User Access (Medium priority)

Add a hardware security key to your most important accounts

A hardware security key (such as a YubiKey) is the most secure form of two-step verification available. Adding one to your email account and other critical accounts eliminates the risk of phishing-based account takeover entirely.

Why this matters

A hardware security key is the most phishing-resistant form of two-step verification available. Unlike SMS codes or authenticator apps, a hardware key cannot be intercepted — it verifies the exact website domain it is being used on, so it will refuse to authenticate on a fake login page even if you click a convincing phishing link.
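The domain binding described above is what WebAuthn calls RP ID and origin checking. The model below is an added example, not the page's own code and not a real authenticator: an HMAC secret stands in for the key's per-site private key, and the relying party accounts.example and the look-alike accounts-example.test are constructed names.

```python
import hashlib
import hmac
import json
import os

RP_ID = "accounts.example"            # constructed relying party ID (the genuine site's domain)
EXPECTED_ORIGIN = "https://" + RP_ID  # the only origin the site accepts assertions from
# HMAC secret per RP ID stands in for the key's per-site private key (real keys use asymmetric pairs).
CREDENTIALS = {RP_ID: os.urandom(32)}

def client_data(origin, challenge):
    """clientDataJSON: ceremony type, the origin the browser is really on, the server's challenge."""
    return json.dumps({"type": "webauthn.get", "origin": origin, "challenge": challenge.hex()}).encode()

def authenticator_sign(rp_id, client_data_json):
    """The key refuses if it holds no credential for this RP ID; otherwise it signs
    authenticatorData (which begins with rpIdHash) || SHA-256(clientDataJSON)."""
    secret = CREDENTIALS.get(rp_id)
    if secret is None:
        return None
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + bytes(4)  # rpIdHash|flags|counter
    signed = auth_data + hashlib.sha256(client_data_json).digest()
    return {"authenticatorData": auth_data, "clientDataJSON": client_data_json,
            "signature": hmac.new(secret, signed, "sha256").digest()}

def browser_login(origin, challenge):
    """The browser derives the RP ID from the origin it is actually on; page content cannot override it."""
    return authenticator_sign(origin.removeprefix("https://"), client_data(origin, challenge))

def rp_verify(assertion, challenge):
    """The genuine site's checks: ceremony type, fresh challenge, origin, RP ID, then signature."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge.hex():
        return False  # wrong ceremony, or an old assertion replayed
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False  # signed while the browser was on a different site
    if assertion["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False  # credential scoped to another relying party
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(CREDENTIALS[RP_ID], signed, "sha256").digest()
    return hmac.compare_digest(expected, assertion["signature"])

def demo():
    """Returns (genuine login accepted, look-alike site refused by the key, spoofed origin rejected)."""
    challenge = os.urandom(16)
    genuine = rp_verify(browser_login(EXPECTED_ORIGIN, challenge), challenge)
    phished = browser_login("https://accounts-example.test", challenge)  # None: no credential
    tampered = authenticator_sign(RP_ID, client_data("https://accounts-example.test", challenge))
    return genuine, phished is None, rp_verify(tampered, challenge)
```

The second case is why a convincing phishing page gets nothing usable: the browser names the look-alike domain as RP ID and the key has no credential for it, so no signature is produced; the third case shows the site's own origin check as the second layer.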

How to do it

  1. Purchase a hardware security key such as a YubiKey 5 NFC (£50–60) — it works with USB-A and NFC for phones. Titan Security Keys from Google are also an option.
  2. Register the key with your email account first — in Gmail, go to Security → 2-step verification → Add security key and follow the on-screen instructions.
  3. Register the same key with any other critical accounts that support hardware keys: Microsoft, GitHub, Dropbox, and most banking apps.
  4. Purchase a second key and register it as a backup on the same accounts — store the backup key somewhere physically separate from the primary.
  5. Keep your authenticator app or backup codes active until the hardware key is set up and confirmed working — do not remove other 2FA methods until you have successfully authenticated with the key.

Cyber Essentials framework

This task falls under the User Access control — one of five areas assessed in the UK's Cyber Essentials scheme. Completing it counts toward your Cyber Essentials alignment.
