
Buy a YubiKey

Hardware codes beat SMS codes 100% of the time. Phishing-proof your identity.

The Problem With Software 2FA

Time-based one-time passwords (TOTP) from apps like Google Authenticator are vastly better than SMS codes — but they have one critical weakness: they can be phished.

A sophisticated phishing site proxies your credentials in real-time. You enter your username, password, and then your 6-digit TOTP code. The phishing site immediately forwards all three to the real site and logs in as you — within the 30-second TOTP window. You see an error and think you mistyped. They're already in your account.

Hardware security keys eliminate this attack entirely.

How YubiKeys Work

A YubiKey is a physical USB or NFC device that handles authentication using public-key cryptography (FIDO2/WebAuthn protocol).

When you register a YubiKey with a site:

  1. Your YubiKey creates a key pair for that site and the site stores the public key
  2. To authenticate, the site sends a challenge
  3. Your YubiKey signs the challenge with its private key (which never leaves the device)
  4. The site verifies the signature

The critical part: the response is cryptographically bound to the domain you're logging into. If you're on a phishing site instead of google.com, the YubiKey will refuse to authenticate — because the domain doesn't match what it registered with.

There is no TOTP code to intercept. There is no credential to replay. The phishing attack simply fails.
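To make the origin binding concrete, here is an added example in Go (not code from the original tip or from Yubico) that models the four steps with a P-256 key pair standing in for the YubiKey's credential. The site origin, the challenges and the simplified signed payload (real WebAuthn also signs an authenticatorData prefix) are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// clientData mirrors WebAuthn's clientDataJSON. The browser, not the web page,
// fills in Origin with the site it is actually connected to.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
// Key models the YubiKey: the private key never leaves this struct.
type Key struct{ priv *ecdsa.PrivateKey }

func NewKey() (*Key, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Key{priv}, err
}
// Public is what the site stores at registration (step 1 above).
func (k *Key) Public() *ecdsa.PublicKey { return &k.priv.PublicKey }

// Assert covers steps 2 and 3: the browser on `origin` hands the key the site's
// challenge and the key signs SHA-256(clientDataJSON) (simplified from real WebAuthn).
func (k *Key) Assert(origin, challenge string) (cd, sig []byte, err error) {
	cd, _ = json.Marshal(clientData{challenge, origin})
	h := sha256.Sum256(cd)
	sig, err = ecdsa.SignASN1(rand.Reader, k.priv, h[:])
	return cd, sig, err
}

// Verify is step 4 on the site: the signature must be valid AND the signed client
// data must carry this site's own origin and the challenge it issued.
func Verify(pub *ecdsa.PublicKey, origin, challenge string, cd, sig []byte) error {
	h := sha256.Sum256(cd)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("bad signature") // tampered clientDataJSON lands here
	}
	var got clientData
	if json.Unmarshal(cd, &got) != nil || got.Origin != origin {
		// An assertion relayed from a phishing site lands here: the origin is
		// inside the signed data, so the attacker cannot rewrite it.
		return errors.New("origin mismatch: signed for " + got.Origin)
	}
	if got.Challenge != challenge { // a replayed old assertion lands here
		return errors.New("challenge mismatch")
	}
	return nil
}
```

The phishing proxy can relay the key's response to the real site, but the response names the phishing origin; rewriting that field breaks the signature, and reusing an old response fails the challenge check.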

Which YubiKey to Buy

  • YubiKey 5 NFC (~$55) — Works with USB-A and NFC. Best all-around choice. Use it with phones via tap.
  • YubiKey 5C NFC (~$55) — USB-C version for modern laptops
  • Security Key NFC (~$30) — Budget option, FIDO2 only (no OTP or PIV)

Buy two. Register both with your important accounts. Keep one on your keychain and one in a safe location as backup.

Where to Use It

Almost every major platform now supports hardware keys:

  • Google / Gmail
  • GitHub
  • Dropbox
  • Salesforce
  • Microsoft / Azure AD
  • 1Password, Bitwarden
  • Twitter / X
  • Facebook

Look for "Security Key" in any account's 2FA settings.

The Bottom Line

  • SMS 2FA: Vulnerable to SIM swap, SS7 attacks
  • TOTP apps: Vulnerable to real-time phishing
  • Hardware keys: Phishing-proof, SIM-swap-proof, brute-force-proof

A $55 YubiKey protects your accounts better than any software solution. It's the highest-leverage security purchase you can make.

The Voice of Cash delivers professional security audits and hands-on implementation.
