFA hardware that Google is willing to put its name on is the Google USB-C/NFC Titan Security Key. It's an MFA device that's targeted at everyday and first-time users. The sleek, rounded Titan Security Key is perfect for anyone turned off by Yubico's square-edged utilitarianism.

    Who It's For

    The Titan Security Key is affordable and, most important, comes with Google's endorsement. Trust is important when it comes to authenticating your login sessions, so Google's recognizable name and massive online presence may hold a lot of weight for certain customers.

    • Pros

      • Available for USB-A and USB-C
      • Supports NFC
      • Stores 250 passkeys
    • Cons

      • Can't delete passkeys
      • Few features
      • Very little product documentation available
  • Nitrokey 3C NFC

    Nitrokey 3C NFC

    Best Open-Source Security Key
    3.0 Good

    Why We Picked It

    The Nitrokey 3C NFC key is a fine option for people looking for an open-source option with upgradable firmware (though that comes with some security risks). We like that it's is easy to use and affordable.

    Who It's For

    The Nitrokey 3C NFC's biggest selling points are updatable firmware and open-source hardware and firmware. If that appeals to you, then this key is a good choice.

    • Pros

      • Uses open-source firmware
      • Connects via USB-C and NFC
      • Can encrypt your data, such as emails
    • Cons

      • Expensive
      • NFC not recognized on Android
      • Disorganized product documentation

Buying Guide: The Best Hardware Security Keys for 2024


How Do You Use a Security Key?

While they can take many forms, most security keys are small, key-sized devices that uniquely identify themselves to sites and services. Your possession of the key is a way for the online account to prove that you are who you say you are, in addition to verifying your username and password. To use a security key, you first have to enroll it with each site or service you want to protect. Support for security keys is increasing, but don't be surprised if they're not accepted at every site you try.

Enrolling a key is slightly different for each key and online account, but it usually goes something like this: Somewhere in the online account's settings is an option to enroll a security key. Click it, insert the key, tap the key's button when prompted, and give the key's record a name so you know what it is. Some sites and services limit you to just one key, while others allow or even require more than one. Many sites require you to enable an alternate form of MFA or generate one-time-use security codes to act as backups to your key.

The next time you go to log in, you're prompted to present your security key after entering your username and password for an account. You connect the key through some kind of data transfer connection—typically USB-A or USB-C—and then press a button on the device to verify you're a real person and not a clever malware attack impersonating a key. If both the password and the key check out, you log in as normal.

Some hardware keys include wireless communication capabilities, usually through near-field communication (NFC), to interact with mobile devices. Other keys have biometric authentication for an added layer of protection.


Which Hardware Security Key Is Best for You?

The first thing to look at when choosing a security key is how the key literally fits with the rest of your devices. If you don't have any devices with USB-C, you should stick to keys with a USB-A connector. If you intend on using your key with mobile devices (and you should), select a key with either a connector that fits your phone or NFC if your phone supports NFC.

Consider any budget restrictions, too. The most expensive keys we've reviewed cost up to $95. If you're new to hardware security keys, we strongly recommend starting with a less expensive key and upgrading later. The Security Key C NFC from Yubico and the Google Titan Security Key work well for basic MFA and offer NFC for mobile devices. Either is great for first-time buyers.

Most security keys just authenticate you, and that's enough. But some go further with additional features. Kensington has a line of biometric keys that require the correct fingerprint to authenticate you. High-end YubiKeys have numerous additional features: the ability to play back a static password, work with a desktop or mobile app to provide app-generated passcodes, support PGP key management, and offer their own form of one-time passcodes. 

Other keys may have niche features or design perks that appeal to particular audiences. For example, Nitrokeys are built on open-source code and hardware, making them strong choices for the privacy-conscious consumer. In another example, Yubico and Nitrokey target very different audiences: the former blocks firmware changes on its devices to protect them from tampering, while the latter celebrates its updatable firmware. 


What Is Multi-Factor Authentication? 

Multi-factor authentication, sometimes called MFA, two-factor authentication, or 2FA, allows you to verify your identity using more than one kind of authentication. You should authenticate your login using at least two of these factors:

  • Something you know
  • Something you have
  • Something you are

Something you know is typically a password. It lives in your head and is ideally known only to you. Something you have could be a security key such as those we've listed here, an authenticator app on your phone, or a code sent via SMS to your phone. It's something not easy for a stranger to access or obtain. Finally, something you are is a physical characteristic that can be read with a biometric scan, such as a fingerprint or your face.

It's pretty unlikely that an attacker will have access to more than one of these forms of authentication, making it harder for bad guys to take over your accounts. It's been proven in the real world, too. When Google required employees to use hardware MFA keys, account takeovers effectively ceased.

Remember that MFA of any kind can't protect against all the security dangers the modern world presents. We strongly recommend using antivirus software as well as a password manager to create unique and complex passwords for each site and service you use.


How Do Hardware Security Keys Work?

The most widespread means of hardware security key authentication is based on the standards from the FIDO Alliance. All these standards do fundamentally the same thing: They use asymmetric cryptography to authenticate you to a site or service. 

Each device can generate any number of public keys from its private key without exposing the private key. That allows a single hardware key to be used for multiple sites and services, but most important, it means a failure or change at any one site or service won't affect the other. You can easily remove and enroll your hardware key as many times as you like.

When shopping for a hardware security key, look for at least FIDO U2F certification because it means the key works in just about every basic security key context. FIDO2/WebAuthn are the next-generation standards that support additional types of authentication. If you want to use a device for biometric MFA or passwordless login, you need FIDO2/WebAuthn. 


Are Security Keys Safe?

So what happens if your key is stolen or lost? In the theft scenario, it's unlikely someone would have the means to track down an individual user and steal their security key. Most cybercrime is committed en masse, with thousands or millions of compromised accounts. One security key isn't worth the effort.

That said, a determined attacker could use a stolen key to access your accounts. That's why you should keep your key safe but also use strong passwords secured in a password manager. If the thief gets the key but can't crack your password, they're still not getting in.

It's far more likely that you lose your key, and that can be a real problem. Yubico recommends enrolling a second key and storing it as a secure backup. Many services that support security keys also allow (and some require) you to enroll multiple MFA factors, so you could set up an authenticator app as a backup MFA option and use that if you don't have your key.

Services often let you generate backup codes you can write down offline or store in a password manager. These codes grant you access in emergencies. If none of that works, find a device where you are still logged in and unenroll the key or add a new MFA factor you do have. The bottom line is that losing your security key is not the end of the world.


Passkeys vs. Security Keys

Passkeys are a secure authentication system that may one day replace passwords. Several major players have thrown their weight behind this technology, making it far more likely to catch on than any other previous effort to replace passwords. Apple, Google, and Microsoft have all added support for passkeys to their platforms, so you're likely to start seeing them appear as an option soon. If you want to try using passkeys to log in, check out our instructions for creating passkeys for your Google or Apple account.

A super-secure authentication scheme might sound like a death knell for security keys, but not so! Some security keys can store passkeys, keeping them safe and separate from your phone or computer. The number of passkeys a security key can store will vary. After a recent firmware update, Yubico's YubiKey Bio keys now hold 100 passkeys each, while Google's Titan key has enough room for 250.


The Key to Better Online Security

Hardware security keys are the best, most secure method of MFA. We highly recommend them. But for some, the idea of paying for a key or having to fetch it for every login is too much bother, and that's just fine. What's most important is that you find an MFA scheme that works for you and that you use it.

Max Eddy contributed to this article.

Compare SpecsThe Best Hardware Security Keys for 2024
Our Pick
Editor's Rating
Editors' Choice
5.0 Outstanding
Review
4.5 Excellent
Review
4.0 Excellent
Review
3.5 Good
Review
3.0 Good
Review
Biometrics
Authentication Specifications
FIDO2, FIDO U2F, WebAuthn/CTAPFIDO U2F, FIDO2, WebAuthn/CTAPFIDO U2F, FIDO2, WebAuthn/CTAP, Smart Card, HOTP/TOTP, Open PGP, Static Password, Yubico OTPFIDO2FIDO2, FIDO U2F, WebAuthn/CTAP
Connector
USB-CUSB-CUSB-CUSB-C, USB-AUSB-C
Wireless Specification
NFCNoneNFCNFCNFC

About Kim Key