
What are Hardware Security Keys?
Before reading on to find out whether or not I think they are safe, let's cover what Hardware Security Keys actually are. In short, they are physical keys in the form of a USB key (or stick/drive, call it what you will) or a wireless dongle that uses NFC (near-field communication) to communicate wirelessly. These physical keys function as another type of multi-factor authentication (MFA) or two-factor authentication (2FA), using the WebAuthn standard to secure accounts such as Google, Facebook, Dropbox, and GitHub. Instead of entering an authentication code, you plug the key into a USB port or tap it via NFC; the key proves who you are and you are granted access to your account.
Should you use one?
The right question is, “why don’t you have one?” As of today (2019), Hardware Security Keys are as safe as you can get when it comes to securing your accounts. With WebAuthn as the new standard, this form of security is highly resilient to man-in-the-middle attacks because, unlike its predecessor, Universal 2nd Factor (U2F), it doesn’t require a traditional password to authenticate. This means that even if a hacker knows your password, the only way to authenticate is with the hardware security key. Also, because the private key material is at no time accessible to software running on the host machine, the key is also resistant to malware.
Yes, there are some cons. One problem is that if the hardware security key is lost or stolen, regaining access to your account will be a pain. However, it is also a pain for the hacker. The other problem is that if a hacker knows your password and has your key, they could gain access to your accounts and delete or de-associate your hardware security key, but the likelihood of this happening is pretty slim.
There are backup methods to help you regain access in the event that you lose your hardware security key. Some hardware security keys, such as Google’s Titan Bundle, come as two keys (a primary and a backup). Other methods include associating multiple keys with your account so that any of them can authenticate your login, which can then be used to de-associate a lost or stolen key (the loophole is that a hacker with the stolen hardware security key could get into your account first and remove all your keys; again, a very slim chance). When setting up your hardware security key, backup methods to regain access to your accounts are usually set up as well, including a set of one-time hand-written or printed recovery codes that you must enter in a particular order to regain access, which is my preferred method.
So are they really safe?
A good thing to keep in mind is that no cyber security tool is 100% guaranteed to keep you safe. There are many other factors that could render these tools useless, but overall I think they are still your safest bet if you really need to protect your accounts. Even though there have been recalls of Google’s Titan Security Key due to a misconfiguration and of Yubico’s YubiKeys because of insufficient randomness after power-up, these issues have been patched and the manufacturers have offered free recalls and replacements. In the end, the goal is to make it harder for hackers to access your assets.
Sources:
How-To-Geek – Hardware Security Keys Keep Getting Recalled; Are They Safe?
Wikipedia – WebAuthn
Yubico – Losing Your YubiKey
