Hardware Security Keys Explained: YubiKey, Titan, and FIDO2
Hardware security keys are the most phishing-resistant second factor available. Here is how they work and which one to buy.
Why hardware security keys are the gold standard
A hardware security key makes phishing technically impossible for the accounts it protects. That's not marketing language — it's a cryptographic guarantee built into how the FIDO2 protocol works. When you register a YubiKey with a website, the key generates a unique cryptographic key pair for that site. The private key never leaves the hardware. Critically, the authentication response is cryptographically bound to the origin domain — a phishing site at evil-google.com cannot collect and replay a response intended for google.com. The math simply doesn't work.
Compare this to SMS 2FA, TOTP apps, or even push notifications — all of which can be intercepted in real time by a proxy phishing attack. Hardware keys cannot.
FIDO2 and WebAuthn: how it works
FIDO2 is the authentication standard; WebAuthn is the web API half of it that browsers expose to sites (CTAP, the other half, is how the browser talks to the key). When you authenticate with a hardware key:
- The site sends a challenge (a random nonce)
- The browser bundles the challenge with the origin it is actually connected to, and the key signs that bundle (together with its own authenticator data, which carries a hash of the site's relying-party ID) using the private key stored in hardware
- The site verifies the signature using the public key registered at enrollment, and checks that the signed origin and challenge are the ones it issued
- Access is granted — no password was transmitted at any point
Phishing fails because the second step includes the origin. A response signed for google.com will fail verification on evil-google.com — and vice versa.
YubiKey vs Google Titan: a practical comparison
YubiKey 5 Series: The benchmark. Available in USB-A, USB-C, NFC variants. Supports FIDO2, U2F, TOTP (via Yubico Authenticator app), PIV, OpenPGP. Most compatible with services that support hardware keys. $50–$70 depending on model. Recommended for most users.
Google Titan: FIDO2 and U2F support, USB-C and NFC. Simpler than YubiKey — no TOTP or advanced protocols. $30. Good value if you only need basic FIDO2 and primarily use Google accounts.
Yubico Security Key: Budget version of YubiKey, FIDO2 only. $25. No TOTP, no PIV. Good for users who only need phishing-resistant MFA and nothing else.
Which accounts to protect with hardware keys
Priority order:
- Your primary email (recovery for everything else)
- Your password manager (1Password, Bitwarden)
- Banking and investment accounts that support it
- Work accounts with privileged access
- Crypto exchange accounts
Always register two keys — keep one as a backup. Losing your only hardware key and not having backup codes is a serious recovery problem.
When hardware keys and passwords still interact
Hardware keys don't eliminate passwords — they add a second factor. The password still needs to be strong: a hardware key protecting a weak password still leaves you exposed to server-side breaches (if the site stores passwords incorrectly). Generate strong passwords with PassGeni and store them in a password manager, then protect the manager itself with a hardware key.