YubiKeys & Hardware 2FA: Kill the Password
A small key on your keyring is the difference between a phish that works and one that doesn't. Here's the setup that sticks.
TL;DR
SMS, TOTP, and push are phishable speed bumps. WebAuthn on a hardware key is a different category of defence, origin-bound public-key auth that fails closed against phishing, by construction. Buy two YubiKeys, set PINs, enrol your password manager / email / code hosts / financial accounts in priority order, remove SMS where you can, and commit to a recovery plan that survives losing one key.
What you'll be able to do
- Two YubiKey 5-series keys, both with FIDO2 PINs set.
- Password manager, primary email, and code-host accounts using WebAuthn as the second factor.
- SMS removed as a fallback wherever the provider allows it.
- A recovery plan (backup key in a separate location, or printed recovery codes) you've actually tested.
- Optional: OpenPGP on the YubiKey for git commit signing and SSH.
Prerequisites
- A YubiKey 5 (NFC recommended), and ideally a second one as backup.
- A password manager you already use (Bitwarden, 1Password, Dashlane).
- An hour of uninterrupted attention to do the enrolments correctly the first time.
Threat model
Credential phishing, password reuse, SIM-swap, and push-prompt fatigue against accounts you can migrate to WebAuthn. NOT a defence against post-auth session theft, malware on the endpoint, or recovery-flow social engineering; those need separate work.
Passwords lost in 2012. The industry spent the decade since layering second factors on top: SMS codes, authenticator apps, push prompts, each one phishable by a slightly more patient adversary. In 2022 the Uber and Cisco breaches were both push-prompt fatigue: spam the user with prompts until they tap one to make it stop. The factor wasn't the failure. The model was.
A hardware security key changes the model. It does not send a code that can be intercepted, retyped on a fake site, or forwarded by a man-in-the-middle. It signs a challenge with a private key that physically cannot leave the device, bound to the origin the browser reports (not one the page gets to choose). If the site is attacker.example, the key signs nothing useful; it doesn't even know how. The phishing attack fails by construction, not by the user being clever.
This is the cheapest categorical security upgrade you can make. Fifty dollars, ten minutes per account, and the threat of remote credential theft on every account you migrate drops to roughly zero.
SMS, TOTP, and push are speed bumps. WebAuthn is a wall. Spend the fifty bucks.
By the end of this guide you will own two YubiKeys (primary + backup), have them registered on your password manager, primary email, GitHub, and any financial accounts that support it, have SMS removed as a fallback where the site allows, and have a recovery plan that survives losing the primary key without locking you out of anything.
§ 01
What a YubiKey actually is.
A YubiKey is a small USB (and usually NFC) device that runs cryptographic operations on a secure element. It speaks several protocols at once and most users never touch more than one of them:
- FIDO2 / WebAuthn, the modern one. Origin-bound public-key authentication. This is the one that kills phishing.
- U2F, the FIDO1 predecessor. Still works on legacy sites; the YubiKey supports both transparently.
- OATH-TOTP, stores up to 32 TOTP secrets (the 6-digit codes from Authy/Google Authenticator). Convenient; not phishing-resistant.
- OpenPGP, three slots (sign / encrypt / authenticate). Useful for git commit signing and SSH.
- PIV (smartcard), enterprise certificate auth. Skip unless your employer requires it.
- Yubico OTP / Static Password / HMAC-SHA1, legacy. Don't bother.
§ 02
Why WebAuthn is qualitatively different.
Not all second factors are equal. Most of them are speed bumps that raise the cost of an attack by a small constant factor. WebAuthn raises it by a category.
| Factor | Phishable? | SIM-swap exposed? | Origin-bound? | Honest verdict |
|---|---|---|---|---|
| SMS code | Yes, type it into the fake site | Yes, the canonical SIM-swap target | No | Worse than no 2FA in some ways (false sense of security) |
| TOTP app (Authy, Google Auth, 2FAS) | Yes, same problem as SMS, retyped on fake site | No | No | Fine for most threat models, but not phishing-resistant |
| Push prompt (Duo, Microsoft) | Yes, push-fatigue attacks, see Uber 2022 | No | No (until number-matching) | Better than TOTP, still social-engineerable |
| WebAuthn / FIDO2 (YubiKey, passkey) | No, the browser tells the key the origin, signature is over that origin | No | Yes, cryptographically | Different category of defence |
§ 03
Buy two. Always two.
The single biggest mistake people make with hardware keys is buying one. The day you lose it, and you will eventually lose it, every account you've migrated becomes a recovery nightmare. Two keys is not paranoia; it is the price of admission.
YubiKey 5C NFC
Daily driver · USB-C + NFC · ~$55
The default recommendation for almost everyone in 2026. USB-C plugs into modern laptops; NFC taps the back of any modern phone. Full protocol set (FIDO2, U2F, OATH, OpenPGP, PIV).
YubiKey 5 NFC
USB-A + NFC · ~$50
Same protocols as the 5C NFC, with a USB-A connector instead of USB-C. Buy this if your daily-driver laptop is still USB-A, or as a backup that lives in your safe and plugs into older machines.
YubiKey 5Ci
Lightning + USB-C · ~$75
Only buy this if you carry a pre-USB-C iPhone (iPhone 14 or earlier). For iPhone 15+ and Android, the 5C NFC over the NFC reader is the better answer.
Security Key C NFC by Yubico
FIDO2/U2F only · ~$29
Cheaper. Speaks FIDO2 and U2F only, no OATH-TOTP, no PGP, no PIV. Fine if you'll only use WebAuthn. Not a full substitute for a YubiKey 5.
§ 04
First-time setup: PINs and policies.
Out of the box, a YubiKey has no FIDO2 PIN. Anyone who physically holds it can tap it to authenticate. Set a PIN on both keys before you enrol either of them anywhere.
- STEP 01: Install the Yubico Authenticator app. Get it from yubico.com/products/yubico-authenticator/ (Mac, Windows, Linux, iOS, Android). This is the modern config tool; ignore the older "YubiKey Manager" unless you need PIV/PGP setup.
- STEP 02: Set a FIDO2 PIN on each key. Open Yubico Authenticator → plug or NFC-tap the key → settings (gear icon) → FIDO2 → Set PIN. Pick something you can remember and type one-handed, 8+ characters. The key locks after 8 wrong attempts and then requires a full reset (which wipes credentials). This is the point: keep the PIN somewhere you can actually retrieve it.
- STEP 03: Repeat for the second key. Both keys get PINs. Same PIN on both is fine; they represent the same person. The point of two keys is redundancy against loss, not against compromise of one PIN.
- STEP 04: Optionally, set an OATH password. Only do this if you'll use the YubiKey as a TOTP store (§08). It locks the TOTP secrets behind a password so a picked-up key doesn't immediately yield codes. Skip if you'll keep TOTP on your phone.
§ 05
The enrolment order that matters.
Do these in order. Each layer protects the one below it, so getting the order wrong leaves a gap an attacker can walk through.
§ CHECKLIST, Enrolment priority (top of list = do first)
§ 06
The recovery plan, pick one, commit to it.
A lost YubiKey is not the failure case. A lost YubiKey without a recovery plan is the failure case. Pick one of the three honest options before you enrol your first account.
| Plan | How it works | Tradeoff |
|---|---|---|
| Two keys (recommended) | Primary on your keyring, backup in a fireproof safe or with a trusted family member. Both registered on every account. | Costs $100. Survives loss, theft, fire (if safe is rated). The right answer for most people. |
| One key + printed recovery codes | Print the per-account recovery codes when each site offers them. Seal in an envelope, store with passport. | Cheaper. Recovery is account-by-account and tedious. Codes age out on some providers. |
| One key + recovery email on a separate account | Recovery flows fall back to a clean email account that itself has hardware MFA. | Works for sites without recovery codes. Adds a dependency on a second account staying healthy. |
§ 07
What daily use actually feels like.
The friction is smaller than the security model suggests. On a modern OS, logging in with WebAuthn takes one tap.
macOS (Safari, Chrome, Firefox):
1. Site prompts for security key.
2. Touch ID dialog appears (or browser asks for the key).
3. Plug YubiKey into USB-C, tap the gold contact.
4. You're in.

iOS / iPadOS:
1. Site prompts for security key.
2. iOS shows "Hold YubiKey near top of phone."
3. Tap the key to the back of the phone (NFC).
4. You're in.

Windows 10/11 (Edge, Chrome, Firefox):
1. Windows Hello prompt appears.
2. Choose "Security key" → enter PIN → tap.
3. You're in.

Linux (Chrome, Firefox, kernel >= 5.4):
1. No driver install needed, FIDO2 is in-kernel.
2. Plug key, tap, done.
3. (For sudo via pam_u2f, see Yubico's pam-u2f guide.)
§ 08
The other protocols, what's worth your time.
YubiKey 5 series speaks more than just WebAuthn. Be opinionated about which extras are worth setting up.
- OpenPGP, yes, if you sign git commits or use SSH keys. Generate a signing key on the YubiKey, configure it with `gpg --card-edit`, point `git` at it, and `git push` requires a tap. Same for SSH via `gpg-agent --enable-ssh-support`. The SSH private key never lives on disk.
- OATH-TOTP, use it as a backup TOTP vault, not a security upgrade. Storing TOTP secrets on the key keeps them off your phone, which is nice if your phone gets stolen, but does not add phishing resistance. Don't confuse "on a YubiKey" with "phishing-resistant".
- PIV, only if your employer asks. Enterprise smartcard cert auth. Useful in regulated environments; unnecessary at home.
- Static Password / Yubico OTP / HMAC-SHA1, skip. Legacy protocols from before FIDO. They have niche uses (LUKS unlock, KeePassXC challenge-response) but none that justify the configuration time for a first-time user.
§ 09
Verification: confirm the keys really work.
§ CHECKLIST, End-of-setup verification
§ 10
What the key does NOT do.
✓ PROTECTS AGAINST
- Credential phishing on any account you've migrated, the signature is bound to the real origin, period.
- Password reuse blast radius, a leaked password is now insufficient to log in anywhere protected.
- SIM-swap takeover of accounts where SMS has been removed as a factor.
- Push-prompt fatigue attacks, there is no prompt, only a hardware tap you initiate.
- Most credential-stuffing automation, bots can't tap a physical button.
✗ DOES NOT
- Protect accounts you haven't enrolled, and most US banks still don't support WebAuthn at all.
- Protect post-auth session cookies, if malware steals a logged-in session, the key isn't consulted.
- Defend against malware that proxies the auth flow in real time (rare, sophisticated, expensive, not impossible).
- Stop physical theft of an unlocked key with no PIN set. Set the PIN.
- Save you if the recovery path is still email + SMS, fix the recovery path or the front door doesn't matter.
- Replace a password manager, you still need unique passwords for sites without WebAuthn.
§ 11
Going further.
Next in track: Passkeys & The End of the Phishable Login. Same cryptography, different storage. When to use which.
Complements this: Self-OSINT. Find out which of your accounts an attacker would target first.