I’ve stopped typing passwords and started using the same login protection that Google trusts for its own staff. It’s a small hardware key that costs about as much as a decent lunch, and it’s changed how I think about account security entirely.
The device is called a YubiKey, a hardware security key. Plug it in, tap a button, and you’re logged in. It’s so safe that even if someone phishes my credentials, they can’t get in without the physical key in my hand.
Google’s 85,000 employees haven’t been phished since 2017
The same security standard is protecting one of the world’s largest tech companies
Credit: Tashreef Shareef / MakeUseOf
Back in 2017, Google made a bold decision. Instead of relying on passwords and authenticator apps, it required all 85,000 employees to use physical USB security keys for login. The result: not a single confirmed account takeover since then.
Think about that for a moment. Google is one of the most targeted companies in the world, and phishing is how most breaches happen. Attackers send convincing emails that look like password reset notices or billing alerts. You click the link, land on a page that looks exactly like the real login screen, and type in your credentials. The attacker now has your password—and probably your one-time code too if they’re quick enough.
Hardware security keys break this attack chain. Even if an attacker tricks an employee into entering their password on a fake site, they still can’t get in without the physical key. That’s the power of hardware-based authentication, and it’s why Google hasn’t had a single employee account compromised in years.
A YubiKey works using public key cryptography. When you register the key with a service like Google, it creates a unique cryptographic key pair. The private key stays locked inside the hardware and never leaves. During login, the key checks that you’re on the legitimate website before producing a cryptographic signature. Fake phishing sites can’t trigger this response because the cryptographic handshake fails: the key knows something is wrong even when you don’t. Stolen passwords become useless without the key in hand.
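To make that site check concrete, here is an added example (not from the original article, and not YubiKey or Google code): a simplified Node.js model of a FIDO2-style login in which the signed data includes the site's origin. The class and function names, the message layout and the example domains are assumptions chosen for illustration; real WebAuthn messages carry more fields.

```javascript
// Simplified model of an origin-bound FIDO2/WebAuthn login (added illustration).
// SecurityKey, verifyAssertion and the message layout are hypothetical, not a real API.
const { createHash, generateKeyPairSync, randomBytes, sign, verify } = require('node:crypto');
const sha256 = (data) => createHash('sha256').update(data).digest();

class SecurityKey {
  #credentials = new Map(); // rpId -> private key; never handed out
  register(rpId) {
    const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    this.#credentials.set(rpId, privateKey);
    return publicKey; // only the public half goes to the service
  }
  // `origin` is what the browser is really showing, not what the page claims.
  getAssertion(origin, challenge) {
    const rpId = new URL(origin).hostname;
    const privateKey = this.#credentials.get(rpId);
    if (!privateKey) return null; // no credential registered for this site
    const clientData = JSON.stringify({ type: 'webauthn.get', origin, challenge });
    const signedData = Buffer.concat([sha256(rpId), sha256(clientData)]);
    return { clientData, signature: sign('sha256', signedData, privateKey) };
  }
}

// Service-side check: type, challenge, origin and signature must all match.
function verifyAssertion(assertion, publicKey, expectedOrigin, expectedChallenge) {
  if (!assertion) return false;
  const { type, origin, challenge } = JSON.parse(assertion.clientData);
  if (type !== 'webauthn.get' || origin !== expectedOrigin) return false;
  if (challenge !== expectedChallenge) return false;
  const rpIdHash = sha256(new URL(expectedOrigin).hostname);
  const signedData = Buffer.concat([rpIdHash, sha256(assertion.clientData)]);
  return verify('sha256', signedData, publicKey, assertion.signature);
}

function demo() {
  const realOrigin = 'https://accounts.example.com'; // constructed sample values
  const fakeOrigin = 'https://accounts.example-login.test';
  const key = new SecurityKey();
  const publicKey = key.register(new URL(realOrigin).hostname);
  const challenge = randomBytes(32).toString('hex');
  const check = (a) => verifyAssertion(a, publicKey, realOrigin, challenge);
  const genuine = check(key.getAssertion(realOrigin, challenge));
  // Lookalike page relays the real challenge, but the browser reports the fake origin.
  const noCredential = key.getAssertion(fakeOrigin, challenge) === null;
  // Even with a credential for the lookalike domain, the real service rejects the result.
  key.register(new URL(fakeOrigin).hostname);
  const relayed = check(key.getAssertion(fakeOrigin, challenge));
  return { genuine, noCredential, relayed };
}
console.log(demo());
```

The password never appears in this exchange, which is why a captured password alone gives the lookalike site nothing the real service will accept.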
Why I trust a $25 key over passwords and authenticator apps
Physical possession beats digital codes
I initially switched to passkeys, thinking I was done with password headaches. But device-based passkeys on my Windows laptop and Android phone came with their own problems. Each device stored its own passkeys, so I had to set up the same accounts multiple times. Worse, anyone who knew my device PIN could access everything.
A hardware security key solved both issues. My YubiKey stores all my passkeys on its chip with its own separate PIN. I can plug it into any computer, whether Windows, Mac, Linux, or even a library PC, and sign in to my accounts without ecosystem lock-in or worrying about someone shoulder-surfing my phone PIN.
But why a security key when an authenticator app offers the same convenience? With SMS-based authentication, a sophisticated attacker can intercept your one-time codes through SIM swapping or phishing. Authenticator apps are more secure but still vulnerable to targeted attacks. A Google study found that SMS codes blocked only 76% of targeted attacks and authenticator apps blocked 90%, while security keys had a 100% success rate. Zero users with security keys fell victim to targeted phishing. Since my YubiKey lives on my keychain, losing it is about as likely as misplacing my house keys.
Private keys stored on a YubiKey cannot be copied or exported. Even if malware completely compromises your computer, attackers can’t steal the keys—they can only misuse them while you’re actively logged in. The moment you unplug the key, access stops.
A hardware key is the simplest security upgrade you can make
Five minutes of setup for unmatched protection
Setting up a YubiKey is no different than setting up a device-based passkey. You can start with your Google account since it has excellent security key support. Head to Google Account Security, enable two-step verification if you haven’t already, and select Add a security key. When prompted, choose Use another device and insert your YubiKey into a USB port. Google automatically detects it and walks you through a short registration flow. Touch the metal contact when prompted, and you’re done.
After registering with Google, I generated backup codes and stored them somewhere safe. This is important: if you lose your key and don’t have backup codes, you could lock yourself out of your accounts. I also bought a second YubiKey as a backup, registered it to the same accounts, and keep it at home.
The same process works for other services. Microsoft, Apple, Amazon, PayPal, GitHub, and dozens more support hardware security keys. The FIDO Alliance maintains a directory of compatible services if you want to check before buying. Most major platforms I use daily now work with my YubiKey, including my password manager and cloud storage.
For managing everything, I installed the YubiKey Authenticator app. It lets me set a PIN for the key itself—so even if someone steals the physical device, they can’t use it without the PIN. The app also handles one-time password entries for services that don’t support full passkey authentication yet. It’s essentially a more secure version of Google Authenticator that stores your codes on the hardware key instead of your phone.
These hardware keys are also more durable than they appear. My YubiKey has survived drops on concrete, getting sat on, and once even went through a washing machine cycle. It’s built from glass-reinforced plastic with no battery or moving parts, and it’s IP68-rated for dust and water resistance. The key lives on my keychain and has held up to daily abuse without missing a beat. Unlike software solutions that can be bypassed, a hardware key’s security is baked into the physical chip itself, so there’s no software layer an attacker can exploit.
A hardware key is the best way to protect your accounts
A YubiKey works like a physical key to your locker—except it’s nearly impossible to crack or clone. Yes, you could lose it just like any key, but that’s what backup codes and a spare key are for.
For $25-50, depending on the model, you get a one-time purchase that works across all your devices and accounts. No subscriptions, no per-device setup beyond plugging in and authenticating. If it’s good enough for Google’s 85,000 employees, it’s good enough for me.

