Hardware Security Keys Are the Best MFA Option — So Why Does Almost Nobody Use Them?


If you follow cybersecurity advice, you’ve heard it: enable multi-factor authentication on everything. Most security-conscious people do, typically using an authenticator app or SMS codes. What fewer people know is that there’s a significantly stronger option: hardware security keys based on the FIDO2/WebAuthn standard.

According to Yubico’s market research, fewer than 5% of MFA-enabled accounts use hardware keys. The best option is the least popular. Here’s why.

What Makes Hardware Keys Different

When you register a hardware key with a service, the key generates a unique cryptographic key pair. The private key never leaves the device. Authentication involves a cryptographic challenge-response bound to the specific domain — if a phishing site at “g00gle-login.com” tries to impersonate Google, the key won’t respond because the domain doesn’t match.

Compare this to alternatives:

SMS codes can be intercepted via SIM swapping or SS7 vulnerabilities, and entered on phishing sites just as easily as passwords.

Authenticator app codes (TOTP) are better, but vulnerable to real-time phishing proxies. An attacker can relay the code to the real service before the 30-second window expires.

Push-based authentication is vulnerable to MFA fatigue attacks, where attackers trigger repeated notifications until the user approves one. This technique was used in the 2022 Uber and Cisco breaches.

Hardware keys resist all of these attacks. In Google’s internal deployment — mandatory since 2017 — there have been zero successful phishing attacks against employee accounts. The FIDO Alliance designed the protocol specifically to address phishing and replay attacks.
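To make the domain binding concrete, here is an added example (my own Python, not code from the article, the FIDO Alliance, or any authenticator vendor) of the checks a relying party performs on a WebAuthn assertion, with constructed sample data; the rpId, the allowed origins, and the simplified suffix rule are assumptions, and the final signature check is left as a comment.

```python
"""Relying-party side of the domain binding described above (added example)."""
import base64
import hashlib
import json
import secrets

RP_ID = "example.com"  # assumed relying-party ID; not from the article
ALLOWED_ORIGINS = {"https://example.com", "https://login.example.com"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def rp_id_valid_for_origin(rp_id: str, origin: str) -> bool:
    """Browser-side rule (simplified, no public-suffix list): the rpId must equal
    the origin's host or be a parent domain of it, else the key is never asked."""
    host = origin.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
    return host == rp_id or host.endswith("." + rp_id)

def build_assertion(origin: str, challenge: bytes, rp_id: str) -> dict:
    """Constructed stand-in for what browser + authenticator return (no signature)."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": origin}).encode()
    # authenticatorData = SHA-256(rpId) || flags (UP|UV) || 4-byte sign counter
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([0x05, 0, 0, 0, 0])
    return {"clientDataJSON": client_data, "authenticatorData": auth_data}

def verify_assertion(assertion: dict, expected_challenge: bytes) -> tuple:
    """Checks the relying party must make before even looking at the signature."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not secrets.compare_digest(cd.get("challenge", ""), b64url(expected_challenge)):
        return False, "challenge mismatch: stale or replayed response"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin %r is not ours: phishing or relay" % cd.get("origin")
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch: credential scoped to another site"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    # Finally verify the signature over authenticatorData || SHA-256(clientDataJSON)
    # with the public key stored at registration (omitted: needs an ECDSA library).
    return True, "ok"

if __name__ == "__main__":
    challenge = secrets.token_bytes(32)
    print(verify_assertion(build_assertion("https://example.com", challenge, RP_ID), challenge))
    print(verify_assertion(build_assertion("https://g00gle-login.com", challenge, RP_ID), challenge))
```

The second call models a real-time relay proxy: even with a fresh challenge and the right rpId, the origin the browser recorded in clientDataJSON gives the lookalike site away, which is the check a TOTP code has no equivalent of.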

Why Adoption Stays Low

Cost. A YubiKey 5 NFC costs $70-90 AUD. Security guidance recommends two (primary plus backup). For an individual, $150 is reasonable. For 500 employees, that’s $75,000+ in hardware before enrollment and support overhead.

Convenience. A push notification is one tap. A hardware key requires a physical device, a compatible USB port, or NFC tap. If you left the key at home, you can’t log in. In consumer technology, minor inconveniences at scale kill adoption.

Lost key recovery. Losing a hardware key means needing a backup or separate recovery mechanism. For enterprises, this requires help desk processes that balance security with getting locked-out employees back to work quickly.

Spotty service support. Major platforms support hardware keys, but many industry-specific and smaller SaaS products don’t support FIDO2/WebAuthn at all.

Passkeys: The Potential Bridge

The most promising development isn’t hardware keys — it’s passkeys. Passkeys use the same FIDO2 protocol but store the private key in a platform authenticator (phone’s secure enclave, laptop’s TPM, or cloud keychain) rather than on a hardware device.

This preserves phishing resistance while eliminating cost and convenience barriers. No device to buy or carry. Authentication happens via biometrics on the device you already have. Apple, Google, and Microsoft have all deployed passkey support, and the FIDO Alliance reported passkey-enabled accounts exceeding 15 billion globally by late 2025.

The trade-off: passkeys stored in a cloud keychain are only as secure as that keychain. If someone compromises your iCloud account enough to access stored passkeys, they’ve bypassed authentication. Hardware keys don’t have this vulnerability — the private key literally cannot be extracted.

For most people, passkeys are good enough. For high-value targets — journalists, activists, administrators of critical systems — hardware keys remain the gold standard.

Practical Recommendations

For individuals: Enable passkeys wherever available. If you want the highest protection, buy two YubiKey 5 NFC devices, register both with critical accounts (email, banking, password manager), and store the backup securely.

For small businesses: Start with passkeys for your Google Workspace or Microsoft 365 accounts. Consider hardware keys for administrator accounts if you handle sensitive data.

For enterprises: Mandate hardware keys for privileged accounts and deploy passkeys for the broader workforce.

The gap between the best MFA and the most popular is closing. Passkeys may be what finally brings phishing-resistant authentication to the mainstream. But if your threat model includes targeted attacks, a $70 hardware key remains the most reliable protection available.