What’s The Best Security Key to Buy?

Sami Laine

Strong authentication is gaining traction with both consumers and corporations. Everyone agrees that we should protect ourselves better online. With dozens of security keys, authenticator apps, and password managers available, friends and customers often ask me what devices they should use (although, to be honest, they should be asking me a lot more!). Today, I’m going to answer the question here!

If at any point you find yourself confused with all the terminology, check out my article on making sense of the security alphabet soup.

Yes, Get a Security Key

Security keys are the strongest practical authenticators today. They are simple to understand, durable, and portable. They can work cross-platform and can be used on any number of websites that support them.

Now, when I do tell my friends to go buy a couple of security keys, I tend to get a bit of pushback. Let’s address their top counter-arguments first!

How many security keys does one person need?

Why Not an Authenticator App?

How about both? You definitely want to use security keys when possible, because one-time passcodes from authenticator apps can be phished. Now, in my article on why WebAuthn & security keys are great, I attempted to add a security key to all websites important to me, but only 1 in 3 of the sites supported them. Of those sites where security keys weren’t an option, 1 in 4 supported authenticator apps. So, while authenticator apps aren’t as phishing resistant as security keys, they're certainly a lot better than nothing, which is why you’re likely to end up needing both.
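Why the one-time passcode can be phished but the security key cannot comes down to one detail: the code is six digits the site compares against its own copy, while a WebAuthn assertion carries the origin the browser actually saw and a hash of the relying-party ID the browser accepted, and the site checks both before it looks at the signature. The script below is an added illustration written for this article, not code from the original post or from Okta; the relying-party ID `example.com`, the allowed origins and the phishing domain `evil.test` are assumptions, and the browser and key are stand-ins that skip the signature because the origin binding is decided before the signature is ever checked.

```python
import base64
import hashlib
import hmac
import json
import struct

# Hypothetical relying party (RP) configuration; the names are assumptions.
RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://example.com", "https://login.example.com"}


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def browser_assertion(page_origin, requested_rp_id, challenge_b64):
    """Stand-in for browser + security key answering navigator.credentials.get().

    Two things the web page cannot control: the browser writes the page's real
    origin into clientDataJSON, and the authenticator hashes the RP ID that the
    browser accepted.  The signature over both is omitted in this simulation.
    """
    host = page_origin.split("://", 1)[1].split("/", 1)[0]
    # Browser rule: rpId must be the page's host or a registrable suffix of it.
    if not (host == requested_rp_id or host.endswith("." + requested_rp_id)):
        raise PermissionError("SecurityError: rpId does not match page origin")
    client_data = {"type": "webauthn.get", "challenge": challenge_b64,
                   "origin": page_origin}
    flags = 0x01  # UP bit: the user touched the key
    counter = struct.pack(">I", 1)
    auth_data = hashlib.sha256(requested_rp_id.encode()).digest() + bytes([flags]) + counter
    return b64url_encode(json.dumps(client_data).encode()), auth_data


def verify_assertion(client_data_b64, auth_data, expected_challenge):
    """RP-side checks that run before the signature is even examined."""
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (stale or replayed ceremony)"
    if client_data.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin not allowed: " + str(client_data.get("origin"))
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash is not ours"
    if not auth_data[32] & 0x01:
        return False, "user presence not asserted"
    return True, "ok"


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1): the code an authenticator app displays."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_check(secret, typed_code, unix_time):
    """All the RP sees is six digits; nothing records where the user typed them,
    so a code captured by a phishing page is just as valid for the attacker."""
    return hmac.compare_digest(typed_code, totp(secret, unix_time))


def demo():
    challenge = b64url_encode(b"constructed challenge, not random")
    results = {}
    # 1. Real login page: origin, rpIdHash and challenge all line up.
    results["real site"] = verify_assertion(
        *browser_assertion("https://login.example.com", RP_ID, challenge), challenge)
    # 2. Phishing page that asks for our RP ID: the browser refuses the call.
    try:
        browser_assertion("https://example-com.evil.test", RP_ID, challenge)
    except PermissionError as exc:
        results["phish asks for example.com"] = (False, str(exc))
    # 3. Phishing page using its own RP ID and relaying the answer to us.
    #    A real key has no credential for evil.test and would sign nothing;
    #    even a forged answer fails the origin and rpIdHash checks.
    results["phish relays evil.test assertion"] = verify_assertion(
        *browser_assertion("https://example-com.evil.test", "evil.test", challenge), challenge)
    # 4. TOTP: a code phished at t=1000 still works for the attacker at t=1010.
    secret = b"12345678901234567890"  # RFC 6238 test secret, not a real seed
    results["phished TOTP replayed"] = totp_check(secret, totp(secret, 1000), 1010)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Run it and the contrast is the whole argument of this section: the relayed WebAuthn assertion is rejected at the origin check, while the relayed TOTP code is accepted as long as the attacker uses it within the thirty-second window.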

How many authenticator apps does one person need?

Why Not a Password Manager App?

Yes, you should have a password manager, too! Passwords suck, but we’ll be stuck with them for a good while. I have hundreds of passwords, but using a password manager makes it easier and more secure. I’ve even gotten my family members—including my teenagers—to use password managers. Granted, there may have been some eye-rolling involved in the process 🙄.

As a bonus, you can use a password manager as an authenticator app, if you’d like! This helps limit the number of apps you have to shuffle, with the side benefit of some phishing resistance: the manager only offers to autofill a password or one-time code on the domain it was saved for, so a lookalike site gets nothing unless you copy the code over by hand.

Why Not Use Passwordless WebAuthn?

Wouldn’t that be great! Just go to a site on your phone or computer, tap the fingerprint sensor or show your face, and you’re in! Unfortunately, despite the majority of browsers now supporting WebAuthn, very few websites have implemented the passwordless WebAuthn experience so far. Security keys give you most of the same security benefits and are more widely supported.

Why Not Just Use My Existing Device as an Authenticator?

It’s true; FIDO authenticators don’t have to be external security keys. They can be built into devices like phones and laptops and, when these on-device authenticators work, the user experience is great!

Unfortunately, not all browsers support these on-device (a.k.a. platform) authenticators yet (I’m looking at you, Safari). The same is true on mobile, so there are no Face ID logins to websites as of yet.

Finally, many websites don’t support these on-device authenticators, leaving you hanging with a prompt asking you to plug in your security key to USB. One day these platform authenticators may work great, but today security keys are more consistently supported.

Which Security Key Should You Get? 

For the best experience do the following:

  1. Make sure your keys support both the new FIDO2 and the older FIDO U2F protocols. This gives you the ability to leverage the future greatness of WebAuthn while remaining compatible with all existing U2F security key implementations. 
  2. Buy at least two of them. Most sites (and all good ones) support setting up multiple security keys; this way you can always have one on you, and keep one as a backup in a secure place like your fire safe.

After using more than a dozen different security keys over the last couple of years, the easiest to recommend are the YubiKey 5 and Security Key series from Yubico. They come in a variety of form factors, some of which are pretty indestructible (plus Yubico discloses any security advisories). Remember, any time you plug a new USB device into your computer, you implicitly trust the security processes of its manufacturer, from the factory to your hand. 

Now, how do you choose which specific model is right for you? Turns out it can be very hard! I live in a relatively simple ecosystem: a number of different iOS, iPadOS, and macOS devices—nothing else.

My perfect security key would have two connectors, USB-A & USB-C for computers, as well as contactless support (NFC) for use with phones.  But this device doesn’t exist! My next-best security key would be a small USB-C key with NFC. This doesn't exist, either!

My current compromise is to use a USB-C YubiKey 5 that I use along with my MacBook Pro Touch ID platform authenticator as my main security keys. I also have two NFC-enabled USB-A keys as secondary and fire-safe backups. Yes, I am a little paranoid, why do you ask?

If you want to read about other options, check out these articles.

Securing Your Work Accounts

In the workplace, there is more potential for quick improvement and universal adoption of security keys and Web Authentication than in the consumer world. The majority of businesses are putting access to applications behind SSO (Single Sign-On), which makes deploying modern authentication like security keys and Web Authentication much easier since you’re introducing a single control point for identity and authentication. You can see how we at Okta do it in our Dogfooding Chronicles. Of course, the devil is in the details, but that’ll need to be a different article.

Room for Improvement

If a security solution is not very easy to use, it will never gain universal adoption the way SMS 2FA has—despite the many problems of using SMS for authentication. I expect security keys to remain a great option for people like you and me—nerds who would read an article like this. A security key is yet another thing you have to buy, carry, and keep track of. Also, websites have their security settings all in different places with different names; it’s sometimes hard to even find them. Usability remains a challenge—one researcher found that when they tasked study participants to secure a Facebook login with a security key, 70% believed they succeeded, but half of them had actually failed without realizing it!

As an industry, it is our job to give users more secure defaults and easier to understand security controls, in a place where they can be found. If we want to replace SMS with something stronger, our best hope today is getting universal support for smartphone-based FIDO2 (looking at you, Apple and Google) and getting websites to enroll users to it as the default option. Let’s keep pushing!

And until then, we have security keys.

Thanks for reading and stay safe!


Sami Laine
Director, Technology Strategy

Sami Laine is Director of Technology Strategy at Okta. For the last couple of decades Sami has helped many of the world's largest enterprises, financial institutions and public sector organizations protect against fraud, malware, threats and data breaches, and now at Okta helps companies embrace identity as the new security perimeter.