Skip to content
Logo

Hardware Security Keys

Security Specialist

Authored by:

Dickson Wu
Dickson Wu
SEAL
Louis Marquenet
Louis Marquenet
Opsek
Pablo Sabbatella
Pablo Sabbatella
SEAL | Opsek

Summary

🔑 Key Takeaway for Hardware Security Keys: Use FIDO2/WebAuthn security keys on high-value accounts, register at least two keys per critical account, disable SMS fallback where possible, and test recovery before you need it.

Hardware security keys are one of the strongest practical defenses against phishing, credential stuffing, and SIM-swap-based account takeovers. They are especially valuable for email, source control, registrars, cloud platforms, social accounts, and any admin or financial account that could be used to pivot into the rest of your organization. This guide focuses on YubiKeys and similar FIDO2/WebAuthn hardware keys.

For Individuals

These steps apply to personal and work accounts that support FIDO2/WebAuthn security keys or passkeys stored on a hardware key.

Setup Checklist

  • Buy at least two security keys from a reputable vendor such as Yubico
  • Prefer keys that match your device mix:
    • USB-C for modern laptops and phones
    • NFC if you regularly authenticate on mobile
  • Label one key Primary and the other Backup
  • Register both keys on every critical account that supports them:
    • Primary email
    • GitHub and code hosting
    • Registrar and DNS providers
    • Cloud and deployment platforms
    • Banking, custody, or treasury accounts
    • Social and communication accounts
  • Where offered, prefer:
    • Security key
    • Passkey on hardware key
    • Other phishing-resistant WebAuthn/FIDO2 options
  • Disable SMS as a recovery or second-factor method wherever the service allows it
  • Save provider-issued backup or recovery codes offline
  • Test both the primary and backup key after enrollment

YubiKey Setup Notes

  • Register both your primary and spare YubiKeys during the same setup session whenever the service allows it
  • Set a PIN on the YubiKey or FIDO2 credential where the workflow supports it, and store that PIN separately from the key itself
  • If your YubiKey supports NFC and it is new, activate NFC before you rely on it for mobile logins
  • Prefer the service's Security key or Passkey option on a YubiKey over app-based OTP when phishing-resistant login is available
  • If a service only supports authenticator-app codes, Yubico Authenticator can keep those codes tied to the YubiKey, but treat that as a fallback rather than equivalent protection to WebAuthn security-key login

Practical Use

  • Keep the Primary key with you for normal logins
  • Store the Backup key in a separate secure location, not in the same bag or drawer
  • Maintain a short note in your password manager listing which critical accounts have which keys enrolled
  • For high-value accounts, avoid storing passkeys in a password manager; keep them on the hardware key or another dedicated phishing-resistant authenticator instead
  • If a service allows multiple authentication methods, avoid leaving weaker fallback paths enabled unless they are operationally necessary
  • Replace lost or damaged keys immediately and re-test the remaining enrolled key

Recovery Discipline

  • Do not wait until you lose a key to learn how account recovery works
  • If you lose your only key and do not have a second enrolled key or a usable recovery path, you can lock yourself out of critical accounts at the moment you most need them
  • Verify that your recovery path does not depend on a phone number if you are trying to reduce SIM-swap risk
  • If an account only supports app-based MFA or SMS, record that exception clearly and prioritize moving the account to a stronger provider or stronger configuration when possible

Further Reading