Why your password manager isn't enough, and how a hardware key changes everything

A personal deep-dive into modern authentication, hardware security keys, and why I ended up ordering two YubiKeys from Sweden at 11pm on a Tuesday.
Let's start with an uncomfortable truth
You have a password manager. You feel safe. You sleep well at night.
I hate to break it to you, but that password manager, as brilliant as it is, is still standing on a foundation with some cracks in it. Not because the software is bad. But because the weakest link in your security chain isn't the software. It's the login itself.
Let me explain.
The problem with passwords, even strong ones
Most people understand by now that "fluffy1983" is not a great password. What fewer people realize is that even a randomly generated 24-character monstrosity like kX7!mP2$qLvN9#wR4@dTjY6& has some fundamental problems that have nothing to do with its strength.
Passwords can be phished
A phishing attack doesn't crack your password. It tricks you into handing it over. You get an email that looks exactly like it's from your bank, click a link that looks exactly like your bank's website, type in your credentials, and someone in a data center somewhere now has everything they need. Your 24-character password didn't help at all. You gave it away voluntarily.
Passwords can be intercepted
Even with HTTPS, there are attack vectors. Man-in-the-middle attacks, compromised browser extensions, keyloggers: your password travels from your brain to a server, and at every step of that journey there are people who would love to intercept it.
Passwords can be leaked
Here's a fun exercise: go to haveibeenpwned.com and type in your email address. If you've been on the internet for more than ten years and you're not listed in at least one data breach, I'd like to know your secrets. Services. get. hacked. Period. Databases get dumped. Your password ends up on a forum somewhere, often in plain text because the service was storing it incorrectly in the first place.
So you got a password manager. Smart.
A password manager solves a lot of these problems. Unique, strong passwords for every account. Autofill that doesn't fall for phishing sites because it checks the actual domain. Encrypted vault. It's genuinely one of the best things you can do for your security.
But here's the thing: to unlock that vault, you still need a master password. And that master password is, well, a password. Which means everything I just said above still applies to that one critical login.
One password to rule them all. One password to find them. One password to bring them all, and in the darkness breach them.
Enter two-factor authentication, and why SMS doesn't count
Two-factor authentication (2FA) adds a second layer to your login. Something you know (your password) plus something you have (a code, a device, a token). The idea is that even if someone steals your password, they still can't get in without that second factor.
Most people use SMS-based 2FA. A text message with a six-digit code. It feels secure. It is, in fact, not particularly secure.
SIM swapping is a real and terrifying attack where someone calls your mobile provider, pretends to be you, and convinces them to transfer your phone number to a new SIM card. Suddenly all your SMS codes go to an attacker, not to you. This has happened to cryptocurrency holders, journalists, executives, and regular people. It costs the attacker maybe €20 and a phone call. And from personal experience in this industry: getting an (e)SIM on someone else's number is disturbingly easy to pull off. The only real defence is a well-trained employee on the other end of the line, and as the Odido breach painfully demonstrated, that's not something you can always count on.
Authenticator apps are better. TOTP codes (those six-digit rolling numbers from apps like Google Authenticator or Authy) are not interceptable via SIM swap. And yes, your password manager would refuse to autofill on a fake site, because it checks the actual domain. A small warning sign, if you're paying attention.
But here's the scenario that actually plays out in real life. You're in a hurry. You need to log in quickly. Your password manager hesitates and doesn't autofill. You glance at the URL; it looks fine, close enough. You're annoyed. You type your credentials manually and punch in your TOTP code. Done.
What you don't know is that you just handed everything to an attacker in real time. The fake page isn't a dead end; it's a live proxy. The moment you hit submit, an automated script relays your username, password, and TOTP code to the real site instantly. No human is needed on the other end. The 30-second window is more than enough because the relay happens in milliseconds. The attacker's session opens on the real site before your TOTP code has even expired. You see a successful login screen, assume everything is fine, and move on with your day.
You're f.cked
This is called a real-time phishing proxy attack. There are ready-made toolkits that automate the entire thing. The attacker doesn't need to be fast, clever, or even awake. They just need you to land on their page once, in a hurry, overriding the one thing that was trying to protect you.
What you actually want is something that's cryptographically bound to the legitimate site. Something that physically cannot be phished because it verifies the site's identity, not just the other way around.
That something is a hardware security key.
Hardware security keys: What they are and how they work
A hardware security key is a small physical device, about the size of a USB stick, that stores cryptographic keys in a tamper-resistant chip called a secure element. When you authenticate, the key performs a cryptographic operation and proves its identity. No code is ever transmitted. No secret ever leaves the device.
The magic here is FIDO2/WebAuthn, the modern standard for hardware-based authentication. When you register a key with a service, the service stores your public key. When you log in, your hardware key signs a challenge using its private key. The private key never leaves the hardware. Ever.
This makes phishing attacks fundamentally impossible. Here's why. With a password, you're sharing a secret. You know it, the server knows it, and anyone who intercepts it or tricks you into typing it somewhere else now knows it too. The secret can travel. That's the problem.
With a hardware key and FIDO2, there is no shared secret. Instead, your key and the server do a cryptographic handshake: a mathematical challenge and response that is unique to that exact website, at that exact moment. The key will only complete that handshake for the legitimate domain it was registered with. Not a lookalike. Not a typosquat. Not a pixel-perfect copy hosted on evil-bank.com. The exact domain.
Think of it like a lock and key, but smarter. Imagine you have a house key that was cut specifically for your front door. A criminal builds a fake replica of your front door, puts it in their warehouse, and asks you to try your key. Your key won't turn. Not because you're suspicious, but because the lock is physically different, and your key knows it. That's what happens with FIDO2. The fake website can't pretend to be the real one at a cryptographic level, even if it looks identical. There are no credentials to hand over, no code to relay, no window of opportunity. The attack simply has nothing to grab.
To put it in terms a six-year-old would understand: imagine you and your best friend have a secret handshake that nobody else knows. To come to your birthday party, a guest needs three things: to know your name, to know the address, and to do the secret handshake at the door. Someone pretending to be your friend can find out your name and your address; that's the easy part. But without the secret handshake, the door stays closed. And here's the crucial bit: the handshake only works at your actual front door. If someone builds a fake copy of your house around the corner and tries to lure guests there, the handshake won't work, because it was never made for that door.
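To make the origin binding in that handshake concrete, here is an added example in Go; it is not code from this post or from Yubico, and the bank.example and evil-bank.example names, the constructed challenge strings and the simplified exact-origin rule are assumptions. It simulates the key, the browser and the site: the key signs the site's challenge together with the origin the browser observed, so the real-time proxy from the 2FA section never gets a signature at all, and a signature captured earlier fails the challenge check. The same check protects a passkey stored in software; only the place the private key lives differs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

// Authenticator stands in for the key's secure element: one credential, scoped to the
// RP ID (the site's domain) it was created for. The private key never leaves it.
type Authenticator struct {
	rpID string
	priv *ecdsa.PrivateKey
}

// Register creates a credential for rpID and returns the public key the site stores.
func Register(rpID string) (*Authenticator, *ecdsa.PublicKey) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authenticator{rpID: rpID, priv: priv}, &priv.PublicKey
}

// signingDigest is what the key signs: sha256(authData || sha256(clientDataJSON)).
func signingDigest(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// Assert is the login half of the handshake for the page at origin. The browser, not the
// website, writes the origin into clientDataJSON and refuses (ok=false) to use a credential
// whose RP ID does not match it (simplified to an exact match; browsers also accept subdomains).
// authData = sha256(rpID) || flags, where flag bit 0 records the physical touch.
func (a *Authenticator) Assert(origin, challenge string) (cdJSON, authData, sig []byte, ok bool) {
	if origin != "https://"+a.rpID {
		return nil, nil, nil, false
	}
	cdJSON, _ = json.Marshal(map[string]string{"type": "webauthn.get", "challenge": challenge, "origin": origin})
	rpHash := sha256.Sum256([]byte(a.rpID))
	authData = append(rpHash[:], 0x01)
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signingDigest(authData, cdJSON))
	if err != nil {
		panic(err)
	}
	return cdJSON, authData, sig, true
}

// Verify is the relying party's check: its own origin and RP ID, the challenge it issued,
// user presence, and a valid signature from the public key stored at registration.
func Verify(pub *ecdsa.PublicKey, rpID, origin, challenge string, cdJSON, authData, sig []byte) bool {
	var cd map[string]string
	if json.Unmarshal(cdJSON, &cd) != nil || cd["type"] != "webauthn.get" ||
		cd["challenge"] != challenge || cd["origin"] != origin {
		return false
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(authData) != 33 || string(authData[:32]) != string(rpHash[:]) || authData[32]&1 == 0 {
		return false
	}
	return ecdsa.VerifyASN1(pub, signingDigest(authData, cdJSON), sig)
}

// Challenges below are constructed constants; a real site draws a fresh random one per login.
// LegitimateLogin: the user signs in on the real site and everything lines up (true).
func LegitimateLogin() bool {
	key, pub := Register("bank.example")
	const ch = "challenge-0001"
	cd, ad, sig, ok := key.Assert("https://bank.example", ch)
	return ok && Verify(pub, "bank.example", "https://bank.example", ch, cd, ad, sig)
}

// PhishingProxyLogin: a live proxy at evil-bank.example relays the real site's challenge, but
// the browser sees the lookalike origin, so the key never signs and nothing can be relayed (false).
func PhishingProxyLogin() bool {
	key, _ := Register("bank.example")
	_, _, _, ok := key.Assert("https://evil-bank.example", "challenge-0002")
	return ok
}

// ReplayedAssertion: an assertion captured earlier and presented against a later challenge is
// rejected, because the challenge is inside the signed clientDataJSON (false).
func ReplayedAssertion() bool {
	key, pub := Register("bank.example")
	cd, ad, sig, _ := key.Assert("https://bank.example", "challenge-0003")
	return Verify(pub, "bank.example", "https://bank.example", "challenge-0004", cd, ad, sig)
}
```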
Passkeys: The modern evolution
You've probably started hearing about passkeys. They're showing up everywhere: Apple, Google, Microsoft, your bank. But the messaging around them is confusing, because they sound like just another form of "logging in without a password." So let me explain what's actually happening.
A passkey is built on the exact same cryptographic foundation as your hardware key. The same FIDO2 standard. The same secret handshake principle. The difference is where the private key lives: with a hardware key it lives on the physical device; with a passkey it lives in a secure vault such as your phone's secure chip, iCloud Keychain, or a password manager like Bitwarden.
So why is that different from a username and password?
A password is a secret you know and type. Which means you can forget it, someone can trick you into typing it on the wrong site, or a server can store it badly and leak it in a breach. A passkey is a secret you never see and never type. When you log in, your device performs the same cryptographic handshake we described earlier, unique to that exact site, at that exact moment. You don't type anything. You just approve it with Face ID, a fingerprint, or a tap. There's nothing to phish, nothing to leak, nothing to forget.
Going back to our birthday party analogy: with a password, you're telling the doorman a secret code word that you memorised. With a passkey, you don't say anything at all; your hand automatically does the secret handshake the moment you arrive, without you even thinking about it. And it only works at the real front door. The catch is that passkeys stored in software, on your phone or in Bitwarden, are only as secure as the device or vault protecting them. That's why a hardware key like a YubiKey represents the gold standard: the private key is locked inside a tamper-resistant chip that cannot be exported, copied, or extracted. Not by hackers, not by malware, not even by Yubico themselves. Passkeys are a massive step forward from passwords. A hardware key is simply the most secure place to keep one.
The case for YubiKey specifically
At this point you might be thinking: okay, I'm sold on the concept. But there are plenty of hardware keys on the market. Why YubiKey?
Fair question. Let me give you the honest answer.
I spent a good amount of time researching alternatives. Google Titan keys, Feitian, Token2, Thetis, Hideez. All of them work. All of them implement FIDO2. So what makes YubiKey stand out?
Yubico's core business is security.
That sounds obvious, but it's actually a profound distinction. Google makes hardware keys. But Google's core business is advertising. Their revenue comes from knowing as much about you as possible. A hardware key that enhances your privacy is, at a fundamental level, in tension with their primary incentive structure. That doesn't mean the Titan key is compromised. But it means that if Google ever has to choose between your security and their business model, you already know which way that decision goes.
Yubico's entire company exists to solve one problem: secure authentication. Their reputation, their revenue, their survival as a business: all of it depends on their keys being trustworthy. If a YubiKey is ever found to have a backdoor or a critical vulnerability that wasn't disclosed, Yubico ceases to exist. That alignment of incentives matters enormously.
They have a proven track record.
YubiKeys are deployed by nine of the top ten internet companies in the world. They're used by governments, militaries, banks, and security researchers. They've been on the market for over fifteen years. The cryptographic implementations have been audited, tested, and battle-hardened in real-world conditions.
Compare that to some of the newer, cheaper alternatives that appeared on Amazon, AliExpress or Temu two years ago with no track record, no audit history, and firmware you can't inspect.
The keys are manufactured and shipped from Sweden (or the UK for EU orders).
Not in a country with complicated political relationships with data privacy. Yubico is a Swedish company that manufactures in Sweden and the USA. For EU customers, orders ship from their European warehouse in Sweden or the UK, under EU jurisdiction, subject to GDPR, from a facility Yubico controls directly. This matters less for the cryptographic security (a hardware key's security is mathematical, not geographic) but it matters for supply chain trust.
They're durable.
IP68 rated. Crush resistant. No battery. No moving parts. The mean time between failure is rated at over 100 years. You can throw it in your bag, run it through the washing machine (accidentally, not intentionally, I hope), drop it on concrete. It will survive. I have a four-year-old daughter. I'm not saying I'm going to give it to her to play with, but I am saying that if she gets her hands on it, I'm more worried about what she'll do to the furniture than what she'll do to the key.
The 100 passkey slot "problem", and why it's not actually a problem
Here's something that stopped me in my tracks when I first started researching this: hardware keys have a limited number of passkey storage slots. On the YubiKey Security Key series and the YubiKey 5 series, that number is 100.
A hundred sounds like a lot until you start counting your accounts. Email, bank, work systems, social media, streaming services, developer tools, cloud platforms... you can hit a hundred accounts faster than you think.
But here's where the architecture gets elegant.
You don't need to store all your passkeys on the hardware key. You only need to store the most critical ones there, or better yet, just one: your password manager.
The two-tier strategy
Here's how I'm planning to set it up, and why it makes the 100-slot limitation irrelevant:
Tier 1 — Hardware key protects Bitwarden. My YubiKey is registered as the 2FA for my Bitwarden vault. To open Bitwarden, I need my email address, my master password, and my physical YubiKey. Three factors. Without all three, nobody gets in. Not me, not you, not a sophisticated nation-state actor with a lot of time on their hands.
Tier 2 — Bitwarden stores unlimited passkeys. Bitwarden supports passkey storage in its encrypted vault. Unlimited. Every account that supports passkeys gets one, stored safely in Bitwarden, encrypted with my master password, protected by my hardware key. The passkeys live in software, but they're locked behind hardware.
The result: I have effectively unlimited passkey coverage for all my accounts, with hardware-level protection at the critical chokepoint: the vault itself.
The hardware key's 100 slots are more than enough for the handful of accounts that genuinely need direct hardware-key-level protection: Bitwarden itself, Apple ID, Microsoft account, and maybe two or three others.
Three factors: Why this setup is genuinely strong
Let's count what an attacker needs to access my accounts:
- My email address — publicly findable, so this is not really a secret
- My master password — something I know, never written down digitally
- My physical YubiKey — something I have, sitting in my pocket
To break into my Bitwarden vault, an attacker needs to be physically near me, steal my YubiKey, and somehow also know my master password. That's not a remote attack anymore. That's a targeted physical attack, which is an entirely different threat model, and frankly, if someone is willing to mug you for a €35 USB stick, you have bigger problems than your password manager.
The critical point here is that all three factors must be present simultaneously. Your password alone does nothing. Your YubiKey alone does nothing. Even both together do nothing without the correct email address. This is genuine multi-factor security, not the theatrical version.
The PIN: Why you want one even though you don't strictly need one
Here's a nuance that a lot of guides skip over: your YubiKey should have a PIN set on it.
To be clear: without a PIN, a stolen key does not grant full access. An attacker would still need your username and master password; the key alone is useless without those credentials. So you're not suddenly exposed if someone finds your key on the street.
But here's why you still want a PIN anyway.
Without a PIN, your YubiKey is something you have. With your username and password, an attacker who also has your physical key now has everything needed to log in. That's two factors, but both can theoretically be obtained without being physically near you (credentials via phishing or breach, key via theft or loss).
With a PIN, your YubiKey becomes something you have plus something you know. Even if someone has your key, your credentials, and is sitting at your laptop, they still can't complete authentication without the PIN. It genuinely adds a third layer.
Setting a PIN is done through the YubiKey Manager (free download from yubico.com). Go to Applications → FIDO2 → Set PIN. You set it once, it's stored in the secure element, and the key requires it before performing any authentication operation.
Critical warning: after eight incorrect PIN attempts, the key permanently locks itself. There is no "forgot my PIN" option. No support ticket that can help you. The only way forward is a full factory reset of the key, which deletes EVERY. CREDENTIAL. STORED. ON. IT. PERIOD. Every passkey, every registration, gone. You'd have to re-register the key with every account from scratch.
This is not a flaw. It's the security model working as designed. But it means two things practically: first, don't forget your PIN. Second, don't let anyone sit there guessing at it. If you ever suspect someone has had unsupervised access to your key, treat it as compromised and reset it yourself before they can lock you out.
My recommendation: use a PIN of at least 8 digits, not a birthdate or phone number, and not the same PIN you use for your bank card. Write it down once on paper, seal it in an envelope, and store it with your backup key in a physically secure location. Bonus points if you seal it with red candle wax and your grandfather's old signet ring.
Speaking of backup keys...
Always buy two. Always.
This is non-negotiable. If you buy one hardware key and lose it, you are locked out of every account it protects. Some services offer recovery codes. Some don't. Some recovery processes take weeks (I'm looking at you Microsoft). Some require proof of identity that you may struggle to provide.
Buy two keys. Register both of them with every service. Keep one on your keychain and one somewhere safe: a home safe, a locked drawer, a trusted location. If you lose Key A, you use Key B to regain access and order a replacement.
The cost: roughly €70 for two Security Key C NFC units. That's less than a dinner out, and it protects everything.
What I actually bought and why
After going through this entire thought process, which, I'll be honest, involved a lot of reading, a lot of questions, a few rabbit holes, and at least one moment where I convinced myself I needed a biometric key before talking myself back out of it, I ended up ordering:
Two YubiKey Security Key C NFC units, directly from Yubico's website.
Here's my reasoning:
- Security Key, not the 5 Series: The 5 Series has additional protocols: PIV, OpenPGP, OATH-TOTP, OTP. These are genuinely useful for certain use cases, but not mine. I'm using these keys for passkeys and FIDO2 authentication. Why pay €70 per key for features I'll never touch when the Security Key at €35 does exactly what I need?
- C NFC: USB-C for MacBook and Windows workstation, NFC for iPhone. No adapters needed, no dongles, no compromises.
- Two of them: As above. One for daily use, one in the safe. Both registered everywhere.
- Directly from Yubico: Because if you've just read 2,000 words about supply chain trust and the importance of buying from companies whose core business is security, ordering your hardware security key from a random reseller would be a bit ironic, wouldn't it?
SSH authentication to my Alpine Linux VPS is also on the roadmap. OpenSSH has natively supported FIDO2 since version 8.2 (Alpine runs 9.7+), which means the key can generate a hardware-bound SSH key pair where the private key never leaves the device. Connecting to a server then requires both the key and a physical touch, so remote exploitation of SSH credentials becomes essentially impossible. That's next on my list.
How to set this up: A practical walkthrough
Step 1: Set a PIN on both keys
Before registering your keys anywhere, set a PIN using YubiKey Manager (free download from yubico.com). Go to Applications → FIDO2 → Set PIN. Do this for both keys. Choose something memorable but not obvious. Store it safely.
Step 2: Register both keys with Bitwarden (or your other password manager)
Log into vault.bitwarden.com. Go to Settings → Security → Two-step login. Select FIDO2 WebAuthn and add your first key (name it something like "YubiKey A – daily"). Then immediately add the second key ("YubiKey B – backup").
Bitwarden will generate a recovery code. Print it. Do not store it digitally. Put it in your safe with Key B. This is your absolute last resort if both keys are lost.
Step 3: Disable other 2FA methods
If you had an authenticator app set up for Bitwarden, disable it. Your hardware key should be the only 2FA method. Other methods are back doors, and back doors defeat the purpose.
Step 4: Test everything before putting Key B away
Log out of Bitwarden completely. Log back in. Does it ask for your key? Does Key A work? Does Key B work? Good. Now you know both are properly registered.
Test on your phone too. NFC authentication on iPhone works by holding the key to the top of the phone when prompted.
Step 5: Register both keys with critical accounts
Work through your most sensitive accounts one by one: Apple ID, Microsoft account, GitHub, any financial accounts that support hardware keys. For each one: add Key A first, then Key B. Always both.
Step 6: Key B goes in the safe
Once everything is registered and tested, Key B, along with your Bitwarden recovery code and a note of your FIDO2 PIN, goes somewhere physically secure. You hope you never need it. You will be extremely glad it exists if you do.
Step 7: Enable vault unlock shortcuts, without compromising security
This step confuses a lot of people, so let me explain it clearly.
When you set up Bitwarden with your hardware key, the full authentication flow is: email address + master password + physical YubiKey. That happens when you start a completely new session, after a restart, after a timeout, after logging out.
But Bitwarden distinguishes between two states: locked and logged out. When your vault is locked (not logged out), Bitwarden can use a biometric shortcut (Face ID on iPhone, fingerprint on Mac) to unlock it. This does not bypass your hardware key. It bypasses the re-entry of your master password for a vault that has already been authenticated in the current session.
Think of it like your laptop screen lock. You still logged in properly with your password at boot. The fingerprint reader just lets you get back in quickly after it sleeps. You haven't lowered your security, you've just made the day-to-day experience manageable.
In practice: when your keys arrive and you set everything up, you'll authenticate fully with your YubiKey once. Then Bitwarden stays in a "locked" state on your devices. From that point on, Face ID or fingerprint is enough to unlock it for normal use. You'll only need the physical key again when you explicitly log out, reinstall the app, or after a configurable timeout (which you set yourself; I recommend "lock on system sleep" as a reasonable default).
This is the right balance between security and usability. If you had to physically tap your YubiKey every single time you needed a password from Bitwarden, you'd give up within a week and go back to "fluffy1983". The biometric layer keeps the friction low while the hardware key remains the cryptographic foundation.
Why you should actually do this
I want to be honest with you about something.
Setting all of this up takes about two hours. Maybe three if you take it slowly and do it properly. It involves a small amount of money: let's say €100 including two keys and a nice coffee while you do it.
In return, you get:
- A password manager that cannot be accessed without a physical device you own
- Passkeys for every account that supports them, managed centrally
- A roadmap toward SSH authentication that cannot be remotely compromised
- Protection against phishing at a cryptographic level, not just a behavioral one
- The ability to sleep well at night without wondering if your data is being auctioned on the dark web
That last point hit closer to home than I expected. In February 2026, Dutch telecom provider Odido was hacked by the ShinyHunters group, the same group behind breaches at Ticketmaster and others. Personal data of up to 8 million customers was stolen: names, addresses, phone numbers, IBANs, passport numbers, and more. Odido refused to pay the ransom. The hackers responded by publishing the data in daily batches, publicly and freely accessible.
Millions of people woke up to a Have I Been Pwned notification they didn't ask for. Former customers too, people who had cancelled years earlier and assumed their data was gone. It wasn't.
Here's the thing: a YubiKey wouldn't have prevented that breach. The attack was on Odido's servers, not on individual accounts. No personal security measure protects you from a company storing your data insecurely.
But what it does protect you from is the follow-up. When your name, address, phone number and IBAN are on the dark web, attackers use that information to craft highly convincing phishing attacks, attempt SIM swaps, and try to access your email and financial accounts. If your Bitwarden is locked behind a hardware key, those follow-up attacks fail. The leaked data doesn't give them a way in.
That's the threat model that actually affects ordinary people. Not nation-states. Not sophisticated zero-days. Just someone with your Odido data, a spoofed email, and two hours to try their luck.
A €35 USB stick is cheap insurance against that.
The question isn't really whether the setup is worth it. The question is what you think your accounts are worth.
Where to buy
The principled option (recommended)
Buy directly from Yubico's official website. You know exactly where the key was manufactured, under what conditions, and you're supporting a company whose entire existence depends on getting this right.
My recommendation: two Security Key C NFC units if you use USB-C devices and want NFC for your phone. €35 each, €70 total, free shipping on orders over €100 (so ordering two gets you close, add a lanyard).
The convenient option
If you prefer Amazon and are comfortable with the supply chain trade-off, I do have an affiliate link. The keys are the same product, same firmware, same cryptographic guarantees, the difference is the chain of custody between Yubico's factory and your door.
Full transparency: I earn a small commission if you buy through that link. It doesn't change your price. It does mean I can keep writing articles like this one instead of doing something more financially sensible with my time.
If you'd rather not use Amazon
That's a completely legitimate security posture, and honestly the one I'd recommend. Buy directly from Yubico. If this article was useful to you and you'd like to support the writing anyway, you can buy me a coffee:
Final thoughts
Security is often presented as a binary; you're either secure or you're not. The reality is more of a spectrum, and every decision you make moves you up or down that spectrum.
Using a password manager moves you significantly up. Using unique passwords everywhere moves you up further. Using hardware-based 2FA moves you to a level that the vast majority of attacks, including sophisticated, targeted ones, simply cannot reach.
The YubiKey isn't magic. It doesn't protect you from everything. If someone installs malware on your computer that waits for you to unlock Bitwarden and then exfiltrates everything, your hardware key doesn't help with that. Security has layers, and no single layer is complete.
But for the specific threat of remote account takeover, which is the threat that affects millions of people every year, draining bank accounts, compromising identities, destroying businesses, a hardware security key combined with a properly configured password manager is about as good as consumer-grade security gets right now.
So yes. Buy two keys. Set up the PIN. Register them properly. Put one in the safe.
Then go do something more interesting with your time, secure in the knowledge that your accounts are protected by hardware that would take a nation-state's resources to compromise.
Your digital life is worth it.
Found this useful? Share it with someone who's still using SMS-based 2FA. They need it more than you do.