Affiliate links present. Disclosure
Hardware security keys — why they are different from TOTP and when they matter
What makes this confusing
Hardware security keys — YubiKey, Google Titan, and similar FIDO2 devices — are frequently mentioned alongside TOTP as 'two-factor authentication options.' The grouping suggests they are roughly equivalent alternatives. They are not. Hardware keys and TOTP codes address the same threat scenario (an attacker who has your password) but differ fundamentally in whether they are resistant to phishing.
TOTP codes can be phished. A convincing fake login page that captures your username, password, and TOTP code has 30 seconds to relay all three credentials to the real service before the TOTP code expires. This attack — adversary-in-the-middle phishing — is actively deployed and responsible for a meaningful fraction of account takeovers despite TOTP being enabled. Hardware keys using FIDO2/WebAuthn cannot be phished in this way.
Understanding why hardware keys are phishing-resistant, not just phishing-harder, changes how you think about which accounts deserve which type of second factor.
What people usually assume
The assumption 'TOTP is sufficient for most users' is reasonable for most accounts and insufficient for the accounts that matter most. Email accounts, password manager vaults, banking, and any account that controls other accounts deserve the strongest available second factor. If your email is phished despite TOTP, all accounts recoverable through that email become vulnerable.
A second assumption is that hardware keys are difficult to use. Modern FIDO2 keys — particularly those with USB-A, USB-C, and NFC — work with a single touch on both desktop and mobile. Authentication is: plug in the key (or tap it to the phone for NFC), touch the contact point, done. For services that support FIDO2, it is typically faster than waiting for a TOTP code and copying it.
A third assumption is that losing a hardware key means permanent account lockout. FIDO2 key authentication requires registering backup keys or backup authentication methods. Standard practice is registering two keys (keep one, store one securely) and keeping backup codes in the vault. Losing a single key is an inconvenience, not a lockout, if the setup includes backups.
What's actually true
How FIDO2 phishing resistance works: when you authenticate with a hardware key on the real service, the key performs a cryptographic operation that is bound to the specific origin (the exact domain). The key generates a response that is valid only for that domain. On a phishing site — even one with a convincing domain like paypal-secure-login.com — the key produces a different response because the origin is different. The real service won't accept it. There is no code to intercept and replay.
Hardware key support in this comparison: all six providers support FIDO2/WebAuthn on paid plans. Keeper has the broadest enterprise integration including Duo, RSA SecurID, and RADIUS. Bitwarden supports FIDO2/WebAuthn at the lowest cost (Premium $10/year). The key choice (YubiKey 5 series, Google Titan, Thetis) is largely independent of the password manager choice — major FIDO2 keys work with all FIDO2-supporting services.
The recommended configuration for maximum protection: hardware key as the second factor for vault login and email accounts; TOTP (in vault or dedicated app) for all other accounts. This provides FIDO2 phishing resistance where it matters most — the accounts that control your identity — without requiring hardware key registration on every service.
Where this leads
If you want hardware key support at the lowest cost — Bitwarden Premium at $10/year includes FIDO2/WebAuthn support. The key itself costs $25-$55 for a YubiKey 5 series depending on connector type.
Bitwarden hardware key setup
If you need enterprise hardware key integration — Keeper's MFA ecosystem covers FIDO2, YubiKey OTP, Duo, RSA SecurID, and RADIUS, the broadest enterprise 2FA support in this comparison.
Keeper enterprise hardware key and MFA support
If you want to understand the TOTP vs. hardware key decision in more depth — the TOTP in vault guide covers the trade-off and the specific recommendation for which accounts deserve which second factor type.
TOTP vs. hardware keys — which accounts need which
Limits of this guide
FIDO2 phishing resistance applies to the authentication step. It does not protect against account takeover that bypasses authentication entirely — for example, OAuth consent phishing, account recovery attacks, or social engineering the service's support team. Hardware keys secure the password + second factor authentication step, not the full account security surface.
© 2026 Softplorer