
You may have seen the option to “add a security key” in your account settings, or a small USB device on a colleague’s keyring, and wondered what it does. A security key is the strongest, most phishing-resistant form of two-factor authentication available to ordinary users. Our GetMyPassword team explains what a security key is, how it works, and whether it is worth getting one.

What a security key is
A security key is a small physical device — usually a USB stick, sometimes with NFC for phones — that proves your identity when you log in. Built on the FIDO2 / U2F standards, it holds a secret that never leaves the device. Popular examples include YubiKey and Google Titan, and some phones and laptops have one built in.
Why it is so secure
Unlike an SMS code, a security key is phishing-proof: it cryptographically checks the website’s real address and refuses to authenticate on a fake one. There is no code to type, intercept or trick out of you. To log in, an attacker would need to physically steal the key and know your password — a bar almost no remote attack can clear.
How to use one
- Buy a reputable key (and ideally a spare as backup).
- In an account’s Security → Two-factor settings, choose Add security key.
- Insert or tap the key and follow the prompt.
- Register the backup key too, and store it somewhere safe.
Always register a second security key as a backup. If your only key is lost and you have no other recovery method, you can be locked out of your own account — the same strength that protects you works against you.
Is it worth it?
For high-value accounts — your primary email, banking, or crypto — a security key is the gold standard and well worth the small cost. For everyday accounts, an authenticator app is usually enough. Either way, the key is the second factor; you still need a strong first factor. Pair it with a unique password from our password generator for the strongest protection available.
Frequently asked questions
What is the difference between a security key and a passkey?
A security key is a physical device used as a second factor alongside your password. A passkey is a credential that can replace the password entirely and often lives on your phone or computer. Both use the same FIDO technology and resist phishing.
What happens if I lose my security key?
If you registered a backup key or another second factor, use that to sign in and remove the lost key. This is why you should always set up a spare — without one, recovery can be difficult.
Do I still need a password with a security key?
Usually yes. A security key is typically the second factor, so you still enter a password first. Keep that password strong and unique; the key then makes the login almost impossible to break remotely.



