Enterprises are moving to passkeys to become phishing resistant, while small businesses—the backbone of the economy—are being left behind with SMS-based MFA that attackers can easily bypass. This creates a “soft target” environment where hackers ignore the “fortress” (Enterprise) and feast on the “unprotected” (SMBs).

Within the SMB world, adoption of even simple MFA drops off a cliff. Only 27–34% of small businesses enforce MFA at all, and less than 5% of SMB-facing internal tools offer passkeys as an option.

There are several reasons for this. For one, SMBs typically don’t have staff who understand or can handle the task of being an Identity and Access Management (IAM) administrator. Identity can be complex, requiring knowledge of OIDC, SAML2, SCIM, and more. Many small organizations don’t bother with IAM—and thus passkeys—because they simply don’t have the technical expertise.

One of the biggest challenges, and where I think many SaaS providers fail their customers, is the “SSO tax.” Even if a small organization decides to implement IAM, many tools will charge an extra “fee” simply for the right to use an SSO provider. I’ve heard many excuses for this. For example: “As a SaaS provider, we now have to keep up with the codebase for OIDC or SAML2.”

This strikes me as ridiculous. That statement implies that once an OIDC or SAML2 connector is built into a SaaS service, there is a massive, ongoing development effort required to maintain it. This is simply not true. I would argue that “rolling your own” auth is not only more complex but also creates more risk for the SaaS provider.

The bottom line is that SaaS providers know “enterprise” clients have deep pockets and will pay enterprise rates. What they really mean is that because authentication methods like OIDC and SAML2 are considered “enterprise-level,” they feel justified in charging enterprise-level rates. Translation: the enterprise will pay more, so we charge more. There is no other reason.

To get around the “SSO tax,” some smaller identity players have decided to bypass it using automatic “form filling.” In this scenario, a legacy username and password form is presented to the user, and the credentials are automatically entered for them.

In most cases, this breaks the “Zero Trust” cycle. Many Identity Providers simply store the username and password within a database on their backend. This means that if they are compromised, those credentials could be exposed. Compare that to public key cryptography: even if a public key is exposed, there is no harm done.

A provider may tell you that they store usernames and passwords within “encrypted vaults.” That might be true, but encrypted or not, centralizing all credentials into one online “safe” creates a single, catastrophic point of failure. The LastPass hack, for example, led to millions of customer vaults being stolen. Attackers then searched the vaults for high-value targets by examining the URLs stored within. How did they get access to the URLs if the vaults were encrypted? While the usernames and passwords were encrypted, the URLs were not. Hosting millions of “vaults” made LastPass a massive target.

It is possible to create “encrypted local vault” systems that allow for automatic form filling and interact with your IdP, but these get complex and can still lead to other issues—such as the KeePass “memory dump” vulnerability (CVE-2023-32784).

On top of all this, with these systems, you are still using passwords!

Which leads us right back to public key cryptography (i.e., passkeys and SSH keys). While no system is 100% perfect, public key cryptography mitigates many of these vulnerabilities.

This is what Key9 is 100% built on. We’re trying to not only make the user experience seamless but create a true Zero Trust solution.

As I’ve seen in my decades-long experience in computer and network security, while we would like the road to lead toward more secure solutions, laziness and greed often keep us from getting there.

We hope that Key9 can be a small stepping stone in changing that.

DigitalOcean resources are remarkably stable. Throughout our many years of using their platform, we have never encountered stability issues regarding connectivity, uptime, or bandwidth. Beyond technical stability, their pricing is also stable, transparent, and easy to understand, which is a significant benefit for both developers and users.

My main gripe with DigitalOcean had been the absence of Single Sign-On (SSO) capabilities. Because DigitalOcean lacked support for SAML2 or OpenID Connect (OIDC), every one of our developers was forced to maintain their own separate account.

The lack of SSO leads to user “sprawl,” which significantly complicates the platform’s adoption for enterprise customers. In previous roles, I’ve encountered environments where applications absolutely had to support SSO; if they didn’t, they were not permitted within the system.

On September 2nd, 2025, DigitalOcean announced SSO functionality!

This update allows teams to integrate with OIDC-compatible identity providers (IdPs), such as Key9, to manage user authentication for the DigitalOcean control panel. This integration is a significant step for organizations, as it enhances security protocols and streamlines user access by centralizing credential management through a trusted, single service.

Key9 enhances DigitalOcean’s appeal by offering a completely passwordless platform. Since all authentication is managed through Passkeys, developers can focus on writing code instead of struggling with usernames, passwords, and MFA.

It’s easy to get started using DigitalOcean with Key9. You can find DigitalOcean support directly in the Key9 “Market Place.” For detailed information, please refer to the documentation at:

https://docs.k9.io/key9-identity/web/marketplace/digitalocean

https://docs.digitalocean.com/platform/teams/how-to/configure-sso/

At Key9, we have a concept called "provisioned users." This is an innovative approach to setting up new users in a highly secure manner. To illustrate, let’s consider an example company that uses Key9 as its identity provider (iDp) and YubiKeys to secure its network and applications.

As a Key9 administrator, you can have a Yubikey shipped directly to the user’s location and send a registration “magic link.” While this process works, it requires users to undertake quite a bit of effort to set up their own Yubikey, which can be confusing, especially for new users.

Ultimately, passwordless technology should simplify the experience, not complicate it further.

At Key9, an alternative method is available. When the administrator sets up a new user, they can enable the “Provisioning user?” option.

This informs Key9 that you wish to bypass the standard verification processes. While this may initially seem less secure, it actually isn't.

When this option is enabled, the administrator can set up the user as usual by assigning privileges and groups. However, the administrator also has the option to pre-configure the Yubikey.

For instance, after entering all the user’s information, the administrator can insert a new Yubikey into their workstation. At that point, the administrator can assign a PIN to the Yubikey and generate a Passkey for the user. Don’t worry; later, we’ll discuss how the PIN plays into the secure transfer.

Key9 will manage the public key as usual, while the YubiKey will securely store the private key. The design of YubiKeys ensures that even administrators cannot access the private key, providing an additional layer of protection.

After the user has been created and assigned a pre-generated Passkey stored on the Yubikey, the physical key must be transferred to the user.

In certain situations, handing over a Yubikey to a user can be as simple as meeting them in person and providing the PIN. This process is reminiscent of the old "key signing parties." The idea is that when you are face-to-face with someone, you can be confident that the Yubikey has been received by the right person.

In other situations, this may not hold true. This is where we can use the PIN code to help facilitate the transfer.

Imagine a situation where a user is in a different city or country. In this case, the administrator would mail the physical key to the user, along with a note advising them to contact the administrator upon receiving the key. Importantly, the administrator would not include the PIN for that key in the package. Instead, the PIN code would be communicated through a separate, secure method (out-of-bands).

The idea is that if the key is intercepted by someone other than the intended user, the PIN serves as a safeguard to prevent unauthorized access. By default, YubiKeys allow up to eight attempts to enter the correct PIN. If the correct PIN is not entered after these attempts, the FIDO2 applications will block further access, and the key must be reset.

Additionally, after every third failed attempt in a row, the YubiKey must be physically removed and reinserted into the device. This design helps prevent brute-force attacks on the physical key.

Once the user successfully receives their Yubikey, they should notify the administrator. The administrator will then use a pre-established communication method to relay the PIN code to the Yubikey.

For instance, if the user calls the administrator to request the Yubikey PIN, the administrator cannot provide it during that call. Instead, they must hang up and call back using a predetermined phone number to transfer the PIN securely. This prevents social engineering to gaining access to the PIN number.

This is a simple example. An administrator can share the PIN with the user in several ways. For instance, they could use encrypted email or a predetermined instant messaging service like Signal.

The final issue to address is the possibility that the administrator may know all the YubiKey PINs. Fortunately, this can be easily resolved. Users can change their PINs using the built-in security key tools in Windows 11 or the security key management tools available in web browsers like Google Chrome. This means users can update their PINs without installing any third-party software.

In this example, we’re using YubiKeys as a reference, but any FIDO2 hardware token will work just as well. You can envision this as an “onboarding” process for company laptops. The main idea is to pre-register a Passkey for each computer before shipping it out.

I’ve made a short video to show you how the process works. You can watch it on Youtube below:

Passwordless technology is essential; it not only streamlines the onboarding process for new users but also significantly strengthens security.

I have just a few criteria defining a good security key.

First and foremost, the key must support Passkeys. I prefer it to have a reasonable number of slots to store Passkeys. In my opinion, security keys that can only store 10 Passkeys are nearly useless.

While not a “hard” requirement, it would be nice if the security key supported SSH. In particular, the ed25519-sk cryptographic algorithm. At the very least, it should support ecdsa-sk. Both ed25519-sk and ecdsa-sk are considered secure, but ed25519-sk is more resistant to potential attacks and is considered a more robust cryptographic algorithm. It’s also faster, but not so much that you would ever notice.

I see many nerds, like myself, screaming that ed25519-sk is the best choice when using SSH. That is true, but remember that ecdsa-sk is far superior to passwords.

The security key needs to be durable. Several of my security keys have passed through the washer and dryer multiple times, and flimsy security enclosures can and will be broken. These devices are meant to be on your key chain or pocket. If they can’t hold up to different levels of torture, then they aren’t for me. On the other hand, cheap keys that can’t hold up to physical pressure might be acceptable as a “backup” in a safe or safety deposit box.

Price typically isn’t an issue for personal use. However, if you are an organization planning to roll out Passkeys and need many security keys, price becomes a significant concern. With this in mind, I am testing the most affordable keys I can find.

Finally, I prefer not to install third-party security key software. Their software is usually unnecessary; many people are unaware of this.

For example, when you purchase a new security key, it typically does not have a PIN set. Many security key manufacturers recommend installing their software to set up the PIN. However, this is not necessary. When you register your first Passkey, most web browsers will recognize that you don’t have a PIN and will allow you to set one before registering your Passkey.

Not having to install third-party software (bloatware) allows you to set up Passkeys more quickly.

Sometimes, you may want to review what is stored on your security key or delete some old entries to free up Passkey slots.

Few people seem aware that web browsers like Google Chrome and Chromium provide options for managing “security keys.” You can find this feature in Chrome/Chromium by navigating to Privacy and security -> Security -> Manage security keys.

Once there, you can create or change your PIN and manage all your sign-in data. For example, you can remove old Passkeys and SSH keys from your hardware security token. If your key supports biometrics, you can manage fingerprints as well. Additionally, you can reset your security key, which will erase all data on the device.

We will see browsers and operating systems directly supporting security keys in the future. This is because FIDO2 security keys generally function similarly across different platforms, except when they don’t. Then you'll need to use the software provided by the security key manufacturers. The usability and quality of this third-party software can vary significantly. For instance, some security key manufacturers' software might only be compatible with Windows 11. If you have one of these keys, you'll need access to a Windows 11 machine to manage it, although it will likely still function on Linux and macOS.

We are getting closer to managing our FIDO2 keys directly within the operating system or browser. I, for one, will look forward to that day.

With those conditions and rules in place, let's get started!

Token2 T2F2-Dual PIN+Octo FIDO2.1 Security Key - Nonbranded

Brand: Token2

Link: https://token2.com/shop/product/token2-t2f2-dual-pin-octo-fido2-1-security-key-nonbranded

Price: €25.00 ($28.43 USD on 2025/04/21)

Storage: 300

Support: FIDO U2F + FIDO2.1 WebAuthn + HOTP (HID) + TOTP

SSH Support: ed25519-sk and ecsda-sk

Software/Manual: https://token2.com/shop/product/token2-t2f2-dual-pin-octo-fido2-1-security-key-nonbranded

Pros: NFC, SSH support, great design. No third-party software needed (worked fine in Google Chrome). Great price. Great functionality.

Cons: Worried about the keyring hole. Shipping costs to the United States.

Linux “dmesg”:

[1187114.633013] usb 1-6: New USB device found, idVendor=349e, idProduct=0022, bcdDevice= 1.00

[1187114.633038] usb 1-6: New USB device strings: Mfr=1, Product=2, SerialNumber=0

[1187114.633046] usb 1-6: Product: FIDO2 Security Key

[1187114.633052] usb 1-6: Manufacturer: TOKEN2

[1187114.639474] input: TOKEN2 FIDO2 Security Key as /devices/pci0000:00/0000:00:14.0/usb1/1-6/1-6:1.0/0003:349E:0022.000A/input/input23

[1187114.723975] hid-generic 0003:349E:0022.000A: input,hidraw1: USB HID v1.10 Keyboard [TOKEN2 FIDO2 Security Key] on usb-0000:00:14.0-6/input0

[1187114.726111] hid-generic 0003:349E:0022.000B: hiddev0,hidraw2: USB HID v1.10 Device [TOKEN2 FIDO2 Security Key] on usb-0000:00:14.0-6/input1

Linux “lsusb”:

Bus 001 Device 008: ID 349e:0022 TOKEN2 FIDO2 Security Key

Experience:

Shortly after originally posting these reviews, I received a message from “Imightbenormal” on Reddit asking, “Have you looked at token2.com?”

I hadn't, and I'm thrilled he reached out to me. In almost every category, this key hits the mark. It supports everything I need, the price is reasonable, and it is well-built.

One aspect I appreciated was Token2's transparency regarding the specifications of their keys. When visiting their website to purchase a key, all the information is clearly presented and easy to find. Unlike many manufacturers who bury specifications in lengthy PDFs that require extensive searching, Token2 displays the key specifications right on the same page as the “Add to Basket” button. I appreciated this very much.

This design features both USB-C and USB-A ports. It is similar to the Thetis Pro FIDO2 Security key, but offers a superior, more compact design.

The overall design and feel of the device are solid. While it doesn't feel quite as robust as the YubiKey 5C, it is still quite close. I do have some concerns about the hole for the key ring. On their website, they clearly state that you should use keyrings that are 2mm or thinner. The device is designed to “tolerate” a force of 80-100 Newtons, which translates to about 18-22 pounds for those in the United States. For forces exceeding this range, they recommend using a silicone case, which can be purchased for a few extra dollars.

This key has a good chance of passing the “clothes washer” test. The casing feels solid, and their site indicates that the PCB (Printed Circuit Board) is coated to protect against water ingress.

You may have noticed that this key is "unbranded," meaning one side is blank. This blank side can be laser-engraved with a logo of your choice at no extra cost. To do this, simply provide the Token2 team with your logo in SVG format, ensuring it is in a 1:1 ratio.

How cool is that!

One impressive feature of this key is that it requires users to set a PIN of at least 8 characters right from the start. Additionally, it prevents users from choosing easily guessable PINs, such as sequences like "12345678." I have not encountered any other security key vendor that offers this level of protection.

This is a crucial security feature that businesses and organizations should prioritize.

The key can be easily set up without the need for third-party software installation. I successfully managed the security settings from within Google Chrome. As mentioned earlier, the key prevents users from entering a PIN that is easily guessable. I tested this feature by attempting to use a short PIN. As expected, I was informed that the PIN was too short. This is not surprising, as other keys have similar limitations. I then tried entering the PIN “12345678,” but the Chrome security manager returned the error, “PIN operation failed with code 55.”

It prevented me from using a PIN that was easy to guess.

As mentioned, I haven't observed this feature being enforced on any other key out of the box. Additional information about PIN complexity can be found at https://www.token2.com/site/page/token2-fido2-pin-see-the-pin-complexity-in-action.

One downside that is beyond the control of the Token2 team is the shipping costs, which you should factor into your budget if you plan to use these keys. However, the Token2 team was quick to respond to my inquiries, and they are open to offering discounts for bulk purchases of keys.

This key not only met my specifications but also exceeded them. For instance, the NFC functionality worked exceptionally well with this key.

This has been my favorite security key.

This key is manufactured in Switzerland. See the Token2 FAQ for more details: https://www.token2.com/site/page/faq-hardware-tokens

T2F2-PIN+ Release3 TypeC

Brand: Token2

Link: https://token2.com/shop/product/t2f2-pin-release3-typec

Price: USB-C €21.50 ($24.45 USD), USB-A €20.50 ($23.31 USD on 2025/04/21)

Storage: 300

Support: FIDO U2F + FIDO2.1 WebAuthn + HOTP (HID) + TOTP

SSH Support: ed25519-sk and ecsda-sk

Software/Manual: https://token2.com/shop/product/t2f2-pin-release3-typec

Pros: NFC, SSH support, great design. No third-party software is needed (it works fine in Google Chrome). Great price. Great functionality.

Cons: Shipping costs to the United States.

Linux “dmesg”:

[1187229.041292] usb 1-6: New USB device found, idVendor=349e, idProduct=0026, bcdDevice= 1.00

[1187229.041314] usb 1-6: New USB device strings: Mfr=1, Product=2, SerialNumber=0

[1187229.041320] usb 1-6: Product: FIDO2 Security Key(0026)

[1187229.041325] usb 1-6: Manufacturer: TOKEN2

[1187229.046828] input: TOKEN2 FIDO2 Security Key(0026) as /devices/pci0000:00/0000:00:14.0/usb1/1-6/1-6:1.0/0003:349E:0026.000C/input/input24

[1187229.127439] hid-generic 0003:349E:0026.000C: input,hidraw1: USB HID v1.10 Keyboard [TOKEN2 FIDO2 Security Key(0026)] on usb-0000:00:14.0-6/input0

[1187229.129664] hid-generic 0003:349E:0026.000D: hiddev0,hidraw2: USB HID v1.10 Device [TOKEN2 FIDO2 Security Key(0026)] on usb-0000:00:14.0-6/input1

Linux “lsusb”:

Bus 001 Device 009: ID 349e:0026 TOKEN2 FIDO2 Security Key(0026)

Experience:

This key shares many of the same features mentioned above. However, it is priced slightly lower and supports either USB-C or USB-A, depending on the model you choose. For a better understanding of the features this key offers, please refer to the section titled “Token2 T2F2-Dual PIN+Octo FIDO2.1 Security Key - Nonbranded” above.

I will discuss some of the differences and share my thoughts on them.

The overall feel of the key is solid, though it is slightly less sturdy than the YubiKey 5C. Additionally, this key is somewhat smaller than the YubiKey 5C. In comparison to the “Token2 T2F2-Dual PIN,” the keyhole on this key feels much more solid.

These keys don’t use a “button,” per se. Instead of “pressing” anything, you simply “touch” the exposed metal part of the key to confirm your presence.

The “Token2 T2F2-Dual” enforces an 8-digit PIN and prevents users from using easily guessable PINs. This key also stops users from setting PINs that are easy to guess, with a minimum PIN length of 6 digits.

The specifications are very similar to those of the “Token2 T2F2-Dual.” However, there are some differences:

• Less worried about the keyhole.

• Key will only support USB-A or USB-C (not both)

• The minimum PIN is 6 digits, instead of 8.

• The form factor is smaller.

This key is manufactured in Switzerland. See the Token2 FAQ for more details: https://www.token2.com/site/page/faq-hardware-tokens

Identiv - uTrust FIDO2 NFC

Brand: IDENTIV

Link: https://www.amazon.com/dp/B0C6YRJ7Y7

Price: $16.50

Storage: unknown

Support: Supports FIDO2, U2F, and WebAuth. Support for OTP and PIV is enabled for specific use cases.

SSH Support: No

Software/Manual: https://www.hirschsecure.com/filesimages/LACS/uTrust_Key_Manager_Software_UserManual_Identity.pdf

https://www.hirschsecure.com/products/identity-smart-card-readers/utrust-fido2-security-keys/utrust-key-manager-software

Pros: NFC was functional.

Cons: I would NOT use it as a daily driver. The Button is deep and challenging to get to and doesn’t support the built-in web browser/OS setup. Had to load third-party software to get the key functional. I found this key flaky to use.

Linux “dmesg”:

[82711.528268] usb 1-4: New USB device found, idVendor=04e6, idProduct=5a11, bcdDevice= 0.01

[82711.528289] usb 1-4: New USB device strings: Mfr=1, Product=2, SerialNumber=0

[82711.528295] usb 1-4: Product: uTrust FIDO2 Security Key

[82711.528300] usb 1-4: Manufacturer: Identiv

[82711.534180] hid-generic 0003:04E6:5A11.0004: hiddev0,hidraw1: USB HID v1.11 Device [Identiv uTrust FIDO2 Security Key] on usb-0000:00:14.0-4/input1

[82711.535214] input: Identiv uTrust FIDO2 Security Key as /devices/pci0000:00/0000:00:14.0/usb1/1-4/1-4:1.2/0003:04E6:5A11.0005/input/input20

[82711.615135] hid-generic 0003:04E6:5A11.0005: input,hidraw2: USB HID v1.11 Keyboard [Identiv uTrust FIDO2 Security Key] on usb-0000:00:14.0-4/input2

Linux “lsusb”:

Bus 001 Device 007: ID 04e6:5a11 SCM Microsystems, Inc. uTrust FIDO2 Security Key

Experience:

This key is the cheapest, and it shows. The button used to prove that the operator of the key is present is set pretty low within the key's housing. This sometimes makes it tricky to “touch,” unlike other keys. Physically, it feels cheap, and I don’t think it would hold up to wear and tear.

This was also the most frustrating key to use. Every key covered in this list would let me set the key’s PIN upon first use, but this one did not. This means you must load the Windows-only software to set the PIN, which must be set to register Passkeys.

The “technical” specs didn’t indicate how many FIDO2 credentials it can hold. Some technical specifications might tell you how much memory the key has, which can help you estimate how many FIDO2 keys the device might hold.

Not only that, but locating the correct software was also a challenge. When going to the identiv.com website, I got this:

“On September 6, 2024, Identiv completed the sale of its physical security, access card, and identity reader operations and assets. Identiv is now solely focused on developing, manufacturing, and supplying its specialty Internet of Things (IoT) solutions and in-house IoT connecting cloud.”

After more research, I discovered that identiv.com was sold to https://www.hirschsecure.com/.

I broke down and loaded the “uTrust Key Manager” software, which allowed me to set the initial PIN. After setting the PIN, I retested it with Google Chrome, but that still didn’t work.

After the initial setup, the key was functional with macOS and Linux. However, I found it frustrating to use. I tested it with Key9, the identity company where I work, and on https://webauthn.io.

The key was unreliable; it sometimes needed to be “reinserted” before it would work. On macOS, I experienced multiple instances of the web browser freezing. When it did work, it prompted me to “select” the key to use, even though there was only one passkey associated with the site.

The key did not support SSH. Overall, this key was frustrating and cannot be recommended.

This key is manufactured in the USA.

HyperFIDO Titanium PRO FIDO2 Security Key

Brand: Hypersecu

Link: https://www.amazon.com/dp/B07T7SPMJB

Price: $17.75

Storage: unknown

Support: FIDO U2F, FIDO2 (WebAuthn) and HOTP (HMAC-SHA1 one-time password) all-in-one device

SSH Support: Supports ecdsa-sk, but does not support ed25519-sk

Software/Manual: https://www.scbsolutions.com/Brochures/ProProgrammer.zip (has manual within zip)

Pros: Nice, durable case. Would use as a daily driver. Great Price. Easy to access button. Did not require 3rd party software to setup.

Cons: No NFC.

Linux “dmesg”:

[83870.034876] usb 1-4: New USB device strings: Mfr=1, Product=2, SerialNumber=0

[83870.034883] usb 1-4: Product: HyperFIDO

[83870.034889] usb 1-4: Manufacturer: HS

[83870.054993] input: HS HyperFIDO as /devices/pci0000:00/0000:00:14.0/usb1/1-4/1-4:1.0/0003:2CCF:0854.0012/input/input27

[83870.132067] hid-generic 0003:2CCF:0854.0012: input,hidraw1: USB HID v1.00 Keyboard [HS HyperFIDO] on usb-0000:00:14.0-4/input0

[83870.142197] hid-generic 0003:2CCF:0854.0013: hiddev0,hidraw2: USB HID v1.10 Device [HS HyperFIDO] on usb-0000:00:14.0-4/input1

Linux “lsusb”:

Bus 001 Device 012: ID 2ccf:0854 Hypersecu HyperFIDO

Experience:

This key is quite impressive. It has a solid construction and a satisfying tactile feel to the button. Additionally, it is a good size. I'm uncertain if it would survive a trip through the washer and dryer, but the manufacturing quality is good overall.

Knowing the number of available Passkeys and SSH keys slots would be helpful.

Using the Chrome web browser, users can now update or delete passkeys and SSH keys from their devices, which is very convenient.

It would have been beneficial if it supported ed25519-sk for SSH, but ecdsa-sk is likely sufficient for most users. While it doesn’t have NFC, this is probably not a significant drawback for most people.

This key offers good value for its price.

According to the documentation, this key is manufactured in China. There are indications that Hypersecu may offer manufacturing in Canada for large enterprise orders.

Thetis Pro FIDO2 Security Key

Brand: Thetis

Link: https://www.amazon.com/dp/B0BJP64YTT

Price: $32.95

Storage: 50 Passkeys/SSH keys.

Support: FIDO2, FIDO U2F & TOTP/HOTP

SSH Support: Supports ecdsa-sk and ed25519-sk

Software/Manual: https://thetis.io/pages/downloads

Pros: It has functional NFC. Didn’t need third-party software to set up. By default, it enforces a 6-character PIN. I like the USB-A → USB-C “swivel” design. Comes with a nice little carrying case.

Cons: Bulky due to its USB-A / USB-C design

Linux “dmesg”:

[86328.338933] usb 1-4: new full-speed USB device number 13 using xhci_hcd

[86328.468226] usb 1-4: New USB device found, idVendor=1ea8, idProduct=f825, bcdDevice= 1.00

[86328.468249] usb 1-4: New USB device strings: Mfr=1, Product=2, SerialNumber=0

[86328.468256] usb 1-4: Product: Security Key(F825)

[86328.468262] usb 1-4: Manufacturer: Thetis

[86328.475356] hid-generic 0003:1EA8:F825.0014: hiddev0,hidraw1: USB HID v1.10 Device [Thetis Security Key(F825)] on usb-0000:00:14.0-4/input0

Linux “lsusb”:

Bus 001 Device 013: ID 1ea8:f825 Thetis Security Key(F825)

Experience:

Although the price range may increase, this key feature is a unique design. It’s likely quite useful for those who navigate USB-A, USB-C, and NFC—this single key supports all three!

The key has a “swivel” design, which means you can “switch” it between USB-A and USB-C. The presence button is in the center of the key and has a nice tactile feel. The manufacturing quality feels good, but I’m not sure it would survive a trip through the washer and dryer.

The key did not require loading the Thetis software, as it worked fine with Chrome. I like that it requires a 6-digit key by default. In fact, it was the only key tested that required a 6-digit PIN by default. Using third-party software, most keys will allow you to change the default PIN length, but that requires loading bloatware and an extra step during implementation.

Another plus is that SSH keys stored on this device support ecdsa-sk and ed25519-sk. That was a pleasant surprise.

I found NFC to be a bit tricky to use. For instance, I have an iPhone 16 Pro, and I sometimes struggled to find the right spot for the NFC to work effectively. When I removed my phone case, its performance improved. However, I noticed that some other keys tested seemed to work better with NFC, and I didn't need to remove my phone case for those.

My only complaint is that the key feels somewhat bulky, which is a result of its design. It's not excessively large, but when trying to incorporate USB-A, USB-C, and NFC into a single key, I don't see how this can be avoided.

If the slightly bulky design doesn't bother you, this key could be your daily driver.

According to the documentation, this key is manufactured in China.

Trustkey T120

Brand: Trustkey

Link: https://www.amazon.com/dp/B08881651P

Price: $20.00

Storage: Some pages stated 150 slots, while others stated 200.

Support: FIDO2, U2F, TOTP, HOTP

SSH Support: Only supports ecdsa-sk.

Software/Manual: https://www.trustkey.kr/en/sub/support.form

Pros: Great price point. Users can store a sufficient number of keys. No third-party software is needed.

Cons: No NFC

Linux “dmesg”:

[166284.617164] usb 1-4: New USB device found, idVendor=311f, idProduct=a6e9, bcdDevice= 0.00

[166284.617188] usb 1-4: New USB device strings: Mfr=1, Product=2, SerialNumber=3

[166284.617195] usb 1-4: Product: TrustKey T120

[166284.617201] usb 1-4: Manufacturer: TrustKey

[166284.617206] usb 1-4: SerialNumber: A00000000017

[166284.622626] hid-generic 0003:311F:A6E9.0015: hiddev0,hidraw1: USB HID v1.10 Device [TrustKey TrustKey T120] on usb-0000:00:14.0-4/input0

[166284.624382] input: TrustKey TrustKey T120 as /devices/pci0000:00/0000:00:14.0/usb1/1-4/1-4:1.1/0003:311F:A6E9.0016/input/input28

[166284.702150] hid-generic 0003:311F:A6E9.0016: input,hidraw2: USB HID v1.10 Keyboard [TrustKey TrustKey T120] on usb-0000:00:14.0-4/input1

Linux “lsusb”:

Bus 001 Device 014: ID 311f:a6e9 TrustKey TrustKey T120

Experience:

This key is quite good. Its size closely resembles a Yubikey, roughly the same as the Yubico 5C series key (USB-C). While it may not match the manufacturing quality of a Yubikey, it is still very close.

Considering its price point and memory capacity, it's a good deal, especially if you primarily plan to use it for storing Passkeys. However, if you intend to use the key to store SSH keys, remember that it only supports ecdsa-sk.

It lacks NFC, but at this price, that isn’t surprising, and many users may not mind.

At this price point, you can have one as a daily driver and purchase another key as a backup.

The key is manufactured in South Korea.

Thales Safenet eToken FIDO Type C

Brand: Thales

Link: https://www.amazon.com/dp/B0CVSH3FBG

Price: $25.00

Storage: Technical specifications stated “55 KB” and “up to 8 FIDO discoverable credentials (resident keys). See https://cpl.thalesgroup.com/sites/default/files/content/brochures/FIDO2-security-keys-specifications-br.pdf

Support: FIDO, FIDO2. U2F

Software/Manual: https://cpl.thalesgroup.com/sites/default/files/content/brochures/FIDO2-security-keys-specifications-br.pdfetoken [this is a great specification page]

https://cpl.thalesgroup.com/access-management/authenticators/safenet-fido-key-manager

SSH Support: None

Pros: It has a very small form factor. There is no “button;” you touch the metal on the key. I liked this. It's a good price point.

Cons:  It lacks a status LED and does not work with Chrome’s built-in security key management. It also lacks NFC and SSH support.

Linux “dmesg”:

[168221.693326] usb 1-4: New USB device found, idVendor=08e6, idProduct=34d1, bcdDevice= 0.08

[168221.693346] usb 1-4: New USB device strings: Mfr=1, Product=2, SerialNumber=3

[168221.693351] usb 1-4: Product: eToken Fido

[168221.693355] usb 1-4: Manufacturer: SafeNet

[168221.693358] usb 1-4: SerialNumber: 02EDDEEDD3F9

[168221.698532] hid-generic 0003:08E6:34D1.0019: hiddev0,hidraw1: USB HID v1.11 Device [SafeNet eToken Fido] on usb-0000:00:14.0-4/input0

Linux “lsusb”:

Bus 001 Device 016: ID 08e6:34d1 Gemalto (was Gemplus) eToken Fido

Experience:

This key has a great, super-small form factor and seems to be built very well.

However, it’s not a great key.

I was pleased that when I set up my first Passkey, the process allowed me to create a PIN directly within the browser. However, when I tried to manage the key’s "sign-in data” in Chrome, I received an error message stating, “This security key can't store any sign-in data.”

This suggests that to remove Passkeys, you need to use Thales software.

The key can only store about 8 Passkeys, which isn’t enough for most users.

This key is manufactured in China or Cambodia.

Google Titan Key

Brand: Google

Link: https://store.google.com/us/product/titan_security_key

Price: $35.00 USB-C, $30.00 for USB-A

Storage: 250 unique Passkeys

Support: FIDO2

Software/Manual: https://support.google.com/titansecuritykey/

SSH Support: Supports only ecdsa-sk.

Pros: NFC. Lots of memory for keys. Very well made from a known brand.

Cons: It does NOT support built-in Chrome security key management tools. The price is at the higher range for a “cheap” key.

Linux “dmesg”:

[ 1033.914450] usb 1-4: New USB device found, idVendor=18d1, idProduct=9470, bcdDevice= 0.01

[ 1033.914472] usb 1-4: New USB device strings: Mfr=1, Product=2, SerialNumber=3

[ 1033.914479] usb 1-4: Product: Titan Security Key v2

[ 1033.914484] usb 1-4: Manufacturer: Google

[ 1033.914489] usb 1-4: SerialNumber: 2

[ 1033.920835] hid-generic 0003:18D1:9470.0004: hiddev0,hidraw1: USB HID v1.11 Device [Google Titan Security Key v2] on usb-0000:00:14.0-4/input0

Linux “lsusb”:

Bus 001 Device 006: ID 18d1:9470 Google Inc. Titan Security Key v2

Experience:

This key is very nice, but I find it hard to recommend. The reason might surprise you— it certainly surprised me!

I can’t believe I have to write this, but this key does not support the built-in “Manage Security Keys” options in Google Chrome! Yes, you read that correctly—a key manufactured by Google cannot use the Chrome security key management tools.

You might think, “No big deal. I’ll install the software with the key to manage the sign-in data.” However, there is no software available for this purpose! Although the key has plenty of memory to store Passkeys, there is currently no way to remove old Passkeys. The only option that works in Chrome is the “Change the PIN” feature.

The key does support ecdsa-sk for SSH but not ed25519-sk. While testing the key, it dawned on me that it is a couple of years old. Maybe a newer key would have newer firmware, which might support ed25519-sk and Google Chrome’s built-in security key management.

After Googling around, it seemed promising. I found a user who stated that newer Google Titan keys supported ed25519-sk. With this in mind, I purchased a brand new Google Titan key.

The results remain unchanged: there is still no ed25519-sk for SSH support, and the key cannot be managed via Google Chrome. Various Reddit posts say this has been a known issue for over a year.

These issues were quite frustrating for a well-made key with excellent storage capacity!

The Google Titan key is made in China by Feitan.

Yubico - Security Key C NFC

Brand: Yubico

Link: https://www.amazon.com/dp/B0BVNRXFHT

Price: $29.00

Storage: 100 keys

Support: FIDO2, U2F

Software/Manual: https://www.yubico.com/support/download/yubikey-manager/

SSH Support: ed25519-sk and ecdsa-sk

Pros: It's rugged, IP68 Water resistant, and crush resistant. It's at a good price point. It supports NFC. Yubikey makes more expensive keys, but this one does everything I need.

Cons: None

Linux “dmesg”:

[ 520.938599] usb 1-4: new full-speed USB device number 4 using xhci_hcd

[ 521.067638] usb 1-4: New USB device found, idVendor=1050, idProduct=0402, bcdDevice= 5.71

[ 521.067660] usb 1-4: New USB device strings: Mfr=1, Product=2, SerialNumber=0

[ 521.067667] usb 1-4: Product: YubiKey FIDO

[ 521.067673] usb 1-4: Manufacturer: Yubico

[ 521.131719] hid-generic 0003:1050:0402.0002: hiddev0,hidraw1: USB HID v1.10 Device [Yubico YubiKey FIDO] on usb-0000:00:14.0-4/input0

[ 521.131810] usbcore: registered new interface driver usbhid

[ 521.131814] usbhid: USB HID core driver

Linux “lsusb”:

Bus 001 Device 004: ID 1050:0402 Yubico.com Yubikey 4/5 U2F

Experience:

YubiKeys are among the most recognized hardware security keys in the industry.

These keys are a solid choice. However, it's important to note that they offer various options at varying prices. I outlined my specific goals at the beginning of this article: Support for Passkeys is essential, while SSH support is a bonus. Additionally, it's great that these keys support NFC, which has performed well in my testing.

While it doesn't hold the highest number of keys, 100 slots are sufficient for most users.

The advantage of this key is that it meets all my requirements. Specifically, I am referring to the “Yubico Security Key C NFC,” priced at $29.00. While Yubico, the manufacturer of YubiKeys, offers other models with additional features starting at around $50.00, those extra features are unnecessary for my needs..

YubiKeys have an excellent reputation and are widely considered the industry standard for security keys. These devices are durable; several have survived multiple trips through the washer and dryer. They are IP68 water-resistant and crush-resistant, making them quite rugged.

The keys can be easily managed through the Chrome browser's built-in security settings. You do not need to install Yubico software unless you want to explore its features.

These keys are manufactured in Sweden and the USA.

Cryptnox FIDO2 Smart Card

Brand: Cryptnox

Link: https://www.amazon.com/Cryptnox-Security-Physical-Second-Factor/dp/B0B384JCP8

Price: $31.74

Storage: 4k, but it doesn’t explain how memory is allocated.

Support: FIDO2 (Passkeys), U2F

Software/Manual: https://cryptnox.com/directory/content/uploads/2024/10/Cryptnox-Fido2-Manual-and-Specifications-full.pdf

SSH Support: None

Pros: It's Nice to have a key that can go in my wallet. NFC worked well.

Cons: It claims to be “Linux” compatible, but it isn’t. There is no SSH support.

Linux “dmesg”:

[ 2076.447982] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7

[ 2563.074602] usb 1-4: new full-speed USB device number 8 using xhci_hcd

[ 2563.214111] usb 1-4: New USB device found, idVendor=058f, idProduct=9540, bcdDevice= 1.20

[ 2563.214133] usb 1-4: New USB device strings: Mfr=1, Product=2, SerialNumber=0

[ 2563.214140] usb 1-4: Product: EMV Smartcard Reader

[ 2563.214145] usb 1-4: Manufacturer: Generic

Linux “lsusb”:

Bus 001 Device 008: ID 058f:9540 Alcor Micro Corp. AU9540 Smartcard Reader

Experience:

This isn’t a “key," but I wanted to try it out. There’s an entire market for these types of cards. Perhaps one day, I’ll do a “shootout” of those.

My primary motivation for testing this card was to determine if it could replace a hardware security key (i.e., one that you would typically carry on a key ring) that fits in your wallet.

Some jobs prohibit employees from bringing cell phones or USB devices. In these cases, a credit card-sized key that fits in a wallet may be utilized.

I must admit, there is something nice about having your Passkeys securely stored in your wallet and not dangling off a key ring.

There are some issues with going this route.

While NFC works well, if your laptop doesn't support NFC, you'll need to carry a reader for the card. Although the reader isn't bulky, it's an additional item to have and may eventually be lost.

The card and reader do not work with the built-in key management tools in the Chrome browser. You must use the Windows 11 key management software to set the initial PIN. Despite compatibility claims with both systems, it cannot be set up on macOS or Linux.

After the PIN is set up, you might be able to use it with Linux/MacOS, but I never got it to work correctly. Since there is no “setup software," there’s no way to “manage” the keys stored on the device. The documentation states that the card has 4k storage but doesn’t indicate how much is reserved for Passkeys. I managed to store a few without issue, but I suspect you won’t be able to store many more.

Final Thoughts:

As suspected, the Yubikey Security Key C NFC ($29.00) is likely the best option for storing Passkeys and SSH keys, which isn’t surprising. However, a few budget-friendly hardware keys may not be as impressive as the Yubikey tested here, but they come close.

The Trustkey T120 ($20.00) is a solid choice for organizations operating on a limited budget. The Thetis Pro FIDO2 Security Key ($32.95) is also an attractive option for technically inclined people.

For personal use, pairing a Yubikey Security Key C NFC ($29.00) with the Trustkey backup ($20.00) seems like a good combination.

Thank you for reading this article. I hope you enjoyed it. It took a lot of effort, but it was fun to research and write. If your organization is looking for a path to becoming 100% “passwordless,” please check out Key9 Identity ( https://k9.io ).

If the website offers a "backup" method of authentication, such as a secondary username and password, the user must use it.  The attacker can capture the username and password, but not the Passkey. The attack is simple: force the victim to take the least secure route and compromise their account that way.

At Key9, we have acknowledged that outdated authentication protocols pose a risk to passkeys.  

Imagine a scenario where a highly secure bank vault is protected by an off-the-shelf Walmart bike lock as a backup. The attacker will focus on attacking the Walmart bike lock instead of the expensive, highly secure locking mechanism.  It may be a "convenient backup" for the user, but it is a vulnerability to the entire system.

Joe Stewart’s work is an excellent example of how such attacks might unfold. However, the attacker needs to be "in the middle" of the session, making it challenging to execute against TLS sessions at scale.

We have envisioned a more direct approach that aligns with a traditional phishing campaign.

In this method, the attacker would register a domain name that is similar to the target domain. This can be achieved through standard domain squatting, omission, or replacement techniques. For instance, the attacker might create a domain name like "examples.com" to imitate "example.com." This slight alteration makes the domain appear legitimate at a casual glance.

Attackers have been using this technique for years.

The attacker's domain directs users to a fraudulent "login" page that is an exact replica of the target's actual login page. The main distinction is that when the user tries to use their Passkey, the attacker's website shows a bogus "error message" claiming that Passkeys are not available and that the user should instead use the less secure traditional username and password.

By compelling the user to take a less secure path with usernames and passwords, attackers can employ their typical phishing tactics.

The reason we avoid using legacy authentication protocols, such as usernames and passwords, is precisely because of these types of attacks. Key9 does not depend on weaker forms of authentication; instead, we solely rely on public key cryptography (Passkeys).

This makes our platform immune to these kinds of attacks.

It will take time and trust building, but continued reliance on passwords will become increasingly vulnerable. Passkeys and public key cryptography can only work if we abandon legacy weak authentication protocols.

Companies will love this technology because it increases productivity. There's no longer a need for 'password resets,' which are estimated to waste 11 hours per year per employee. Additionally, 20% to 50% of IT staff time is currently wasted on 'password reset' calls. This is due to the fact that 78% of users forget their passwords within 90 days."

The more productive an employee can be without being distracted by password resets, invalid login attempts, and password updates, the more they can accomplish.

It can also protect companies from potential cyber-attacks, as 81% of all cyber-attacks are centered around stolen credentials. 

The reasons mentioned are compelling enough to warrant considering a transition to passwordless technology.

There is yet another reason why many of the world's largest companies are embracing the "Passwordless" approach. 

The reason is corporate liability. 

Storing passwords carries significant risks. Many organizations struggle to do it securely, and in the event of a breach, they may face legal consequences.  Around 73% of users admit to commonly "reusing passwords." This increases the potential impact or “blast radius” of password exposure during a breach. For example, if your organization's password database is breached, that data will be used in attacks known as “credential stuffing” to attack other organizations.

Simply put, a breach of your organization's passwords will likely be used to compromise other organizations. When people start examining the “root cause” of an incident, the roads might lead right back to you.

You might have already noticed a shift but not given it much thought. For instance, some websites are replacing usernames and passwords with "one-time codes" sent to your email.   This is to avoid the responsibility and liability of having to store passwords. 

These email links and one-time codes shift the security and liability to your email provider. In fact, Gmail.com is likely to do a better job of securing your account than the company you work for.

Public key cryptography allows you to log in without your company or identity provider (IdP) storing “secrets”. This is also why Passkeys are growing in popularity.    Organizations that adopt this approach no longer risk exposing "secrets" such as passwords because they no longer have them. If an attacker were to compromise your company's "Passkey" database, they would only find public keys, which are useless without the corresponding private keys.  

This mitigates the company's legal liabilities, ensuring that even if compromised, there is nothing for the attacker to “steal”.

This is why we say Key9 “doesn’t keep secrets”. 

We are proud to present the world's first fully Passkey-powered, zero-trust, cloud-based Identity Provider (iDp). Our state-of-the-art technology guarantees your online protection, so you can enjoy a secure and hassle-free experience.

Our business model has two main components. Firstly, we utilize open standards such as FIDO2 and Passkeys to eliminate the need for usernames and passwords. Secondly, we believe that Identity and Access Management (IAM) has become too complicated for many organizations. Our goal is to implement passwordless technologies and simplify identity management.

As you may already know, traditional usernames and passwords have been vulnerable for quite some time and can easily be compromised. Shockingly, over 80% of all security breaches occur as a result of weak, reused or compromised passwords. In fact, a quarter of the S&P 500 had their SSO (single sign-on) credentials exposed and sold on the "dark web".

Multi-Factor Authentication (MFA) was created as a solution to prevent data breaches. However, while MFA has been effective in enhancing security, it has also made logging into applications more complicated and frustrating for users. This has resulted in what experts call "MFA Fatigue", which attackers can exploit by taking advantage of the users' frustration and confusion.

Although MFA has helped prevent breaches to a certain extent, many organizations have still been breached by attackers using a technique called "MFA bombing". In the early days of MFA, text messages (SMS) were used; however, security professionals have been urging people and organizations to switch to better alternatives like Time-Based One Time Passwords (TOTP). Nevertheless, many people still use SMS, which has made it easier for attackers to con telephony providers and perform SIM swapping attacks.

This is a problem faced by traditional and legacy Identity Providers (iDp). When these iDp’s rely solely on usernames and passwords, they may not feel the urgency to replace their business model. However, the consequences can be severe if a large number of companies had their Single Sign-On credentials exposed and sold on the "dark web". In such cases, traditional iDp may use "band-aid" solutions under the guise of "intelligence" by using terms like "impossible travel" and "threat intelligence". However, the root of the problem still remains.

Security breaches like those suffered by Okta highlight the importance of cybersecurity.

Many legacy IAM platforms that claim to support Passkeys often have other issues. One such problem is that these legacy platforms still rely on usernames and passwords as a backup means to access. This defeats the purpose of using public key cryptography and creates a vulnerability for attackers to bypass the added security provided by Passkeys.

Key9 avoids vendor lock-in and potential vulnerabilities by using open standards like "Passkeys" supported by major companies such as Microsoft, Google, Apple, and Mozilla instead of proprietary applications.

Key9 combined various technologies with SSO. The idea behind it is to use public key cryptography to eliminate the need for usernames and passwords. By doing so, we avoid storing sensitive information that could be vulnerable to hacking attempts. In other words, if we don't have your usernames and passwords, there is nothing for hackers to steal.

We still have a long journey ahead, but we hope you'll join us in a future without passwords.