The 2025 Security Key Shootout!
Best & worst hardware security keys to store Passkeys and SSH keys.
I've been a strong advocate for the "passwordless" approach for some time now. Before fully embracing it, I had a diverse collection of hardware security tokens. Since founding Key9 Identity (https://k9.io)—a company entirely focused on Passkeys and FIDO2—I have developed an increasing obsession with security keys. I'm always looking for new implementations and affordable alternatives to the leading options in the market.
I have just a few criteria defining a good security key.
First and foremost, the key must support Passkeys. I prefer it to have a reasonable number of slots to store Passkeys. In my opinion, security keys that can only store 10 Passkeys are nearly useless.
While not a “hard” requirement, it would be nice if the security key supported SSH, in particular the ed25519-sk cryptographic algorithm. At the very least, it should support ecdsa-sk. Both ed25519-sk and ecdsa-sk are considered secure, but ed25519-sk is more resistant to potential attacks and is considered a more robust cryptographic algorithm. It’s also faster, but not so much that you would ever notice.
I see many nerds, like myself, screaming that ed25519-sk is the best choice when using SSH. That is true, but remember that ecdsa-sk is far superior to passwords.
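The server-side view of that trade-off, as an added example that is not from the original article: this Python code audits authorized_keys text and reports which entries are FIDO2-backed (ed25519-sk or ecdsa-sk), which are ordinary software keys, and whether the touch or PIN checks have been changed per key. The sample entries and key blobs are constructed; the key type names and the no-touch-required and verify-required options are OpenSSH's own.

```python
import base64
import re
import struct

# OpenSSH public-key type names for FIDO2-backed keys -> ssh-keygen -t names.
SK_TYPES = {
    "sk-ssh-ed25519@openssh.com": "ed25519-sk",
    "sk-ecdsa-sha2-nistp256@openssh.com": "ecdsa-sk",
}
SOFTWARE_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
                  "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def split_unquoted(text, seps):
    """Split at separator characters that sit outside double-quoted values."""
    pattern = r'(?:[^%s"]|"(?:\\.|[^"\\])*")+' % re.escape(seps)
    return re.findall(pattern, text)


def blob_type(b64):
    """Return the key type string embedded at the start of the base64 key blob."""
    try:
        raw = base64.b64decode(b64, validate=True)
        (n,) = struct.unpack(">I", raw[:4])
        return raw[4:4 + n].decode("ascii")
    except (ValueError, struct.error):
        return None


def audit_line(line):
    """Classify one authorized_keys line; None for blank lines and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = split_unquoted(line, " \t")
    known = set(SK_TYPES) | SOFTWARE_TYPES
    # The key type is the first field, or the second when an options field precedes it.
    idx = next((i for i in (0, 1) if i < len(fields) and fields[i] in known), None)
    if idx is None or idx + 1 >= len(fields):
        return {"algorithm": "unknown", "hardware": False,
                "pin_enforced": False, "issues": ["unparsed entry"]}
    ktype, blob = fields[idx], fields[idx + 1]
    opts = {o.split("=", 1)[0].lower() for o in split_unquoted(fields[0], ",")} if idx else set()
    hardware, issues = ktype in SK_TYPES, []
    if blob_type(blob) != ktype:
        issues.append("declared type does not match key blob")
    if not hardware:
        issues.append("not a FIDO2-backed (-sk) key")
    elif "no-touch-required" in opts:
        issues.append("no-touch-required disables the user-presence check")
    return {"algorithm": SK_TYPES.get(ktype, ktype), "hardware": hardware,
            "pin_enforced": hardware and "verify-required" in opts, "issues": issues}


def audit(text):
    return [r for r in map(audit_line, text.splitlines()) if r]


def sample_blob(ktype):
    """Constructed blob: a correct type header plus filler bytes, not a real key."""
    name = ktype.encode()
    return base64.b64encode(struct.pack(">I", len(name)) + name + bytes(32)).decode()

ED, EC = "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"
SAMPLE = "\n".join([  # constructed authorized_keys content
    f"{ED} {sample_blob(ED)} alice@example",
    f'verify-required,command="echo hi, there" {EC} {sample_blob(EC)} bob@example',
    f"no-touch-required {EC} {sample_blob(EC)} ci@example",
    f"ssh-rsa {sample_blob('ssh-rsa')} legacy@example",
    f"ssh-ed25519 {sample_blob('ssh-rsa')} mislabelled@example",
])

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```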
The security key needs to be durable. Several of my security keys have passed through the washer and dryer multiple times, and flimsy security enclosures can and will be broken. These devices are meant to be on your key chain or pocket. If they can’t hold up to different levels of torture, then they aren’t for me. On the other hand, cheap keys that can’t hold up to physical pressure might be acceptable as a “backup” in a safe or safety deposit box.
Price typically isn’t an issue for personal use. However, if you are an organization planning to roll out Passkeys and need many security keys, price becomes a significant concern. With this in mind, I am testing the most affordable keys I can find.
Finally, I prefer not to install third-party security key software. Their software is usually unnecessary; many people are unaware of this.
For example, when you purchase a new security key, it typically does not have a PIN set. Many security key manufacturers recommend installing their software to set up the PIN. However, this is not necessary. When you register your first Passkey, most web browsers will recognize that you don’t have a PIN and will allow you to set one before registering your Passkey.
Not having to install third-party software (bloatware) allows you to set up Passkeys more quickly.
Sometimes, you may want to review what is stored on your security key or delete some old entries to free up Passkey slots.
Few people seem aware that web browsers like Google Chrome and Chromium provide options for managing “security keys.” You can find this feature in Chrome/Chromium by navigating to Privacy and security -> Security -> Manage security keys.
Once there, you can create or change your PIN and manage all your sign-in data. For example, you can remove old Passkeys and SSH keys from your hardware security token. If your key supports biometrics, you can manage fingerprints as well. Additionally, you can reset your security key, which will erase all data on the device.
We will see browsers and operating systems directly supporting security keys in the future. This is because FIDO2 security keys generally function similarly across different platforms, except when they don’t. Then you'll need to use software provided by the security key manufacturers. The usability and quality of this third-party software can vary significantly. For instance, some security key manufacturers' software might only be compatible with Windows 11. If you have one of these keys, you'll need access to a Windows 11 machine to manage it, although it will likely still function on Linux and macOS.
We are getting closer to managing our FIDO2 keys directly within the operating system or browser. I, for one, will look forward to that day.
With those conditions and rules in place, let's get started!
Identiv - uTrust FIDO2 NFC
Brand: IDENTIV
Link: https://www.amazon.com/dp/B0C6YRJ7Y7
Price: $16.50
Storage: unknown
Support: Supports FIDO2, U2F, and WebAuthn. Support for OTP and PIV is enabled for specific use cases.
SSH Support: No
Software/Manual: https://www.hirschsecure.com/filesimages/LACS/uTrust_Key_Manager_Software_UserManual_Identity.pdf
Pros: NFC was functional.
Cons: I would NOT use it as a daily driver. The button is deep and challenging to get to and doesn’t support the built-in web browser/OS setup. Had to load third-party software to get the key functional. I found this key flaky to use.
Linux “dmesg”:
[82711.528268] usb 1-4: New USB device found, idVendor=04e6, idProduct=5a11, bcdDevice= 0.01
[82711.528289] usb 1-4: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[82711.528295] usb 1-4: Product: uTrust FIDO2 Security Key
[82711.528300] usb 1-4: Manufacturer: Identiv
[82711.534180] hid-generic 0003:04E6:5A11.0004: hiddev0,hidraw1: USB HID v1.11 Device [Identiv uTrust FIDO2 Security Key] on usb-0000:00:14.0-4/input1
[82711.535214] input: Identiv uTrust FIDO2 Security Key as /devices/pci0000:00/0000:00:14.0/usb1/1-4/1-4:1.2/0003:04E6:5A11.0005/input/input20
[82711.615135] hid-generic 0003:04E6:5A11.0005: input,hidraw2: USB HID v1.11 Keyboard [Identiv uTrust FIDO2 Security Key] on usb-0000:00:14.0-4/input2
Linux “lsusb”:
Bus 001 Device 007: ID 04e6:5a11 SCM Microsystems, Inc. uTrust FIDO2 Security Key
Experience:
This key is the cheapest, and it shows. The button used to prove that the operator of the key is present is set pretty low within the key's housing. This sometimes makes it tricky to “touch,” unlike other keys. Physically, it feels cheap, and I don’t think it would hold up to wear and tear.
This was also the most frustrating key to use. Every key covered in this list would let me set the key’s PIN upon first use, but this one did not. This means you must load the Windows-only software to set the PIN, which must be set to register Passkeys.
The “technical” specs didn’t indicate how many FIDO2 credentials it can hold. Some technical specifications might tell you how much memory the key has, which can help you estimate how many FIDO2 keys the device might hold.
Not only that, but locating the correct software was also a challenge. When going to the identiv.com website, I got this:
“On September 6, 2024, Identiv completed the sale of its physical security, access card, and identity reader operations and assets. Identiv is now solely focused on developing, manufacturing, and supplying its specialty Internet of Things (IoT) solutions and in-house IoT connecting cloud.”
After more research, I discovered that identiv.com was sold to https://www.hirschsecure.com/.
I broke down and loaded the “uTrust Key Manager” software, which allowed me to set the initial PIN. After setting the PIN, I retested it with Google Chrome, but that still didn’t work.
After the initial setup, the key was functional with macOS and Linux. However, I found it frustrating to use. I tested it with Key9, the identity company where I work, and on https://webauthn.io.
The key was unreliable; it sometimes needed to be “reinserted” before it would work. On macOS, I experienced multiple instances of the web browser freezing. When it did work, it prompted me to “select” the key to use, even though there was only one passkey associated with the site.
The key did not support SSH. Overall, this key was frustrating and cannot be recommended.
This key is manufactured in the USA.
HyperFIDO Titanium PRO FIDO2 Security Key
Brand: Hypersecu
Link: https://www.amazon.com/dp/B07T7SPMJB
Price: $17.75
Storage: unknown
Support: FIDO U2F, FIDO2 (WebAuthn) and HOTP (HMAC-SHA1 one-time password) all-in-one device
SSH Support: Supports ecdsa-sk, but does not support ed25519-sk
Software/Manual: https://www.scbsolutions.com/Brochures/ProProgrammer.zip (has manual within zip)
Pros: Nice, durable case. Would use as a daily driver. Great price. Easy-to-access button. Did not require third-party software to set up.
Cons: No NFC.
Linux “dmesg”:
[83870.034876] usb 1-4: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[83870.034883] usb 1-4: Product: HyperFIDO
[83870.034889] usb 1-4: Manufacturer: HS
[83870.054993] input: HS HyperFIDO as /devices/pci0000:00/0000:00:14.0/usb1/1-4/1-4:1.0/0003:2CCF:0854.0012/input/input27
[83870.132067] hid-generic 0003:2CCF:0854.0012: input,hidraw1: USB HID v1.00 Keyboard [HS HyperFIDO] on usb-0000:00:14.0-4/input0
[83870.142197] hid-generic 0003:2CCF:0854.0013: hiddev0,hidraw2: USB HID v1.10 Device [HS HyperFIDO] on usb-0000:00:14.0-4/input1
Linux “lsusb”:
Bus 001 Device 012: ID 2ccf:0854 Hypersecu HyperFIDO
Experience:
This key is quite impressive. It has a solid construction and a satisfying tactile feel to the button. Additionally, it is a good size. I'm uncertain if it would survive a trip through the washer and dryer, but the manufacturing quality is good overall.
Knowing the number of available Passkeys and SSH keys slots would be helpful.
Using the Chrome web browser, users can now update or delete passkeys and SSH keys from their devices, which is very convenient.
It would have been beneficial if it supported ed25519-sk for SSH, but ecdsa-sk is likely sufficient for most users. While it doesn’t have NFC, this is probably not a significant drawback for most people.
This key offers good value for its price.
According to the documentation, this key is manufactured in China. There are indications that Hypersecu may offer manufacturing in Canada for large enterprise orders.
Thetis Pro FIDO2 Security Key
Brand: Thetis
Link: https://www.amazon.com/dp/B0BJP64YTT
Price: $32.95
Storage: 50 Passkeys/SSH keys.
Support: FIDO2, FIDO U2F & TOTP/HOTP
SSH Support: Supports ecdsa-sk and ed25519-sk
Software/Manual: https://thetis.io/pages/downloads
Pros: It has functional NFC. Didn’t need third-party software to set up. By default, it enforces a 6-character PIN. I like the USB-A → USB-C “swivel” design. Comes with a nice little carrying case.
Cons: Bulky due to its USB-A / USB-C design
Linux “dmesg”:
[86328.338933] usb 1-4: new full-speed USB device number 13 using xhci_hcd
[86328.468226] usb 1-4: New USB device found, idVendor=1ea8, idProduct=f825, bcdDevice= 1.00
[86328.468249] usb 1-4: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[86328.468256] usb 1-4: Product: Security Key(F825)
[86328.468262] usb 1-4: Manufacturer: Thetis
[86328.475356] hid-generic 0003:1EA8:F825.0014: hiddev0,hidraw1: USB HID v1.10 Device [Thetis Security Key(F825)] on usb-0000:00:14.0-4/input0
Linux “lsusb”:
Bus 001 Device 013: ID 1ea8:f825 Thetis Security Key(F825)
Experience:
Although the price range may increase, this key features a unique design. It’s likely quite useful for those who navigate USB-A, USB-C, and NFC—this single key supports all three!
The key has a “swivel” design, which means you can “switch” it between USB-A and USB-C. The presence button is in the center of the key and has a nice tactile feel. The manufacturing quality feels good, but I’m not sure it would survive a trip through the washer and dryer.
The key did not require loading the Thetis software, as it worked fine with Chrome. I like that it requires a 6-digit PIN by default. In fact, it was the only key tested that required a 6-digit PIN by default. Using third-party software, most keys will allow you to change the default PIN length, but that requires loading bloatware and an extra step during implementation.
Another plus is that SSH keys stored on this device support ecdsa-sk and ed25519-sk. That was a pleasant surprise.
I found NFC to be a bit tricky to use. For instance, I have an iPhone 16 Pro, and I sometimes struggled to find the right spot for the NFC to work effectively. When I removed my phone case, its performance improved. However, I noticed that some other keys tested seemed to work better with NFC, and I didn't need to remove my phone case for those.
My only complaint is that the key feels somewhat bulky, which is a result of its design. It's not excessively large, but when trying to incorporate USB-A, USB-C, and NFC into a single key, I don't see how this can be avoided.
If the slightly bulky design doesn't bother you, this key could be your daily driver.
According to the documentation, this key is manufactured in China.
Trustkey T120
Brand: Trustkey
Link: https://www.amazon.com/dp/B08881651P
Price: $20.00
Storage: Some pages stated 150 slots, while others stated 200.
Support: FIDO2, U2F, TOTP, HOTP
SSH Support: Only supports ecdsa-sk.
Software/Manual: https://www.trustkey.kr/en/sub/support.form
Pros: Great price point. Users can store a sufficient number of keys. No third-party software is needed.
Cons: No NFC
Linux “dmesg”:
[166284.617164] usb 1-4: New USB device found, idVendor=311f, idProduct=a6e9, bcdDevice= 0.00
[166284.617188] usb 1-4: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[166284.617195] usb 1-4: Product: TrustKey T120
[166284.617201] usb 1-4: Manufacturer: TrustKey
[166284.617206] usb 1-4: SerialNumber: A00000000017
[166284.622626] hid-generic 0003:311F:A6E9.0015: hiddev0,hidraw1: USB HID v1.10 Device [TrustKey TrustKey T120] on usb-0000:00:14.0-4/input0
[166284.624382] input: TrustKey TrustKey T120 as /devices/pci0000:00/0000:00:14.0/usb1/1-4/1-4:1.1/0003:311F:A6E9.0016/input/input28
[166284.702150] hid-generic 0003:311F:A6E9.0016: input,hidraw2: USB HID v1.10 Keyboard [TrustKey TrustKey T120] on usb-0000:00:14.0-4/input1
Linux “lsusb”:
Bus 001 Device 014: ID 311f:a6e9 TrustKey TrustKey T120
Experience:
This key is quite good. Its size closely resembles a Yubikey, roughly the same as the Yubico 5C series key (USB-C). While it may not match the manufacturing quality of a Yubikey, it is still very close.
Considering its price point and memory capacity, it's a good deal, especially if you primarily plan to use it for storing Passkeys. However, if you intend to use the key to store SSH keys, remember that it only supports ecdsa-sk.
It lacks NFC, but at this price, that isn’t surprising, and many users may not mind.
At this price point, you can have one as a daily driver and purchase another key as a backup.
The key is manufactured in South Korea.
Thales Safenet eToken FIDO Type C
Brand: Thales
Link: https://www.amazon.com/dp/B0CVSH3FBG
Price: $25.00
Storage: Technical specifications stated “55 KB” and “up to 8 FIDO discoverable credentials (resident keys).” See https://cpl.thalesgroup.com/sites/default/files/content/brochures/FIDO2-security-keys-specifications-br.pdf
Support: FIDO, FIDO2, U2F
Software/Manual: https://cpl.thalesgroup.com/sites/default/files/content/brochures/FIDO2-security-keys-specifications-br.pdf [this is a great specification page]
https://cpl.thalesgroup.com/access-management/authenticators/safenet-fido-key-manager
SSH Support: None
Pros: It has a very small form factor. There is no “button;” you touch the metal on the key. I liked this. It's a good price point.
Cons: It lacks a status LED and does not work with Chrome’s built-in security key management. It also lacks NFC and SSH support.
Linux “dmesg”:
[168221.693326] usb 1-4: New USB device found, idVendor=08e6, idProduct=34d1, bcdDevice= 0.08
[168221.693346] usb 1-4: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[168221.693351] usb 1-4: Product: eToken Fido
[168221.693355] usb 1-4: Manufacturer: SafeNet
[168221.693358] usb 1-4: SerialNumber: 02EDDEEDD3F9
[168221.698532] hid-generic 0003:08E6:34D1.0019: hiddev0,hidraw1: USB HID v1.11 Device [SafeNet eToken Fido] on usb-0000:00:14.0-4/input0
Linux “lsusb”:
Bus 001 Device 016: ID 08e6:34d1 Gemalto (was Gemplus) eToken Fido
Experience:
This key has a great, super-small form factor and seems to be built very well.
However, it’s not a great key.
I was pleased that when I set up my first Passkey, the process allowed me to create a PIN directly within the browser. However, when I tried to manage the key’s “sign-in data” in Chrome, I received an error message stating, “This security key can't store any sign-in data.”
This suggests that to remove Passkeys, you need to use Thales software.
The key can only store about 8 Passkeys, which isn’t enough for most users.
This key is manufactured in China or Cambodia.
Google Titan Key
Brand: Google
Link: https://store.google.com/us/product/titan_security_key
Price: $35.00 USB-C, $30.00 for USB-A
Storage: 250 unique Passkeys
Support: FIDO2
Software/Manual: https://support.google.com/titansecuritykey/
SSH Support: Supports only ecdsa-sk.
Pros: NFC. Lots of memory for keys. Very well made from a known brand.
Cons: It does NOT support built-in Chrome security key management tools. The price is at the higher range for a “cheap” key.
Linux “dmesg”:
[ 1033.914450] usb 1-4: New USB device found, idVendor=18d1, idProduct=9470, bcdDevice= 0.01
[ 1033.914472] usb 1-4: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 1033.914479] usb 1-4: Product: Titan Security Key v2
[ 1033.914484] usb 1-4: Manufacturer: Google
[ 1033.914489] usb 1-4: SerialNumber: 2
[ 1033.920835] hid-generic 0003:18D1:9470.0004: hiddev0,hidraw1: USB HID v1.11 Device [Google Titan Security Key v2] on usb-0000:00:14.0-4/input0
Linux “lsusb”:
Bus 001 Device 006: ID 18d1:9470 Google Inc. Titan Security Key v2
Experience:
This key is very nice, but I find it hard to recommend. The reason might surprise you—it certainly surprised me!
I can’t believe I have to write this, but this key does not support the built-in “Manage Security Keys” options in Google Chrome! Yes, you read that correctly—a key manufactured by Google cannot use the Chrome security key management tools.
You might think, “No big deal. I’ll install the software with the key to manage the sign-in data.” However, there is no software available for this purpose! Although the key has plenty of memory to store Passkeys, there is currently no way to remove old Passkeys. The only option that works in Chrome is the “Change the PIN” feature.
The key does support ecdsa-sk for SSH but not ed25519-sk. While testing the key, it dawned on me that it is a couple of years old. Maybe a newer key would have newer firmware, which might support ed25519-sk and Google Chrome’s built-in security key management.
After Googling around, it seemed promising. I found a user who stated that newer Google Titan keys supported ed25519-sk. With this in mind, I purchased a brand new Google Titan key.
The results remain unchanged: there is still no ed25519-sk for SSH support, and the key cannot be managed via Google Chrome. Various Reddit posts say this has been a known issue for over a year.
These issues were quite frustrating for a well-made key with excellent storage capacity!
The Google Titan key is made in China by Feitian.
Yubico - Security Key C NFC
Brand: Yubico
Link: https://www.amazon.com/dp/B0BVNRXFHT
Price: $29.00
Storage: 100 keys
Support: FIDO2, U2F
Software/Manual: https://www.yubico.com/support/download/yubikey-manager/
SSH Support: ed25519-sk and ecdsa-sk
Pros: It's rugged, IP68 water-resistant, and crush-resistant. It's at a good price point. It supports NFC. Yubico makes more expensive keys, but this one does everything I need.
Cons: None
Linux “dmesg”:
[ 520.938599] usb 1-4: new full-speed USB device number 4 using xhci_hcd
[ 521.067638] usb 1-4: New USB device found, idVendor=1050, idProduct=0402, bcdDevice= 5.71
[ 521.067660] usb 1-4: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 521.067667] usb 1-4: Product: YubiKey FIDO
[ 521.067673] usb 1-4: Manufacturer: Yubico
[ 521.131719] hid-generic 0003:1050:0402.0002: hiddev0,hidraw1: USB HID v1.10 Device [Yubico YubiKey FIDO] on usb-0000:00:14.0-4/input0
[ 521.131810] usbcore: registered new interface driver usbhid
[ 521.131814] usbhid: USB HID core driver
Linux “lsusb”:
Bus 001 Device 004: ID 1050:0402 Yubico.com Yubikey 4/5 U2F
Experience:
YubiKeys are among the most recognized hardware security keys in the industry.
These keys are a solid choice. However, it's important to note that they offer various options at varying prices. I outlined my specific goals at the beginning of this article: Support for Passkeys is essential, while SSH support is a bonus. Additionally, it's great that these keys support NFC, which has performed well in my testing.
While it doesn't hold the highest number of keys, 100 slots are sufficient for most users.
The advantage of this key is that it meets all my requirements. Specifically, I am referring to the “Yubico Security Key C NFC,” priced at $29.00. While Yubico, the manufacturer of YubiKeys, offers other models with additional features starting at around $50.00, those extra features are unnecessary for my needs.
YubiKeys have an excellent reputation and are widely considered the industry standard for security keys. These devices are durable; several have survived multiple trips through the washer and dryer. They are IP68 water-resistant and crush-resistant, making them quite rugged.
The keys can be easily managed through the Chrome browser's built-in security settings. You do not need to install Yubico software unless you want to explore its features.
These keys are manufactured in Sweden and the USA.
Cryptnox FIDO2 Smart Card
Brand: Cryptnox
Link: https://www.amazon.com/Cryptnox-Security-Physical-Second-Factor/dp/B0B384JCP8
Price: $31.74
Storage: 4k, but it doesn’t explain how memory is allocated.
Support: FIDO2 (Passkeys), U2F
Software/Manual: https://cryptnox.com/directory/content/uploads/2024/10/Cryptnox-Fido2-Manual-and-Specifications-full.pdf
SSH Support: None
Pros: It's nice to have a key that can go in my wallet. NFC worked well.
Cons: It claims to be “Linux” compatible, but it isn’t. There is no SSH support.
Linux “dmesg”:
[ 2076.447982] Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
[ 2563.074602] usb 1-4: new full-speed USB device number 8 using xhci_hcd
[ 2563.214111] usb 1-4: New USB device found, idVendor=058f, idProduct=9540, bcdDevice= 1.20
[ 2563.214133] usb 1-4: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 2563.214140] usb 1-4: Product: EMV Smartcard Reader
[ 2563.214145] usb 1-4: Manufacturer: Generic
Linux “lsusb”:
Bus 001 Device 008: ID 058f:9540 Alcor Micro Corp. AU9540 Smartcard Reader
Experience:
This isn’t a “key,” but I wanted to try it out. There’s an entire market for these types of cards. Perhaps one day, I’ll do a “shootout” of those.
My primary motivation for testing this card was to determine if something that fits in your wallet could replace a hardware security key (i.e., one that you would typically carry on a key ring).
Some jobs prohibit employees from bringing cell phones or USB devices. In these cases, a credit card-sized key that fits in a wallet may be utilized.
I must admit, there is something nice about having your Passkeys securely stored in your wallet and not dangling off a key ring.
There are some issues with going this route.
While NFC works well, if your laptop doesn't support NFC, you'll need to carry a reader for the card. Although the reader isn't bulky, it's an additional item to have and may eventually be lost.
The card and reader do not work with the built-in key management tools in the Chrome browser. You must use the Windows 11 key management software to set the initial PIN. Despite compatibility claims with both systems, it cannot be set up on macOS or Linux.
After the PIN is set up, you might be able to use it with Linux/macOS, but I never got it to work correctly. Since there is no “setup software,” there’s no way to “manage” the keys stored on the device. The documentation states that the card has 4k storage but doesn’t indicate how much is reserved for Passkeys. I managed to store a few without issue, but I suspect you won’t be able to store many more.
Final Thoughts:
As suspected, the Yubikey Security Key C NFC ($29.00) is likely the best option for storing Passkeys and SSH keys, which isn’t surprising. A few budget-friendly hardware keys may not be as impressive as the Yubikey tested here, but they come close.
The Trustkey T120 ($20.00) is a solid choice for organizations operating on a limited budget. The Thetis Pro FIDO2 Security Key ($32.95) is also an attractive option for technically inclined people.
For personal use, pairing a Yubikey Security Key C NFC ($29.00) with the Trustkey backup ($20.00) seems like a good combination.
Thank you for reading this article. I hope you enjoyed it. It took a lot of effort, but it was fun to research and write. If your organization is looking for a path to becoming 100% “passwordless,” please check out Key9 Identity ( https://k9.io ).
Well written and researched. Thanks, Champ!