Ask Ada: What’s a Physical Security Token? Do I Need One?

By now you should be well acquainted with 2-step login (aka multi-factor authentication). It's mandatory on Tryst and I've made a few posts here and here on this very blog about how awesome and good it is. Most people use 2-step login via one of the various authenticator apps on their smartphone, but did you know there's an even more robust way to provide that second factor? They're called physical security tokens, and with a little extra effort you can lock your internet accounts down so tight that only the most dedicated of hackers could find their way in.

What's a Physical Security Token?

You know those authenticator apps with the numbers that change every 30 seconds or so? A physical security token is another kind of second factor used alongside your password, but instead of a number you type into the website or app, it's a little electronic gadget you hold, touch, and connect to your phone or computer.

The numbers in authenticator apps can be stolen from you if malware gets onto your device. They can also be "phished" if a jerk calls you up pretending to be someone else and bluffs you into reading the code out. A physical security token has no code to read out. When you tap or plug it in, the token signs a one-off challenge from the website, the browser stamps that challenge with the address of the site that is actually asking, and the secret that produces the signature never leaves the token. A lookalike site relaying the challenge gets a signature the real site rejects, a caller has nothing to talk you out of, and without the token present the site simply won't let you in.

Someone has to physically steal the token from you for it to be any use, and that's a big ask for most hackers. It's too much effort to steal a token for a single online account when guessing passwords or phishing for authentication codes can be done by bots at a much larger scale, from a totally different country, behind a computer screen.

How Do I Use a Physical Security Token?

The first step is to buy some. Yep, you gotta spend money and you need to buy multiple.

Yubico is the best-known manufacturer of physical security tokens and has a broad range of models depending on the device you want to use them with. For most people the YubiKey 5C NFC or YubiKey 5 NFC will be the best bet: they plug into a USB-C or USB-A port respectively, or tap on a device via NFC, which covers the vast majority of computers, tablets and smartphones. They cost approximately US$50-US$55 each, and you want at least two so that if you lose or damage one you've got a backup (more on that later). A single token can be registered with hundreds of accounts; you don't need one per service.

Not every online service that supports 2-step login supports physical security tokens, but most of the big ones with the juiciest data and the most damaging fallout if compromised, like Google and Facebook, do, and encourage their use.

Once you've bought your tokens, you need to register them with each account. Every service does it slightly differently, but the process generally looks like this:

  • Log in to the account and go to your account settings.
  • Look for a "multi-factor" or "additional security" option.
  • Select "add security key" or "add physical token".
  • Tap the token on your device (NFC) or plug it in (USB), then touch the token's button or gold contact when prompted.
  • Wait for the service to confirm the key has been registered.
  • Repeat with your second (and third) backup token.
  • Store the backup tokens somewhere safe.

After setup, each time you log in with your username and password you'll also be prompted to plug in the token or tap it on the back of your device. No token, no entry.
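To show why a relayed challenge from a lookalike site gets nowhere, and what the "add security key" registration step actually stores, here is a small simulation I've added for this post. It is not code from Yubico or from any of the services mentioned; it is a stripped-down model of the challenge-response that security keys use. The site names (example.com and the lookalike examp1e.com), the relying-party and token types, and the exact hashing layout are my own simplifications, not the real wire format.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Token stands in for the key: one private key per website, never exported.
type Token struct{ keys map[string]*ecdsa.PrivateKey }

func NewToken() *Token { return &Token{keys: map[string]*ecdsa.PrivateKey{}} }

// Register is the "add security key" step: mint a key pair for this site (rpID)
// and hand back only the public half for the site to store.
func (t *Token) Register(rpID string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	t.keys[rpID] = priv
	return &priv.PublicKey
}

// ClientData is filled in by the browser, not the website: the site's challenge
// plus the origin of the page really asking (simplified WebAuthn clientDataJSON).
type ClientData struct {
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"`
}

// signedBytes is what the token signs here: SHA256(SHA256(rpID) || SHA256(clientData)).
func signedBytes(rpID string, cd ClientData) []byte {
	cdJSON, _ := json.Marshal(cd)
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(cdJSON)
	sum := sha256.Sum256(append(rpHash[:], cdHash[:]...))
	return sum[:]
}

// Assert is the login tap. The browser derives rpID from the page's domain, so a
// lookalike domain finds no key on the token and the token refuses outright.
func (t *Token) Assert(rpID string, cd ClientData) ([]byte, error) {
	priv, ok := t.keys[rpID]
	if !ok {
		return nil, errors.New("token has no credential for " + rpID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedBytes(rpID, cd))
}

// RelyingParty is the website: it keeps the registered public key and accepts a
// login only if the signature covers its own fresh challenge and its own origin.
type RelyingParty struct {
	ID, Origin string
	pub        *ecdsa.PublicKey
	challenge  []byte
}

func (rp *RelyingParty) Verify(cd ClientData, sig []byte) error {
	switch {
	case !bytes.Equal(cd.Challenge, rp.challenge):
		return errors.New("challenge is not the one we issued")
	case cd.Origin != rp.Origin:
		return errors.New("signed for " + cd.Origin + ", not " + rp.Origin)
	case !ecdsa.VerifyASN1(rp.pub, signedBytes(rp.ID, cd), sig):
		return errors.New("signature does not verify")
	}
	return nil
}

// Attempt plays one login: the real site issues a fresh challenge (a phisher
// relays it unchanged), the browser records where the user really is, the token
// signs, and the real site checks the result.
func Attempt(tok *Token, rp *RelyingParty, pageOrigin, pageRPID string) error {
	rp.challenge = make([]byte, 32)
	if _, err := rand.Read(rp.challenge); err != nil {
		return err
	}
	cd := ClientData{Challenge: rp.challenge, Origin: pageOrigin}
	sig, err := tok.Assert(pageRPID, cd)
	if err != nil {
		return err
	}
	return rp.Verify(cd, sig)
}

// Demo: register with example.com, then log in from the real site, from a
// lookalike relaying the challenge, and from a tampered client that requests
// example.com's key while the page actually sits on the lookalike origin.
func Demo() (genuine, lookalike, tampered error) {
	tok := NewToken()
	rp := &RelyingParty{ID: "example.com", Origin: "https://example.com"}
	rp.pub = tok.Register(rp.ID)
	genuine = Attempt(tok, rp, "https://example.com", "example.com")
	lookalike = Attempt(tok, rp, "https://examp1e.com", "examp1e.com")
	tampered = Attempt(tok, rp, "https://examp1e.com", "example.com")
	return
}

func main() { fmt.Println(Demo()) }
```

Two things fall out of running it. The lookalike attempt fails inside the token, because the key the token minted at registration is bound to example.com and there is nothing for examp1e.com to use; and even a client that somehow asked for the right key while sitting on the wrong page fails at the site, because the origin the browser wrote into the signed data doesn't match. Neither check involves anything the user could be talked into reading out.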

What if I lose the token or don't have it with me?

This is one of the downsides of physical security tokens: lose it and you're fucked. The whole point of a security token is that it's mandatory for access, so if you don't have it, you can't log in. An "oops I lost it" back door would mean anyone who wants into your account without the token could use it too, defeating the entire purpose of the key.

The good news is that you can register a second or third key with your account and keep those backup keys somewhere safe. If you lose or damage your primary token, log in with a backup, remove the lost key from the account straight away, and add a new one to replace it.

What if someone gets hold of my security token?

Another downside is that, unlike an authenticator app that sits on your smartphone behind some other form of authentication (fingerprint, PIN, Face ID, etc.), someone can just take the key, plug it into a computer and, if they already know your password, get into your account. Newer keys like the YubiKey 5 series can be given a PIN of their own, and some services ask for it in addition to the touch, which takes some of the sting out of a stolen key.

This is why it's still recommended that you use a strong, unique password on every account, along with a password manager so you don't have to remember them. Whoever gets your security token still needs your password, so as long as it isn't easy to guess and isn't reused anywhere else, the token alone won't get them in.

Physical Security Token Tips

Make sure you have more than one security key. I cannot stress this enough – set up at least two and keep one in a safe place, similar to a passport, property deeds and other things you'd be super upset about if you were to lose them.

It's not recommended to leave the key plugged into your computer or device all the time, particularly when travelling. If someone steals your device, or you lose it, they also have your security key and can log in to your stuff.

Physical security tokens can also secure things other than websites and apps. Windows can be configured so that you can only sign in to the computer when a security token is present, and some password managers, like 1Password, can be set up to require the token whenever you log in.

Yubico also has an app, Yubico Authenticator, that stores the secrets behind your authentication codes on the token itself, so the codes can only be generated with the key present. This is ideal for services that offer 2-step login but don't support physical security tokens.

Which Services Support Physical Security Tokens?

Here's a handy list of common services that support tokens and a link to their documentation outlining how to set it up:


Got a tech question for Ada? She wants to hear from you!

Ada answers all your questions about tech, the online world, and staying safe in it. No question is too silly, no hypothetical is too far-fetched! Learn to leverage devices, systems, and platforms to your benefit.