YubiKeys and Hardware Security Keys

Security Specialist

Authored by: Dickson Wu (SEAL), Louis Marquenet (Opsek), Pablo Sabbatella (SEAL | Opsek)

Summary

🔑 Key Takeaway for YubiKeys and Hardware Security Keys: Use FIDO2/WebAuthn security keys such as YubiKeys on high-value accounts, register at least two keys per critical account, disable SMS fallback where possible, and test recovery before you need it.

Hardware security keys are one of the strongest practical defenses against phishing, credential stuffing, and SIM-swap-based account takeovers. They are especially valuable for email, source control, registrars, cloud platforms, social accounts, and any admin or financial account that could be used to pivot into the rest of your organization.

This page is intentionally narrow: it focuses on using physical security keys to protect accounts, not on broader identity architecture or device management.

YubiKey-Specific Notes

YubiKeys are a common choice because they support several different modes. For most readers, the default priority should be:

  1. FIDO2 / WebAuthn security keys or passkeys stored on the key
  2. OATH TOTP on the key only when the service does not support phishing-resistant options

If you are buying new keys, choose models that match your devices. USB-C is the simplest default for modern laptops, while NFC is useful if you expect to authenticate on phones. Buy directly from a reputable seller and verify the setup prompt carefully so you do not accidentally register a weaker fallback method instead of the hardware key itself.

For Individuals

These steps apply to personal and work accounts that support FIDO2/WebAuthn security keys or passkeys stored on a hardware key.

Setup Checklist

  • Buy at least two security keys from a reputable vendor such as Yubico
  • Prefer keys that match your device mix:
    • USB-C for modern laptops and phones
    • NFC if you regularly authenticate on mobile
  • Label one key Primary and the other Backup
  • Register both keys on every critical account that supports them:
    • Primary email
    • GitHub and code hosting
    • Registrar and DNS providers
    • Cloud and deployment platforms
    • Banking, custody, or treasury accounts
    • Social and communication accounts
  • Where offered, prefer:
    • Security key
    • Passkey on hardware key
    • Other phishing-resistant WebAuthn/FIDO2 options
  • Disable SMS as a recovery or second-factor method wherever the service allows it
  • Save provider-issued backup or recovery codes offline
  • Test both the primary and backup key after enrollment

Practical Use

  • Keep the Primary key with you for normal logins
  • Store the Backup key in a separate secure location, not in the same bag or drawer
  • Maintain a short note in your password manager listing which critical accounts have which keys enrolled
  • If a service allows multiple authentication methods, avoid leaving weaker fallback paths enabled unless they are operationally necessary
  • Replace lost or damaged keys immediately and re-test the remaining enrolled key

Recovery Discipline

  • Do not wait until you lose a key to learn how account recovery works
  • Verify that your recovery path does not depend on a phone number if you are trying to reduce SIM-swap risk
  • If an account only supports app-based MFA or SMS, record that exception clearly and prioritize moving the account to a stronger provider or stronger configuration when possible

For Team Members

These guidelines apply to staff using security keys on shared work accounts or privileged individual accounts.

Team members should:

  • Register hardware keys on their own high-risk work accounts
  • Never share a physical key between multiple people
  • Keep backup keys physically separate from daily-use devices
  • Re-enroll a replacement key immediately if one is lost, stolen, or damaged
  • Report any forced downgrade to SMS or weaker MFA to the relevant administrator

For Admins

These settings and practices apply to administrators responsible for protecting important organization accounts.

Program Checklist

  • Require phishing-resistant MFA for high-privilege accounts wherever the platform supports it
  • Require at least two registered security keys for every admin account
  • Standardize on a small set of supported key types so setup and recovery stay simple
  • Document which accounts require hardware keys and review that list regularly
  • Document a recovery process that does not rely on SMS for privileged accounts
  • Remove old or unrecognized security keys during periodic access reviews
  • Revoke lost keys promptly and confirm a replacement key is enrolled

Operational Notes

  • Hardware keys reduce phishing risk, but they do not replace strong passwords, session review, or app permission reviews
  • For especially sensitive accounts, store backup keys with separate physical controls so one theft or travel incident does not remove both factors at once
  • When a platform supports passkeys, confirm whether the passkey is stored on a hardware key or in a synced software ecosystem before treating it as equivalent to a hardware key
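The Program Checklist and the passkey note above can be turned into a periodic review. The following is an added example, not code from this guide or from any identity provider: it audits a constructed inventory of admin accounts for fewer than two hardware-bound keys, SMS fallback left enabled, key models outside an approved set, and passkeys that are synced rather than resident on a hardware key. The `Credential`/`Account` records, the AAGUID allowlist and the sample data are placeholders; in practice the credential records would come from your provider's admin API. The synced-versus-hardware distinction uses the WebAuthn authenticator-data flags byte, where the BE (backup eligible) bit is set for synced passkeys and clear for credentials bound to a hardware key.

```python
from dataclasses import dataclass
# WebAuthn authenticator-data flags byte: bit 3 (0x08) is BE (backup eligible), bit 4 (0x10) is BS (backup state).
FLAG_BACKUP_ELIGIBLE = 0x08
# Constructed placeholder AAGUIDs standing in for the key models the org has standardized on.
APPROVED_AAGUIDS = {"00000000-0000-0000-0000-00000000aaaa", "00000000-0000-0000-0000-00000000bbbb"}

@dataclass
class Credential:
    cred_id: str  # credential ID issued by the authenticator
    aaguid: str   # authenticator model identifier reported at registration
    flags: int    # flags byte from the authenticator data captured at registration
    def is_hardware_bound(self) -> bool:
        # A synced passkey sets BE; a credential that lives only on a hardware key does not.
        return not (self.flags & FLAG_BACKUP_ELIGIBLE)

@dataclass
class Account:
    name: str
    privileged: bool
    sms_fallback: bool
    credentials: list

def audit(account: Account) -> list:
    # Return checklist findings for one account; an empty list means it is compliant.
    findings = []
    hw_keys = [c for c in account.credentials if c.is_hardware_bound()]
    if account.privileged and len(hw_keys) < 2:
        findings.append(f"only {len(hw_keys)} hardware-bound key(s); require at least two")
    if account.privileged and account.sms_fallback:
        findings.append("SMS fallback still enabled on a privileged account")
    for c in account.credentials:
        if c.aaguid not in APPROVED_AAGUIDS:
            findings.append(f"unrecognized key model {c.aaguid} on {c.cred_id}; review or remove")
        if not c.is_hardware_bound():
            findings.append(f"{c.cred_id} is a synced passkey, not a hardware-bound key")
    return findings

# Constructed sample inventory: one compliant admin account and one that trips several checks.
SAMPLE = [
    Account("registrar-admin", True, False, [
        Credential("cred-A1", "00000000-0000-0000-0000-00000000aaaa", 0x45),
        Credential("cred-A2", "00000000-0000-0000-0000-00000000aaaa", 0x45)]),
    Account("cloud-admin", True, True, [
        Credential("cred-B1", "00000000-0000-0000-0000-00000000aaaa", 0x45),
        Credential("cred-B2", "00000000-0000-0000-0000-00000000cccc", 0x5d)]),
]
if __name__ == "__main__":
    for acct in SAMPLE:
        for finding in audit(acct):
            print(f"{acct.name}: {finding}")
```

Flag byte 0x45 is UP+UV+AT with BE clear (a hardware-resident credential); 0x5d additionally sets BE and BS, which is what a synced passkey reports.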
