Though consumers may be less aware of this option, people who work at Google, Facebook, Twitter, and cybersecurity companies have been quick to embrace it.
Instead of entering a code into your computer to verify your identity, you insert a physical key.
In some cases, the key and computer are linked via Bluetooth. In fact, cellular phones that run versions of the Android operating system dating back to 7.0 (Nougat) can now act as a Bluetooth-connected key.
The good: Google has famously claimed that not one of its 85,000 employees has had a work account phished since the company started using these physical keys in early 2017.
While hackers may be able to phish an SMS code from the other side of the world, they certainly can’t fish a physical key out of the bottom of your purse or nightstand drawer remotely.
What’s more, this method doesn’t require a data connection or a powered-up cell phone.
Regardless of brand and price, security experts recommend buying a key that supports the FIDO2 security standard, which mandates higher levels of cryptography and authentication.
The bad: Yes, you have to buy the key. And you have to make sure it’s with you whenever you need it. Logging in without it can be horribly complicated.
But you can have a backup key or two, just in case the original gets lost. And there are now tiny models that you can just leave plugged into one of your computer’s ports and forget about.
And while many of the major tech companies have embraced security keys, your bank may have not. The overall adoption rate still trails those of other 2FA methods.
And, just a warning, not all browsers work with physical security keys just yet. And if you want to use a key with a mobile device, make sure you buy one that’s compatible. Otherwise, you’ll need to fall back on one of the other 2FA methods above.
While most early keys were USB- or USB-C-compatible, new models also connect through Bluetooth and near-field communication (NFC). And Yubico now makes iPhone-friendly keys with lightning cable connectors.