Have you ever seen someone plug a USB dongle into their device in order to sign in to something? Or worked for a company that required you to use one whenever you unlocked your laptop, or logged in to an important account?
These authenticators are called hardware security keys. Some people will also refer to them as just security keys, or two-factor security keys.
Here, we’ll break down what these dongles are and how they make it harder for criminals to gain access to your devices and accounts.
What is a hardware security key?
A hardware security key is a way to prove that you or someone you trust – and not a criminal – is trying to access or sign in to something. They’re known as a “possession factor” because they prove you physically own something used to authenticate your account.
Security keys are a form of two-factor or multi-factor authentication (MFA). This means that when you log in with your normal credentials – which could be a four-digit PIN code on your phone, or a username and password on a website – you’ll be asked to provide your security key, too.
Not all devices and services support these keys. But the situation is improving all the time. You can also use security keys with many single sign-on services like Okta and password managers including 1Password (more on that later).
The benefits of using a hardware security key
You might be wondering: “Okay, it’s a second form of authentication – how exactly does that keep out criminals?” Think of it this way:
Imagine you’re the ruler of a castle. And you want to make sure that only your most loyal knights are allowed inside. You could create a password for the front gate, but what if one of your enemies overhears it? To be on the safe side, you could give your knights a brooch. Then you could tell your guard at the front gate to only allow people through who know the password and possess the brooch.
Of course, it’s not a completely perfect system. It’s possible an assassin could overhear the password and steal a brooch from one of your knights. But it’s very unlikely, which makes the system far more secure than just using a password.
Hardware security keys are a lot like the brooch – a physical item used to authenticate your account in addition to a password. But they aren’t the only form of multi-factor authentication (MFA) available. You might be familiar with other MFA options that don’t involve a physical key, like a one-time code sent via email or text message, or generated by an authentication app like Authy.
But a security key could be considered more secure than most of these methods. Why? Because it’s a physical object. A criminal is unlikely to target you specifically, find out where you work or live, travel to that location (or send someone on their behalf) and try to steal your key. The process is simply too expensive and time-consuming, especially when they can use other tactics like social engineering.
The downsides of hardware security keys
Nothing is perfect. If you’re thinking of using a hardware security key, you should also be aware of the drawbacks and plan accordingly:
Hardware security keys cost money. Physical security keys are generally affordable, but they aren’t free. Still, buying one is arguably a small price to pay for securing your digital life. Many companies will also offer their employees free or heavily discounted security keys to use at work.
You have to take your key with you. Most of them are small, but it’s one more thing to keep in your bag, on a keychain, or stuffed in a pocket.
You can misplace or lose a physical security key. Many services will let you authenticate another way – like entering a recovery code – if you forget, lose, or destroy your hardware security key. Nevertheless, it’s never fun to arrive at the office and realize that you’ve left your authenticator at home.
Some keys only work with specific devices. There are all sorts of security keys that support USB-A, USB-C, Lightning, NFC, or a combination of all four. Make sure you choose a key that works with all your devices, or consider using multiple keys that cover everything you own.
Using a hardware security key with 1Password
Should you use a hardware security key to protect your 1Password account? That’s up to you.
1Password is already secure by design. All of your passwords and other saved items are protected by two things: your 1Password account password and your Secret Key. Only you know your account password, and your Secret Key is generated locally during setup. The two are combined on-device to encrypt your vault data and are never shared with 1Password.
We have many protections in place to stop criminals from accessing our servers. But even if a thief somehow slipped through, they would only have access to a bunch of encrypted gibberish. All of the data would be worthless without both your account password and Secret Key.
But if you would like an extra layer of protection, you can secure everything in your private vaults with a security key too. This means you’ll be asked to authenticate with the key when you sign in to your 1Password account.
The bottom line
Hardware security keys are an excellent form of multi-factor authentication. You might want to use one for all of your devices and online accounts, or only for a select group that you think should have a higher level of security.
Not ready to take the plunge? You can still secure your digital life by using a password manager. 1Password will help you create, store, and autofill strong passwords for all your online accounts. Our security model also ensures that only you can access everything that you’ve saved in your private vaults – so you can rest assured that you’ve put your safety first.