01What is it, really?
A hardware security key is a tiny tamper-resistant computer. Its one job is to hold secrets that never leave the chip and to perform crypto operations with them on demand — so even malware on your laptop can borrow the key's powers while it's plugged in, but can never copy the keys themselves.
Most modern keys (YubiKey, SoloKey, Nitrokey, Token2, and others) are really several independent "applets" sharing one piece of plastic. Each speaks a different open standard, and you can use as many or as few as you like.
02What can I actually do with it today?
In rough order of "most people start here":
- Protect your important accounts. Add the key as a security key / passkey on Google, Microsoft, Apple, GitHub, your password manager, etc. This is the single highest-value step, and it defeats phishing in a way that SMS and app codes don't.
- Replace passwords entirely (passkeys). On sites that support it, the key is your login — no password to steal or reuse.
- Carry your TOTP codes on hardware for sites that only offer "authenticator app" 2FA.
- Log into SSH servers with a key that requires a physical touch — via FIDO, PIV, or OpenPGP.
- Sign your git commits and releases, and encrypt or sign email (OpenPGP), or do smart-card login to a workstation or VPN (PIV).
You don't have to use every applet. Putting one key on your email and one other critical account, plus a backup key in a drawer, already puts you ahead of the overwhelming majority of attacks.
03The four things a key can be
Each links to a short page on what it is and what keyroost can do with it.
Passwordless & phishing-proof login
Sign in to websites with a touch — as a second factor or a full passkey, bound to the real site's domain so it can't be phished.
Learn FIDO2 →
OATH · TOTP / HOTPYour 2FA codes, off your phone
The 6-digit "authenticator app" codes, stored on the key instead of an app that syncs to the cloud.
Learn OATH →
PIV · smart cardCertificates, SSH & login
Holds X.509 client certs and keys for SSH, VPN, workstation login, and document signing.
Learn PIV →
OpenPGP cardSign & encrypt mail, git, files
An on-card PGP keypair for encrypted email, signed git commits, and SSH — the private key never touches disk.
Learn OpenPGP →
Have a programmable TOTP token instead of a multi-applet key? See Token2 Molto2. Starting over with a key? See resetting safely.
04The 10-minute first-day checklist
- Buy two keys, not one. Register both everywhere; the second lives somewhere safe as your recovery key. (This is the step people skip and regret.)
- Set a PIN. The FIDO2 / PIV / OpenPGP applets each take a PIN that gates their use — it unlocks the key, not a website, and the key locks or wipes itself after a handful of wrong tries. More on PINs →
- Register the key with one account and test it — including signing out and back in — before you rely on it.
- Record your recovery codes for each account offline.
- Then roll it out to the rest of your important accounts.
05FAQ
Is a security key better than my authenticator app?
For phishing — the threat most people face — yes, meaningfully. A FIDO2 key cryptographically checks the website's real domain before it responds, so a look-alike phishing page gets nothing. TOTP codes can be typed into a fake site and replayed within the 30-second window. TOTP still beats SMS or nothing; FIDO2 is the gold standard. CISA on phishing-resistant MFA →
What happens if I lose it?
This is exactly why you register a second key and keep recovery codes. Sign in with your backup, remove the lost key from each account, and register a replacement. Because the secrets never leave the chip, whoever finds your key still needs your PIN — and it locks itself after too many wrong guesses.
Can someone copy my key, or read the secrets off it?
No — that's the whole point. Private keys are generated on the chip and are designed to be non-exportable. Operations happen inside the key; only the result (a signature, an assertion) comes out. There's no "export key" button.
Is the PIN the same as a password?
No. A website password is checked by a server and can be stolen in a breach. A key's PIN is checked by the key, offline, just to authorize local use — and the key enforces a small retry limit, so even a short PIN resists brute force. You never type it into a web form. More →
What's a "passkey," and is it the same thing?
A passkey is a FIDO2 credential used instead of a password rather than alongside one. A hardware key can store passkeys (a "device-bound passkey"); the phones-and-cloud kind syncs across devices. Same standard, different storage and recovery trade-offs. More →
Do I need keyroost to use my key?
Not for everyday logins — registering a key with a website happens in your browser, no extra software required. keyroost is for managing the key itself: inspecting it, setting PINs, loading TOTP secrets, generating OpenPGP/PIV keys, and programming Token2 Molto2 tokens — over an open, auditable toolchain with no vendor SDKs. It's optional power tooling, not a requirement.
06Mini-glossary
- FIDO2 / WebAuthn / CTAP
- The modern passwordless standard. WebAuthn is the browser-to-website half; CTAP is the browser-to-key half; "FIDO2" is the two together.
- U2F
- The original second-factor-only predecessor to FIDO2. Still works; FIDO2 is the superset.
- TOTP / HOTP (OATH)
- Time- and counter-based one-time passwords — the 6-digit codes, defined in RFC 6238 and RFC 4226.
- PIV
- A US-government smart-card standard (NIST SP 800-73) for certificates and keys; widely used for SSH, login, and signing.
- OpenPGP card
- A standard for an on-card PGP keypair — sign/encrypt email, files, git, and SSH.
- Attestation
- A signed statement a key can make about what model it is, so an organization can require approved hardware.
07Authoritative resources
Primary sources — standards bodies and the people who wrote the specs.