Table of Contents
Choosing a second factor for your accounts is one of the most consequential security decisions you can make. As we cover in our guide to two-factor authentication, any second factor is dramatically better than a password alone – but the two leading options, hardware security keys and TOTP authenticator apps, differ in meaningful ways. This article breaks down those differences so you can make an informed choice based on your actual threat model rather than marketing claims.
Both methods generate cryptographic proof that you possess something beyond your password. The mechanisms are fundamentally different, though, and those differences translate into real-world security and usability trade-offs that matter.
How Hardware Security Keys Work
Hardware security keys are dedicated physical devices that implement the FIDO2/WebAuthn protocol. When you register a key with a service, the key generates a unique public-private key pair. The private key never leaves the device. During authentication, the service sends a cryptographic challenge, the key signs it internally, and the signed response proves you hold the physical key.
The most widely used hardware keys include:
YubiKey (by Yubico) – Available in USB-A, USB-C, Lightning, and NFC form factors. YubiKeys support FIDO2, U2F, OTP, smart card (PIV), and OpenPGP. The YubiKey 5 series is the current flagship line, with models ranging from approximately $50 to $75 per key.
Google Titan Security Key – Available in USB-C/NFC and USB-A/NFC models. Titan keys support FIDO2 and U2F. Priced at around $30 per key, they are a more affordable option with a narrower feature set.
SoloKeys – An open-source alternative supporting FIDO2/U2F. Useful for users who want the ability to audit the firmware running on their security key.
All of these keys share a critical characteristic: the private key material is generated on the device and cannot be extracted. Even if an attacker has physical access to your computer, they cannot clone the key without physically possessing it.
How TOTP Authenticator Apps Work
Time-based One-Time Password (TOTP) apps generate six- or eight-digit codes that change every 30 seconds. The mechanism is defined in RFC 6238 and works as follows:
- During setup, the service shares a secret key with your authenticator app (usually via a QR code).
- Both the service and your app use the shared secret plus the current time to compute an HMAC-SHA1 hash.
- The hash is truncated to produce a short numeric code.
- Because both sides know the secret and the time, they independently generate the same code.
Popular TOTP apps include Google Authenticator, Authy, Microsoft Authenticator, and Raivo OTP (for Apple devices). For a detailed comparison, see our guide to the best authenticator apps.
The shared secret is the critical element. Anyone who possesses the secret can generate valid codes. This means the secret must be protected both at rest (on your device) and during the initial exchange.
Security Comparison
Phishing Resistance
This is the single most important distinction between the two methods.
Hardware security keys are phishing-resistant by design. When you authenticate with a FIDO2 key, the browser sends the key the origin (domain) of the requesting website. The key cryptographically binds its response to that specific origin. If an attacker creates a convincing phishing site at g00gle-login.com, the key will not produce a valid signature because the origin does not match the one registered during setup. The user does not need to notice the fraudulent domain – the key notices for them.
TOTP codes are not phishing-resistant. A well-crafted phishing page can display a field asking for your six-digit code. If you type it in, the attacker captures it and replays it to the real service in real time. The code itself carries no information about which domain requested it. Sophisticated phishing toolkits like Evilginx2 automate this relay attack and can capture both passwords and TOTP codes simultaneously.
This distinction matters enormously. Google reported that after deploying hardware security keys to all 85,000+ employees in 2017, the company experienced zero successful phishing attacks against those accounts. That is not a marginal improvement – it is a categorical one.
Man-in-the-Middle Attacks
Related to phishing, man-in-the-middle (MITM) attacks intercept communication between you and the service.
Hardware keys defeat MITM attacks because the signed challenge includes the origin and channel binding information. Even if an attacker intercepts the communication, they cannot replay the signed response to a different session.
TOTP codes are vulnerable to real-time MITM proxies. The attacker proxies your session, captures the code as you enter it, and forwards it to the legitimate server. The entire attack completes within the 30-second validity window.
Physical Access Requirements
Hardware keys require physical possession for each authentication. An attacker who compromises your computer remotely cannot use a hardware key plugged into that machine without triggering a physical interaction (typically a touch or button press). USB keys require a physical tap. NFC keys require proximity to the reader.
TOTP secrets, by contrast, are stored as data. If malware on your phone can access the authenticator app’s storage, it can exfiltrate the secrets silently. Once the secrets are exfiltrated, the attacker can generate valid codes from anywhere in the world without physical access to your device.
Account Recovery
Hardware keys introduce a practical risk: if you lose the key, you lose access. This is why security experts universally recommend registering at least two hardware keys per account and storing the backup in a separate physical location.
TOTP apps can be backed up. Some apps (like Authy) support encrypted cloud backup. Others let you export secrets or store the original QR codes. This recoverability is a usability advantage, but it also means the secrets exist in more places, expanding the attack surface.
Replay Attacks
Hardware key signatures include a counter that increments with each use. A replayed signature will have a stale counter and be rejected.
TOTP codes are valid for a 30-second window (sometimes longer, as servers typically accept codes from adjacent time steps). Within that window, a captured code could theoretically be replayed, though most services invalidate a code after first use.
Usability Trade-Offs
Setup Complexity
TOTP setup is straightforward: scan a QR code, and the app generates codes immediately. Nearly every service that supports 2FA supports TOTP. It is the universal second factor.
Hardware key setup varies by service. Some services (Google, GitHub, Microsoft) have polished enrollment flows. Others have minimal or confusing interfaces. You may need to install drivers or enable specific browser features, though this has improved significantly with native WebAuthn support in modern browsers.
Daily Use
TOTP requires unlocking your phone, opening the app, finding the correct account, and typing a six-digit code before it expires. This takes 10 to 20 seconds per login.
Hardware keys require plugging in the key (or tapping NFC) and touching the button. This takes 3 to 5 seconds. For frequent logins, the time savings add up.
Device Compatibility
TOTP works on any device with a clock and the shared secret. You can use it on phones, tablets, desktops, and even some smartwatches.
Hardware keys require a compatible port or NFC. A USB-A key will not work on a USB-C-only laptop without an adapter. Some mobile devices have limited NFC support. Lightning-compatible keys exist for iPhones, but the selection is smaller.
Service Support
TOTP is supported by virtually every service that offers 2FA. Hardware key support is growing but remains less universal. Major platforms (Google, Microsoft, Apple, GitHub, Dropbox, Facebook) support hardware keys. Many smaller services do not.
As TOTP continues to replace SMS as the baseline second factor, hardware keys occupy the premium tier above TOTP.
Cost Analysis
TOTP: Free. Authenticator apps are free to download and use. The only “cost” is the phone or device running the app, which you already own.
Hardware keys: $30 to $75 per key, and you need at least two (one primary, one backup). A basic setup with two Google Titan keys costs approximately $60. Two YubiKey 5C NFC keys cost approximately $110. For a family of four, each needing two keys, the investment ranges from $240 to $440.
For most individuals, the cost of hardware keys is modest relative to the security improvement. For organizations, the per-employee cost of hardware keys is typically far less than the cost of a single successful phishing attack.
Which Should You Choose?
Use Hardware Keys If:
- You are a high-value target. Journalists, activists, executives, IT administrators, cryptocurrency holders, and anyone with elevated threat exposure should use hardware keys. The phishing resistance alone justifies the investment.
- You are protecting critical infrastructure. Admin accounts for cloud services, domain registrars, DNS providers, and similar services should be secured with hardware keys.
- Your organization can mandate them. When you can ensure every employee has and uses hardware keys, the security improvement is transformative.
Use TOTP If:
- Hardware keys are not supported. Many services only support TOTP. Use the strongest option available.
- Cost is a barrier. TOTP provides meaningful security improvement over passwords alone at zero cost.
- You need to onboard non-technical users. TOTP is more familiar and less intimidating for users who have never used a hardware security device.
- You need backup flexibility. If the risk of being locked out concerns you more than the risk of phishing, TOTP’s backup options provide peace of mind.
Use Both
The strongest approach is layered. Register hardware keys as your primary second factor on services that support them. Use TOTP for services that do not. Many services allow you to register both, using the hardware key for daily logins and TOTP as a fallback.
The Role of Passkeys
The authentication landscape is evolving. Passkeys build on the same FIDO2/WebAuthn protocol that hardware keys use, but store the credentials in platform authenticators (your phone’s secure enclave, your laptop’s TPM) or in password managers. Passkeys bring hardware-key-level phishing resistance to software-based authentication, potentially bridging the gap between hardware key security and TOTP convenience.
As passkeys gain adoption, the distinction between hardware keys and TOTP may become less relevant for many users. For now, though, both methods remain essential tools. The future of multi-factor authentication is moving toward phishing-resistant standards, and understanding the current landscape helps you make decisions that align with where security is heading.
Practical Recommendations
- Audit your accounts. Start with the services that would cause the most damage if compromised. See our guide to setting up 2FA on every service for a systematic approach.
- Buy two hardware keys. Register both with your critical accounts. Store one on your keychain and one in a safe or safety deposit box.
- Use a reputable TOTP app for services that do not support hardware keys. Avoid SMS-based 2FA where possible.
- Save recovery codes. Regardless of which method you use, store recovery codes in a secure location, separate from your primary authentication method.
- Re-evaluate annually. The authentication landscape changes. New services add hardware key support. Passkeys are expanding. Review your setup periodically.
The choice between hardware keys and TOTP is not binary. It is a spectrum, and the right answer depends on what you are protecting, who you are protecting it from, and what friction you are willing to accept. Either option puts you ahead of the vast majority of internet users who rely on passwords alone.
