- #security
- #2fa
- #yubikey
- #gear
What is a YubiKey and should you get one?
A hardware key is the only common form of 2FA that a fake login page cannot beat. Here is what it fixes, what it does not, and why you should buy two or none.

Most account takeovers start the same way: someone types their password and a six-digit code into a fake login page. The code is real. The page is not. That is the hole a hardware key closes, and it is the only common form of 2FA that closes it.
What a YubiKey actually does
A YubiKey is a small key that plugs into a USB port or taps against your phone over NFC. When a site asks you to sign in, you touch the key and it answers a cryptographic challenge. The important part is what happens on a fake site: nothing. The key verifies the real domain as part of the protocol. A phishing page on a lookalike domain cannot get a valid answer out of it, no matter how convincing it looks. There is no code on a screen, so there is nothing for you to type into the wrong place.
App codes from Google Authenticator or Authy do not have that property. If a phishing page asks for your code and you type it in, the attacker has about 30 seconds to replay it, and automated phishing kits do exactly that. This is why phishing-resistant MFA keeps showing up in the Security+ SY0-701 material I am studying right now. The exam cares about the difference. So do attackers.
To be fair to the other side: app codes still stop the most common attack, which is someone reusing a password leaked from another site. If you run a nail salon or a landscaping company and you have any 2FA turned on at all, you are already ahead of most of your competitors. App codes are fine for most people. A hardware key is for the accounts where a takeover would actually hurt: your email, your domain registrar, your bank, the Google account that owns your business listing.
The two-key rule
Never buy one key. Buy two.
Register both keys on every account. Keep one on your keychain and put the second in a drawer at home or in a safe. If you lose your only key after disabling the weaker fallback methods (which is the whole point), you can lock yourself out of your own accounts. Recovery is slow and sometimes impossible. A second key turns a disaster into a mild errand.
That is the honest cost of hardware keys, and nobody selling them says it loudly enough: you are trading phishing risk for lockout risk. The backup key is how you buy that risk back down.
What it does not fix
A key protects the login. It does nothing about:
- Malware already on your machine. If your laptop is compromised, everything after you log in is compromised too.
- Sites that do not support keys. Plenty of small-business tools still offer SMS codes or nothing, and the key cannot help there.
- Social engineering that skips the login page. If someone talks your phone carrier into a SIM swap, or talks you into installing remote access software, the key never enters the picture.
It is one strong lock on one door. Worth having. Not a security program by itself.
The keys I would actually buy
I kept this list to what a broke early-career dev or a small-shop owner would actually spend money on.
Yubico Security Key C NFC - the blue one. FIDO2/WebAuthn only, USB-C plus NFC for phones, around $30. This is the right first key for almost everyone. It covers Google, Microsoft, Apple, GitHub, and most password managers. The tradeoff is that it skips the advanced protocols (OTP slots, PIV smart card, OpenPGP), which you will not miss unless you already know you need them.
YubiKey 5C NFC - the full version, roughly double the price. Adds PIV, OpenPGP, and OTP on top of FIDO2. I like it as a dev because it can hold an SSH key and sign git commits. The tradeoff: if PIV and GPG mean nothing to you, you are paying extra for features you will never touch.
YubiKey 5 NFC - the same key with a USB-A connector. It earned its spot because a lot of small businesses around here run older desktops with no USB-C port at all. Tradeoff: new laptops and phones are USB-C, so this one ages worse.
Google Titan Security Key - Google's own FIDO2 key, usually a little cheaper than a comparable YubiKey. A fine choice if your whole business lives in Google. Tradeoff: fewer protocols than a YubiKey 5, and Yubico has the longer track record on firmware.
Skip this: YubiKey Bio - the fingerprint version. It costs a lot more, and the fingerprint mostly replaces a PIN you would have typed anyway. A stolen key is already useless without that PIN. The Bio solves a problem most people do not have. Spend the difference on your backup key instead.
If you remember one thing from this post, make it this: two blue Yubico Security Key C NFCs, registered everywhere that matters, one on the keychain and one in the drawer. Around $60 total for a login that phishing kits cannot beat. And if your important accounts are still on SMS codes or nothing, fix that first. It costs nothing.
community rating
$ ls ./comments
sign in or create an account to rate and comment.
no comments yet, be first.