How to set up a hardware security key (YubiKey)
Why this matters
Authenticator app codes can be phished in real time — a fake login page captures both your password and the 6-digit code you enter, then immediately replays them on the real site. A hardware key uses a cryptographic challenge-response that’s bound to the specific domain, making real-time phishing impossible.
Hardware keys are overkill for most accounts. But if you have crypto holdings, business email, GitHub with production deployments, or are a journalist or activist, the upgrade is worth the cost.
How to do it
- Buy a YubiKey 5C NFC (or two — register a backup). Alternatives: Google Titan Key if you’re in the Google ecosystem; any FIDO2-certified key works.
- Register the key on your most critical account first: Google account, iCloud, or GitHub. Go to security settings → “Security keys” or “Passkeys and security keys.”
- Tap the key when prompted (USB-C plug in, or NFC tap for mobile).
- Register your backup key on the same accounts.
- Store your backup codes in your password manager.
- Verify the setup: on a second device, try signing in without the key and confirm that the account refuses to sign you in.
What you don’t need
You don’t need a hardware key for every account — only the ones where a takeover would be catastrophic (email, banking, crypto, primary work tools).
Frequently asked questions
Do I really need this if I already have an authenticator app?
For most people, no. An authenticator app is sufficient. A hardware key is worth it if you have high-value accounts (crypto, business email, GitHub with production deploys) or are at elevated risk of targeted phishing.
Which YubiKey should I buy?
The YubiKey 5C NFC works for most people — USB-C for laptops, NFC tap for iPhones (iOS 16.3+) and Android. Get two and register both on your critical accounts.