Hardware Keys (2FA)

Phishing‑resistant second factor for critical accounts.

When to use

• Critical mailboxes, password managers, and cloud consoles.
• Any identity you cannot afford to lose.

When not to use

• As a single copy without backups and recovery paths.

What to look for

• FIDO2/WebAuthn support; passkey compatibility.
• Multiple form factors (USB‑A/C, NFC) for redundancy.
• Secure firmware lifecycle and tamper resistance.

OPSEC tips

• Have at least two keys per identity; store backup separately.
• Disable weaker factors once keys are enrolled.

Common mistakes

• Enrolling keys then leaving SMS fallback enabled.
• Using one key across mixed identities without labeling.

Setup (generic)

1. Enroll two keys per account (primary + backup).
2. Record recovery codes into secure storage.
3. Remove SMS/email fallback where possible.

Related: Password Manager, Encrypted Email