What Is a Security Key? Hardware 2FA Explained

2FA & Passkeys · 3 min read

A security key is a small physical device — usually a USB stick or an NFC tag the size of a house key — that proves a login is really you. Instead of typing a code, you plug it in or tap it, and the key performs a cryptographic handshake with the website. It is widely considered the strongest form of two-factor authentication available to ordinary people.

How a security key works

When you register a security key with an account, the key generates a unique pair of cryptographic keys for that specific site. The public half is stored by the website; the private half never leaves the device. At login, the site sends a challenge, the key signs it with the private key, and the site verifies the signature.

Two things make this powerful:

  • The secret never travels. Unlike a password or an SMS code, there is nothing to intercept or phish — the private key stays inside the hardware.
  • It is bound to the real site. The key checks the website's identity before responding, so a fake phishing page gets nothing even if it looks identical to the real one.

That second point is why security keys are essentially phishing-proof, and why high-risk accounts and large companies rely on them.

Security key vs. authenticator app vs. SMS

Not all second factors are equal. From weakest to strongest:

  1. SMS codes — better than nothing, but vulnerable to SIM swapping and interception.
  2. Authenticator apps — far better than SMS, generating codes on your device. See authenticator app vs SMS 2FA.
  3. Security keys — the strongest, because they can't be phished and require physical possession.

For most accounts, an authenticator app is plenty. For your most critical accounts — email, your password manager, your domain registrar — a hardware key is worth it.

Passkeys are the software cousin

If a security key sounds a lot like a passkey, that's because they share the same underlying technology (FIDO2/WebAuthn). A passkey stores that same kind of private key on your phone or laptop, protected by your biometrics, while a hardware security key stores it on a dedicated, portable device. Both resist phishing for the same reason.

Do you need one?

You don't need a hardware key for every account, but consider one if:

  • You're a high-value target (developer, admin, journalist, finance).
  • You want phishing-proof protection on your "keys to the kingdom" accounts.
  • You want a backup factor that works even when your phone is dead or lost.

A common setup is two keys — one daily-carry, one stored safely as a backup — registered on your most important accounts.

Where Passlock fits

Passlock keeps your passwords in the native macOS Keychain, protected by Touch ID and your device's secure hardware — so the credentials themselves stay local and encrypted. Pair that with two-factor authentication and, on your most critical accounts, a hardware security key, and you've layered the strongest protections available. Strong, unique passwords plus a phishing-proof second factor is the combination attackers can't beat.

Frequently asked questions

What is a security key used for?

A security key is a physical device used for two-factor authentication. You plug it in or tap it during login to prove it's really you, using cryptography that can't be phished or intercepted.

Are security keys better than authenticator apps?

Yes, for the highest-risk accounts. Security keys are phishing-proof because they verify the website's identity and never reveal a secret. Authenticator apps are still very good and more convenient for everyday accounts.

What happens if I lose my security key?

If you registered a backup key or another second factor, you log in with that. This is why security experts recommend registering at least two keys, or keeping an authenticator app as a backup, before relying solely on a hardware key.
