The Top 5 Security Keys For MFA
Discover the best hardware security keys for user authentication that can keep your accounts safe. Explore features like compatibility, security, and ease-of-use to find the best solution for your needs.
Written by Alex Zawalnyski
Technical Review by Laura Iannini
-
1.
Google Titan Security Key
-
2.
HID Crescendo Key Series
-
3.
Kensington VeriMark Guard
-
4.
Nitrokey Storage 2
-
5.
Yubico YubiKey 5 Series
As users log in to important accounts from a range of physical locations on a range of devices, ensuring only authenticated users have access is harder than ever before. With the implementation of MFA, you can ensure that the right people have access to the right accounts, no matter what device or where in the world they’re logging in from.
But not all MFA is created equal, and some methods of authenticating user access are more secure than others. Security keys, or hardware tokens, can be a very effective and secure means of verifying identity. By cross-referencing a hardware factor with a software factor, you make it much harder for hackers to find a way of fraudulently accessing your accounts, as they would need access to the physical key to gain access.
In this article we’ll consider the top hardware keys for MFA. We’ll consider and compare key features including ease-of-use, security, compatibility, and integrations. Some MFA hardware providers offer a wrap-around service to keep your account safe, or additional built-in features – like encrypted storage – to protect your data as well as your identity.
Google Titan Security Key
The Titan Security Key is Google’s entrant to the MFA hardware market. This affordable device adds a layer of security to your 2FA or MFA solution, ensuring your accounts are kept safe from fraudulent access.
Google Titan Security Key Features:
The key can be bought as a USB-A or USB-C version, both of which offer NFC to make authentication quick. The authentication key will flash when connected to a device, making it obvious that an NFC has been established.
The key’s hardware is tamper-resistant, ensuring that your key will always keep your accounts safe. The key also supports FIDO U2F standards, so you can have a clear understanding of how the key works to securely verify your identity.
Google partnered with Yubico to manufacture the key – this ensures that the highest standards were met from design to manufacture and production. With the key, you can also enrol in the APP (Advanced Protection Program). This is a Google-backed service that keeps your accounts safe by verifying applications and downloads, as well as preventing hackers from impersonating your account.
The key can easily be integrated with common websites like Google Account, Dropbox, Salesforce, and GitHub, amongst others, as well as other third-party identity security products such as 1Password.
Expert Insights’ Comments: The Google Titan Security Key offers the features and capabilities that you’d expect from a security key. Authentication is quick and easy, while many applications can be integrated to ensure your workflow is not impeded. For organizations using Google Cloud, account management can be particularly straight forward as admin users have the ability to enforce the use of Google Titan keys across their organization.
Google Titan Security Key
HID Crescendo Key Series
Austin-based HID makes MFA verification easy with their Crescendo series – they offer a card or a key option. High authentication standards ensure that identification can be verified with a high degree of accuracy.
HID Crescendo Key Series Features:
The Crescendo Key Series authenticators are designed around the FIDO2, OATH, and PIV frameworks – this ensures that you are compliant with any relevant legislation that requires the use of these authentication methods.
The Crescendo platform aligns with NIST Digital Identity Guidelines for a Level 3 authentication device – this means that the key can show signs when it has been tampered with and take proactive steps to prevent malicious actors gaining access to the cryptographic module. This means that you can easily tell if your key is not safe to use.
The keys utilize NFC, as well as being USB-A or USB-C compatible. Each key has its own digital signature which ensures that recipients can verify that the email is from you. This gives an extra layer of security to protect against spear phishing attempts. The keys also implement advanced end-to-end encryption to ensure that only authorized users can access to sensitive information.
The Crescendo key is smaller than many others on the market, which makes it less obtrusive when plugged into your computer. Like many other security keys, it has a keyring loop to ensure that you don’t lose it.
Expert Insights’ Comments: With HID’s Crescendo authenticators, your accounts will be kept secure and compliant with a wide range of regulations – including GDPR, HIPAA, and PCI-DSS. The keys are easy to integrate with your existing security set-up, thanks to the ease of managing the credential lifecycle from a single platform.
HID Crescendo Key Series
Kensington VeriMark Guard
The VeriMark Guard by Californian company, Kensington, is a sleek and efficient MFA security key. It supports a wide number of integrations and can quickly authenticate identity with the inbuilt fingerprint scanner.
Kensington VeriMark Guard Features:
Kensington VeriMark brings a built-in fingerprint sensor to add a high level of security to the verification process. The key can also be configured to run SSO as 2FA or MFA, and what Kensington calls “Tap-and-go”. This allows users to authenticate identity with a tap, rather than with fingerprint recognition.
VeriMark offers universal integration, meaning that it will work with any OS. Kensington is aware that the security key market is ever growing and evolving, so, rather than allowing their technology to become outdated, their “VeriMark Guard” USB-A and USB-C authenticator can be continually updated to ensure you’re working with the most up-to-date procedures and standards.
The key is FIDO2 and FIDO U2F certified, making it secure with a trusted framework. The key is compatible with a host of webservices, including Google, AWS, and Microsoft, as well as others. The key can be purchased as a USB-A or a USB-C; however, it doesn’t offer NFC.
Once the key is set up, logging into accounts is frictionless for end users. According to Kensington’s product testing, the fingerprint sensor has a false acceptance rate of 0.001% and a false rejection rate of 2%. This ensures that you can protect your users’ accounts with the highest level of security without impeding on the login workflow.
Expert Insights’ Comments: Users praise the Kensington VeriMark Guard for its compatibility – the key is widely accepted by most computer devices, as well as browsers. This ensures that however you usually work, your security set up can be enhanced with Kensington.
Kensington VeriMark Guard
Nitrokey Storage 2
Nitrokey’s Storage 2 is a versatile security key with a host of additional features to keep your accounts and sensitive information safe. The Nitrokey goes beyond being just an MFA authentication tool, thanks to the inbuilt storage and security features.
Nitrokey Storage 2 Features:
The Nitrokey contains between 16-64GB of storage, making it more than just an authentication device. This memory can be used to store important files that are automatically hardware-encrypted by the Nitrokey. GnuPG, OpenPGP, S/MIME, or Thunderbird encryption keys can also be stored on the key. A separate password is required to access the encrypted and hidden storage compartments within the Nitrokey – this makes it incredibly secure.
The Nitrokey can generate OTPs, which can function as a secondary authentication factor – this ensures that accounts are inaccessible to everyone but the legitimate user. With continual updates, you can ensure that the firmware is as effective as possible, and you are able to assess the firmware before you install it to verify its integrity.
An LED light on the key shows you the integrity of a computer BIOS (basic input/output system) – green denotes that the BIOS is intact, whilst red suggests manipulation has been detected. This ensures you can maintain a robust and effective security posture.
Expert Insights’ Comments:
The Nitrokey, with its advanced host of features, is designed to provide a high level of security to those who need it. The ability to store documents and encryption keys on the Nitrokey makes this a good choice for individuals and organizations who handle particularly sensitive information, like journalists or government agencies.
Nitrokey Storage 2
Yubico YubiKey 5 Series
The YubiKey 5 Series is the latest hardware security key from Swedish company Yubico. The company is often first on the list of MFA security keys, thanks to their ergonomic designs and robust security protocols. The YubiKey 5 Series offers a range of models, each with different ports and authentication actions.
Yubico YubiKey 5 Series Features:
The YubiKey is built around the FIDO2 & FIDO U2F security protocols, this makes it robust and secure. The keys also conform to PIV, OATH, and Open PGP specifications. This means that YubiKeys remain secure, and at the forefront of cybersecurity developments.
There is no need to remember a password with YubiKey, thanks to the fingerprint scanner built into the unit. This makes ID verification seamless, but no less secure. The key can be configured to work as part of a SSO, 2FA, or MFA solution when the highest level of assurance is needed.
Yubico has thought about practicality when building these units, as they are both water and crush resistant. The larger keys have a loop to fit onto a keyring, so you can take them wherever you go.
Users praise how easy the touch/fingerprint sensor is to verify your identity – this is even faster than using an OTP from an authenticator app. The versatility and number of integrations is also praised by users.
Expert Insights’ Comments: The YubiKey 5 Series by Yubico is a strong solution that is highly regarded by many in the industry. We would, therefore, recommend the YubiKey 5 Series to organizations or individuals who need an added layer of security when authorizing their accounts in a simple and effective manner.
Yubico YubiKey 5 Series
FAQ
What Is An MFA Key?
An MFA security key is a small hardware device that can be used as an authentication factor for logging in. The keys look much like a USB device. These keys must be presented when attempting to log in to confirm that a login attempt is made by a valid user.
To use a security key, you will have to plug it into your device – some devices use near field connection (NFC) – then log in. You will only be granted access to your account if you are in possession of this key and have the corresponding log in credentials. Some keys will have additional security features such as a pin code or a fingerprint sensor. This adds an additional layer of security to the login.
Hardware security keys will have a series of inbuilt features to prevent their misuse. The keys are often tamper-proof, with anti-duplication features built in. As this is a physical object, there are several practical concerns to consider when using a key: How portable and manageable is the key? Is it water and dustproof? Does your infrastructure support its means of connection?
Using hardware security keys is one of the most secure authentication factors. The fact that a user must be in possession of a physical device, that is, itself, highly secure makes it much harder for an attacker to access your accounts. In some use cases, the fact that you must be in possession of a physical device can be a drawback. This system will be much more time consuming to roll out than a OTPs for instance. It will also have a higher cost and be more complicated for admin to resolve issues. In the trade-off between ease and security, hardware keys are more secure, therefore having a greater impact on ease of use and productivity.
Who Should Use Hardware Security Keys?
In the perfect world – where security is the only factor – everyone should use hardware security keys, for everything they do. They are much more secure than traditional login methods, especially when paired with biometric authentication. It is far easier to obtain a password from a data breach, or social engineering, than it is to obtain a physical device that can only be used in conjunction with the correct fingerprint.
However, we do not live in the perfect world. Security is not the only factor to consider.
We must be mindful of the cost of these devices, as well as the limitations of needing to physically present the key to gain access.
These devices have three main use-cases: for gaining access to areas that need to be kept particularly secure; for employees who cannot use mobile devices; and workplaces where the hardware key can also act as physical ID.
1. Secure Areas. As hardware keys are much more secure than other types of authentication, they can be used to protect highly sensitive areas. As an organization, you will know exactly how many devices – and therefore users – have access to an account area. Unlike a password that can be shared infinitely, there is a maximum number of users who can have access at any one time. If an attacker does want to gain access, their attack will have to be physical, rather than a virtual cyber-attack. This escalation is one that most cyber-attackers are not willing to do.
2. No Mobile Devices. Depending on where and how your employees work, mobile phone authentication – be it OTPs or biometric – may not be viable. On oil rigs, or in certain manufacturing environments, having a mobile phone can pose a safety risk. Equally, in highly sensitive (governmental) organizations, mobile devices may be prohibited. In these cases, a security key can provide access for those who need it.
3. Physical ID. Hardware security keys can be packaged in a multitude of ways. Some companies opt to put a photograph and ID information on a hardware security key. This allows the key to be used as physical ID – to show to a security guard, for example – as well as allowing access to digital systems.
What Happens If A Hardware Key Is Lost?
The first thing to do is to notify your system administrator, or the company that manages your security cards. They will be able to deactivate the hardware key to ensure that it cannot be found and used by another user. Even though a hardware key on its own would not allow a stranger to access your systems, it is good practice to have the key deactivated.
You can then look to recovering or replacing the lost key, thereby restoring access for the users who need it. Some companies will provide additional keys with your subscription package for just this instance.
Written By
Alex is an experienced journalist and content editor. He researches, writes, factchecks and edits articles relating to B2B cyber security and technology solutions, working alongside software experts. Alex was awarded a First Class MA (Hons) in English and Scottish Literature by the University of Edinburgh.
Technical Review
Laura Iannini is an Information Security Engineer. She holds a Bachelor’s degree in Cybersecurity from the University of West Florida. Laura has experience with a variety of cybersecurity platforms and leads technical reviews of leading solutions. She conducts thorough product tests to ensure that Expert Insights’ reviews are definitive and insightful.