What is a security key (physical security key)?
A security key — or physical security key — is a device the size of a USB stick that protects your accounts against phishing with absolute certainty. Unlike SMS or authenticator apps, a security key verifies the website's domain before responding: if the website is fake, it will not authenticate. According to Google, since implementing physical keys for its employees, phishing cases fell to zero (Google, 2019).
In this article, we explain how they work, what they are for, and which models make the most sense for your devices.
How does a security key work?
A security key is a second factor of authentication based on public-key cryptography. When you register it with a service, the device generates a unique pair of keys:
- A private key that never leaves the hardware
- A public key that is registered with the service
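When you log in, the service sends a random challenge that only your key can answer, by signing it with the private key. Most importantly: the key verifies the domain before responding. The key pair is tied to the domain it was registered on, and the browser reports the domain you are actually visiting, so if someone sends you to a fake website imitating your bank or Gmail, the key fails automatically, even if the attacker has your password.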
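The registration and login flow described above, as an added example that is not code from this article or from any vendor: a simplified Node.js model of a WebAuthn-style login showing the domain check on the client and the checks a service runs before accepting a signature. The function names and the domains bank.example and bank-example.test are assumptions made for illustration, and the browser and key are merged into one function.

```javascript
// Added example: simplified model of a WebAuthn login (no CBOR/attestation parsing).
const crypto = require('crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Registration: a fresh key pair scoped to one domain (the "RP ID").
// The private key stays with the authenticator; the service stores only the public key.
function register(rpId) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { authenticator: { rpId, privateKey }, serverRecord: { rpId, publicKey } };
}

// Login, client side. Browser and key are merged here for brevity: the browser
// reports the origin it is really on, and no credential exists for other domains.
function getAssertion(authenticator, browserOrigin, challenge) {
  const host = new URL(browserOrigin).hostname;
  const inScope = host === authenticator.rpId || host.endsWith('.' + authenticator.rpId);
  if (!inScope) return null; // look-alike domain: the key has nothing to sign with
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin: browserOrigin }));
  // authenticatorData = SHA-256(rpId) | flags (0x01 = user present) | 4-byte counter
  const authData = Buffer.concat([sha256(authenticator.rpId), Buffer.from([0x01, 0, 0, 0, 1])]);
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return { clientDataJSON, authData, signature: crypto.sign('sha256', signed, authenticator.privateKey) };
}

// Login, server side: every check must pass before the signature is trusted.
function verifyAssertion(serverRecord, expectedOrigin, expectedChallenge, assertion) {
  if (!assertion) return 'no assertion';
  const client = JSON.parse(assertion.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'wrong type';
  if (client.origin !== expectedOrigin) return 'origin mismatch';
  if (client.challenge !== expectedChallenge.toString('base64url')) return 'challenge mismatch';
  if (!assertion.authData.subarray(0, 32).equals(sha256(serverRecord.rpId))) return 'rpIdHash mismatch';
  const signed = Buffer.concat([assertion.authData, sha256(assertion.clientDataJSON)]);
  const ok = crypto.verify('sha256', signed, serverRecord.publicKey, assertion.signature);
  return ok ? 'ok' : 'bad signature';
}

// Constructed sample run: bank.example is the real site, bank-example.test a look-alike.
const demo = register('bank.example');
const demoChallenge = crypto.randomBytes(32);
const genuine = getAssertion(demo.authenticator, 'https://bank.example', demoChallenge);
console.log(verifyAssertion(demo.serverRecord, 'https://bank.example', demoChallenge, genuine));
console.log(getAssertion(demo.authenticator, 'https://bank-example.test', demoChallenge));
```

Because the challenge is fresh for each login and the origin is part of the signed data, a response captured on one site or in one session fails these checks anywhere else, which is the property a typed SMS or TOTP code lacks.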
What is a security key used for?
Security keys protect accounts on services compatible with FIDO2 and WebAuthn standards, which today include most major platforms. Common use cases include:
- Primary email and password manager
- Bank accounts and fintech (Revolut, PayPal, Wise)
- Cryptocurrency exchanges (Binance, Coinbase, Kraken)
- Corporate accounts with access to sensitive data
- SSH access to servers and cloud consoles (AWS, GCP, Azure)
If you handle sensitive information or accounts with financial value, a security key eliminates the most common attack vector: phishing.
Recommended security keys
These two YubiKey models are the most widely used. The only difference is the connector — choose based on your devices' ports.
Bestseller
YubiKey 5 NFC (USB-A)
Compatible with USB-A and NFC. Supports FIDO2, WebAuthn, OTP, and OpenPGP. No battery, no drivers required.
For modern laptops
YubiKey 5C NFC (USB-C)
Same features as the 5 NFC but with a USB-C connector. Also compatible with Android smartphones without an adapter.
Accessories for your YubiKey
Once you have your key, protecting it physically is just as important. These accessories are made in Spain and designed specifically for YubiKeys.
Keychain
Keychain with Lanyard
Protective case with an integrated lanyard. Protects against bumps and scratches from daily use. PLA+, made in Spain.
For your wallet
Card Format Tray
Same dimensions as a credit card. Fits into any wallet without adding bulk. PLA+, made in Spain.
If you carry your YubiKey on your keychain, the lanyard case is the most practical option. If you keep it in your wallet, the card format tray takes up exactly the same space as a credit card.
Security key vs other forms of 2FA
Not all second factors offer the same level of protection:
| 2FA Method | Protects against phishing | Requires battery | Approx. cost |
|---|---|---|---|
| Security key (FIDO2) | ✅ Yes | ❌ No | £25–£70 |
| Authenticator app (TOTP) | ❌ No | ✅ Yes (mobile) | Free |
| SMS with code | ❌ No | ✅ Yes (mobile) | Free |
| Email with link | ❌ No | ✅ Yes (mobile) | Free |
The critical difference is phishing protection. With SMS or TOTP, an attacker can capture the code in real time. With a security key, the device validates the domain before responding, blocking the attack even if the attacker has your password.
The backup rule: always have two keys
This is the most common mistake when starting out: registering only one key. If you lose it or it breaks, you will be locked out of all the accounts where it was configured. The solution is simple: always register a second key as a backup and store it in a safe place.
Buy two keys from the start. Use the first one daily and keep the second as a backup. If a service does not allow you to register a second key, keep your recovery codes printed on paper.
Frequently Asked Questions
Does it work on a mobile?
Yes, if the key has NFC or a compatible USB-C connector. Both models recommended here include NFC — you simply tap the key against your phone to authenticate.
What happens if I lose it?
If you registered a second key or saved your recovery codes, you can restore access without any issues. This is why setting up a backup from the start is so important.
Does it work with Gmail, Outlook, and social media?
Yes. Google, Microsoft, GitHub, X, and most relevant platforms support FIDO2 and WebAuthn.
Does it have a battery?
No. It is powered by the USB port or the NFC field. It does not require charging or maintenance.
Do I need to install any drivers?
No. YubiKeys function as standard HID devices — they are recognised automatically on Windows, macOS, and Linux.
Where to start
A security key is the most effective way to protect online accounts against phishing and credential theft. If you have never used one, this is the recommended order: buy two keys (one for daily use, one for backup), register them first with your primary email and password manager, and store the recovery codes for each service on paper.
The cost of two keys — less than £100 — is low compared to the impact of losing access to a critical account.