If you have ever logged into a Google account with a small USB stick that you tap to confirm “yes, this is really me” — that was a hardware security key. They are the strongest second factor on the consumer market, they cost less than a nice dinner, and they almost completely eliminate phishing as a way to break into your accounts.
This guide explains what they actually are, how they work, why software-based 2FA stopped being enough years ago, and what to look for when you buy your first one. No jargon dumps, no marketing copy. Just the parts that matter.
What is a security key?
A hardware security key is a small physical device — usually the size of a USB stick or a thick coin — that proves your identity to a website without ever sharing a password. You plug it in (or tap it via NFC), you confirm the action by touching a button or, on newer keys, a touchscreen, and the website logs you in.
What makes a security key different from a one-time code generator (Google Authenticator, Authy) is the cryptography. Instead of typing a six-digit code that an attacker on a fake login page could capture and relay, the key signs a fresh cryptographic challenge together with the domain (the relying-party ID) that the browser takes from the page's real address, not from anything the page itself claims. If you are on g00gle.com instead of google.com, the browser asks the key for a credential belonging to g00gle.com, the key has none, and nothing gets signed. There is nothing for a phishing site to steal; the protection is mathematical rather than something you have to notice.
That single property is why the FIDO Alliance, the industry consortium that publishes the standards, calls security keys “phishing-resistant by design.” It is also why CISA describes FIDO/WebAuthn authentication as the gold standard of MFA and recommends it for high-value accounts.
How FIDO2 works under the hood
FIDO2 is the umbrella name for two specs working together: WebAuthn (the browser-side API) and CTAP2 (the protocol the browser uses to talk to your key). When you register a key with a new account, three things happen on the device:
- The key generates a brand-new public/private key pair, specific to that one website. The private key never leaves the device. The public key is sent to the website and stored in your account.
- The key returns a credential ID. The website stores it next to the public key and presents it again at login, in effect asking for “the credential you registered last Tuesday for this user,” so the key knows which private key to use.
- The user touches the key (or, with biometric models, a fingerprint sensor) to prove a human is physically present.
When you log in later, the website sends a random challenge. The browser adds the relying-party ID, which it derives from the page's real origin, and hands both to the key. The key signs the challenge with the private key it generated for that specific site, and only that specific site. For a credential that belongs to a different domain there is simply nothing to sign, so the key declines. That is the entire phishing defense in one sentence.
Two things follow from this design. First, a thief who steals the key still needs more: as a plain second factor the key is useless without your password, and when a site asks for user verification (passkey and passwordless logins do), the key demands your PIN or fingerprint before it will sign anything. Second, the same key works on every FIDO2 site without any per-site configuration on your end. You enroll it once per account, you tap it, you are in.
The 4 main types of hardware keys
The market has settled into four broad categories. Knowing which one fits your life makes the buying decision much easier.
USB-A button keys. The original form factor: a USB-A stick with a metal button. Cheap, small, and bombproof. Drawback of the USB-A-only models: no NFC for phones, no biometrics, no display. In practice it stays plugged into one desktop.
USB-C / NFC combo keys. The modern default. USB-C plugs into laptops and Android phones, NFC taps onto iPhones and access systems. Most current YubiKeys, Google Titan keys, and SoloKeys live here. Still no display, but the form factor covers nearly every phone and laptop shipping today.
Biometric keys. Same form factor as the USB-C combo, plus a fingerprint sensor on the body. The fingerprint stands in for the PIN day to day (the PIN stays as the fallback). Convenient if you authenticate often; expensive (typically €70-€90); not useful if you wear gloves at work.
Touchscreen smart keys. The newest category, where MiixKey lives. A small color screen on the device shows you the domain, the username, and the action being signed before you confirm it. The same hardware can also store passwords, NFC profiles, and OpenPGP keys, because the screen makes a vault navigable without a host app.
A side note on form: Yubico’s blog has good photo comparisons of every YubiKey shape. The shape matters more than people expect — a key that hangs awkwardly off your laptop is a key you will eventually leave at home.
Why software 2FA is no longer enough
For a decade, the standard answer to “how do I protect my email” was SMS codes, then authenticator apps. Both are still better than a password alone. Both are also bypassed routinely in 2026.
SMS-based 2FA is broken by SIM swap fraud. An attacker with your phone number and a few personal details calls your carrier, claims to have lost the SIM, and talks the agent into porting your number to a SIM card they control. Every code now goes to them. SIM swaps are not exotic: the FBI’s IC3 report has logged thousands of cases per year for the past five years.
Authenticator apps fixed the SMS hole, but they did not fix phishing. A convincing fake login page asks you for your password and your six-digit code. You type both. The phishing kit, sitting as an adversary in the middle, forwards them in real time to the real site, gets a session cookie, and is in. Modern phishing-as-a-service platforms automate this entire flow.
Hardware keys close the loop because the cryptographic signature is bound to the domain. A phishing page on a wrong domain cannot get a valid signature, no matter how many times you tap. The user does not need to spot the fake — the math does it for them.
Real attacks security keys defeat
Three concrete threat models, with what a hardware key changes:
Phishing. A well-crafted email links to login-microsoft365.support instead of login.microsoftonline.com. With a password and an authenticator app, you can absolutely fall for this on a tired Monday. With a FIDO2 key, the key refuses to sign for the wrong domain. There is nothing for the attacker to phish.
Credential stuffing. Attackers buy lists of leaked email/password combos and replay them against every popular site. If your Reddit password also happens to be your email password, a credential stuffing run opens both. With a hardware key on your email, the leaked password is useless on its own; the second factor is something the attacker physically does not have.
SIM swap. Even if an attacker convinces your carrier to port your number, none of the FIDO2 sites you protected with the key are reachable through the stolen number. The caveat is that you must also remove SMS as a fallback method on those accounts: a key plus an SMS fallback still falls to a SIM swap, because the attacker simply picks the weaker option at the prompt. Crypto exchanges, primary email, banking: all of these support FIDO2 now and benefit immediately.
Two attacks the key does not solve, in the interest of honesty: malware on the host that hijacks an already-authenticated session (the key proves who logged in, not what the browser does afterwards), and physical coercion (someone holding the key and forcing you to enter the PIN). Hardware keys are not magic; they are very good at the specific class of attacks they are built for.
Setting up your first key
The first time most people set up a security key, the hardest step is figuring out which menu to look in. The flow itself takes about four minutes per account.
Start with your highest-value account, which for most people is primary email. Sign in normally, find the security or 2FA settings, and look for “security key,” “passkey,” or “FIDO2.” Sites use these labels loosely: “passkey” usually means a credential stored on the key itself that can replace the password, “security key” a plain second factor, and both are FIDO2 underneath. Click “add key.” The browser prompts you to insert and tap the key. Touch the button (or, on a touchscreen key, the screen). Give it a name like “Primary key — black YubiKey” so you can recognize it later in your account list.
Now do it again with your second key. Buy two from the start. Every security professional you ask will tell you the same thing — a single key is a single point of failure. The second key lives in a drawer at home, in a safe, or with a trusted person in another city. The minute you lose your daily key, the backup gets you back in without a 24-hour customer service nightmare.
Finally, print or write down the recovery codes the site offers, fold the paper, and put it somewhere physical. Not in your password manager, not in your email — a place that survives a stolen laptop. We cover the full step-by-step for the most popular sites in how to set up a security key with Google and GitHub.
Choosing the right key
Six features actually matter. Everything else is marketing.
Connector. USB-C is the safe default in 2026. USB-A is fine for an older desktop but limits you on new phones. Avoid Lightning-only keys.
NFC. Tap-to-authenticate on phones and access cards. Worth the small price bump for almost everyone.
Touchscreen or display. A screen confirms the domain before you authenticate. With phishing kits getting more convincing every year, this is the single biggest UX upgrade of the past five years. MiixKey’s 2-inch color screen also enables on-device password search and NFC profile management.
Capacity. The limit that matters is discoverable credentials (passkeys stored on the key itself); plain second-factor registrations do not consume slots, because the site holds the credential ID. Cheaper keys store 25-32 discoverable credentials, which fills up fast if you use passkeys on more than a handful of accounts. MiixKey holds 5 slots of 64 credentials each (320 total) plus a 3,000-entry password vault.
Biometric. Fingerprint sensors are convenient if you authenticate ten times a day; less interesting if you authenticate twice a week.
Certifications. FIDO Certified Authenticator Level 1 is the consumer baseline and covers protection against software attacks. Level 2 requires the key material to live in a restricted operating environment such as a secure element or TEE, and Level 3 adds hardware tamper resistance. FIPS 140-3 validation (NIST’s cryptographic-module standard) is required in some regulated industries and overkill for most consumers.
A more detailed buyer’s comparison is in MiixKey vs YubiKey: touchscreen security compared.
MiixKey vs traditional keys
The pitch for a traditional key is “tap the button, do not think about it.” That works until you need to know which key you tapped, which account it was for, or whether the prompt is real. Then the absence of a screen becomes a wall.
MiixKey adds three things on top of the FIDO2 baseline. The 2-inch color touchscreen shows the domain and username for every login, so phishing becomes visually obvious on top of being cryptographically blocked. The hardware-encrypted vault stores 3,000+ passwords, browsable from the device itself with no host app required. Up to 8 NFC profiles let the same key replace office badges, gym cards, and transit passes: one device instead of a stuffed keychain.
The trade-off is size and price. A traditional key fits on a keychain and costs €40-€60. MiixKey is closer to a thick coin, costs €129, and is built around the assumption that you would rather have one capable device than three single-purpose ones.
The bottom line
A hardware security key is the strongest, simplest second factor you can put on a high-value account today. The hard part is no longer the cryptography — FIDO2 has solved that. The hard part is picking a key that fits the way you actually live and setting up two of them on day one.
If you are starting from zero, get a key with USB-C and NFC, enroll it on email and your password manager first, and add the rest of your accounts over the following weekend. If you want a single device that doubles as your password vault and access-card holder, the MiixKey product page has the full spec sheet and bundle pricing.
Ready to set up your first key? Walk through the step-by-step setup for Google and GitHub, or jump to the MiixKey product page.