I stopped typing passwords thanks to this tiny gadget

Passwords are a pain to type and remember. Even if you create a strong password, you’ll likely reuse it for all your critical accounts. Even worse, passwords can be stolen through phishing sites or data breaches.

While password managers can help, I wanted something more secure. So I switched to passkeys, a phishing-resistant password alternative that uses cryptographic keys instead of memorized strings. All I needed was my device PIN to sign in—my device handled everything else. Problem solved, right?

However, after using device-based passkeys on my Windows laptop and Android phone, the limitations were obvious (more on this later). Ironically, the solution was going back to hardware security keys—the technology that pioneered passwordless authentication long before Apple, Google, and Microsoft jumped on board. So, I took the plunge and invested in an affordable YubiKey Security Key NFC device, and I haven’t typed a password since.

Why I chose a hardware security key

Built-in passkeys in computers and smartphones are not flexible enough

[Image: Windows 11 Settings app showing the passkeys option. Credit: Tashreef Shareef / MakeUseOf]

I didn’t buy a YubiKey right away. My Windows laptop and Android phone already had built-in passkey support, so I figured that was good enough. However, when I ditched conventional passwords for passkeys on my Windows and Android devices, I realized that the new login system had two quirks.

First, passkeys are bound to a device and its ecosystem. This meant I needed to create a separate passkey on my Windows laptop and on my Android phone for every account I intended to sign in to with a passkey. It was still a passwordless sign-in, but it wasn’t as seamless as I had hoped.

The second quirk, and the bigger one, is that device passkeys are unlocked by your device’s biometrics or lock-screen PIN. Simply put, if someone knew my Windows Hello PIN and had access to my laptop, they could potentially sign in to every passkey-protected account I have. That is a real possibility if someone else regularly uses your computer while you’re away.

[Image: Yubico security key connected to a laptop. Credit: Tashreef Shareef / MakeUseOf]

A hardware security key like the YubiKey solves both problems. It uses its own PIN, is device-agnostic, and stores passkeys independently. I can sign in to the same accounts on any device without relying on Windows, Android, or any big tech to safeguard my private keys.

Yes, the YubiKey also requires a PIN, but the key distinction is physical separation. My Windows PIN gets typed constantly throughout the day, easily observed by anyone nearby. And once someone knows it, they have access to my laptop and every passkey stored there.

The YubiKey PIN, however, is useless without physically possessing the key itself. Even if both PINs were compromised, an attacker would still need to steal the hardware from my keychain, which is a very unlikely situation.

How a YubiKey works

It stores passkeys on the key itself, not on your device

[Image: Person holding a YubiKey in front of a Windows 11 desktop monitor. Credit: Tashreef Shareef / MakeUseOf]

A YubiKey is a FIDO2-certified hardware authentication device. Unlike device-based passkeys that live in your Windows TPM chip or iPhone’s secure enclave, a YubiKey stores the passkeys directly on the physical key itself. When you create a passkey for a website, that cryptographic key gets saved to the YubiKey’s secure storage, not your computer.

The current YubiKey Security Key NFC (the cheaper version I opted for), running firmware version 5.7.4, can store up to 100 passkeys. That might sound limiting, but most people don’t need more than that for their essential accounts like email, banking, and work tools.

When you sign in, the website talks to the YubiKey through the FIDO2 protocol. The key checks that the request comes from the site the passkey was registered for, confirms it’s you using the PIN you set on the key itself (or a tap, when used with an NFC-enabled phone), and then returns the cryptographic signature needed to log you in. Your computer is just the messenger in this exchange.

This makes YubiKeys the most secure form of passkey storage because the private keys never leave the device. Even if your computer gets infected with malware, the attacker can’t extract your passkeys because they are not stored on the computer at all.

Setting up a YubiKey

Getting started takes just a few minutes

Setting up a YubiKey is easy. I started with my Google account because it has excellent passkey support. Head to Google account security settings, enable two-step verification if you haven’t already, and then select the option to add a security key.

When prompted, click Use another device, then insert the YubiKey. Google automatically detects it and walks you through the registration process. The key has a small metal contact that you touch when prompted, which confirms you’re physically present and not a remote attacker.

After registering the YubiKey, generate backup codes for your Google Account and save them somewhere safe. This is critical: if you lose the key, you’ll need the backup codes to recover your account. If you can, also register a second YubiKey as a backup and keep it in a safe place at home.

[Image: FIDO directory webpage on Windows 11. Credit: Tashreef Shareef / MakeUseOf]

You can register the YubiKey-based sign-in on any service that supports passkeys or security keys. Apart from Google, tech giants like Apple, Microsoft, Amazon, Meta, LinkedIn, Adobe, GitHub, PayPal, and Cloudflare support passwordless sign-in. You can see the complete list of supported services in the FIDO directory for passkeys.

To manage passkeys, you can use the Yubico Authenticator app on your PC and smartphone. Once installed, unlock the app with the key’s PIN (or by tapping the key over NFC) to change settings and view the saved passkeys.

[Image: Yubico Authenticator app open on an HP laptop. Credit: Tashreef Shareef / MakeUseOf]

The authenticator app lists all the passkeys stored on your YubiKey and can also generate one-time password codes. You add services by scanning their QR codes, which turns your YubiKey into a physical authenticator that replaces apps like Google Authenticator.

Remember to set a PIN on your YubiKey. This adds an extra security layer: even if someone steals the key, they can’t use it without knowing the PIN. The Yubico Authenticator app guides you through this during initial setup.

Passwordless sign-ins are the future, and a hardware key makes it better

For anyone frustrated with passwords or concerned about security, a hardware key like the YubiKey is worth considering. It costs around $25-$50, depending on the model, but it’s a one-time purchase (the key has a crush-resistant shell and an IP68 rating) that works across all your devices and accounts.

With a YubiKey, you are not locked into any ecosystem, and your most sensitive accounts stay protected even if your devices get compromised. A side-channel vulnerability was discovered in 2024, but it does not affect YubiKey devices running firmware version 5.7 and above, so anything you buy today is as safe as it can get.
