I have always known about physical security keys, also called hard tokens, but never actually used one despite my curiosity. So, I was kind of excited when I got my hands on two cool things: a YubiKey 5 and a Google Titan security key.
Now that I have two kinds of security keys, I tested both on some platforms people use regularly to see what the fuss is about.
A quick intro to security keys: A security key can work in place of other forms of two-factor authentication, such as receiving a code through SMS or tapping a button in an authentication app. Most keys are about the size of a thumb drive and are used either by plugging them into a computer or, on NFC-capable models, by holding them against a mobile device so they communicate over NFC (Near Field Communication). The difference from an SMS code or an app prompt is that the key answers a challenge tied to the specific site you are logging into, so it cannot be tricked into approving a login on a look-alike phishing page.
When logging into an account, you enter your password as usual, then plug the security key into your computer or mobile device and touch it when prompted; that touch is your second form of authentication, and that’s that. Alternatively, with the NFC-capable models of both the Google Titan and the YubiKey, you can hold the key against the back of your mobile phone and that provides the same authentication as plugging it into the device.
The platforms I tested with these two security keys are Microsoft 365 (M365), Google, and Twitter. I looked into trying these out with some more platforms, but, unsurprisingly, services that support security keys are still the minority. Let’s hope to see some change in this department in 2024.
A quick caveat is that I tried to do my testing while having a password manager as an extension in my browser (Mozilla Firefox). I found that having the password manager enabled occasionally messed up the key registration process because it would try to store the key as it would a password.
For example, when I tried to register both the Google Titan and the YubiKey on M365, I would get an error if I rejected the password manager’s prompt to save the key.