security-alliance · mattaereal · Apr 6, 2026 · Mar 16, 2026 · Mar 16, 2026 · Mar 21, 2026
diff --git a/docs/pages/guides/endpoint-security/hardware-security-keys.mdx b/docs/pages/guides/endpoint-security/hardware-security-keys.mdx
@@ -0,0 +1,96 @@
+---
+title: "Hardware Security Keys | Security Alliance"
+description: "Use hardware security keys on critical accounts, keep a backup enrolled, and avoid weak recovery paths."
+tags:
+  - Security Specialist
+contributors:
+  - role: wrote
+    users: [dickson, louis, pablo]
+---
+
+import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../../components'
+
+<TagProvider>
+<TagFilter />
+
+# Hardware Security Keys
+
+<TagList tags={frontmatter.tags} />
+<AttributionList contributors={frontmatter.contributors} />
+
+## Summary
+
+> 🔑 **Key Takeaway for Hardware Security Keys:** Use FIDO2/WebAuthn security keys on high-value accounts, register
+> at least two keys per critical account, disable SMS fallback where possible, and test recovery before you need it.
+
+Hardware security keys are one of the strongest practical defenses against phishing, credential stuffing, and
+SIM-swap-based account takeovers. They are especially valuable for email, source control, registrars, cloud platforms,
+social accounts, and any admin or financial account that could be used to pivot into the rest of your organization.
+This guide focuses on YubiKeys and similar FIDO2/WebAuthn hardware keys.
+
+## For Individuals
+
+These steps apply to personal and work accounts that support FIDO2/WebAuthn security keys or passkeys stored on a
+hardware key.
+
+### Setup Checklist
+
+- [ ] Buy at least **two** security keys from a reputable vendor such as Yubico
+- [ ] Prefer keys that match your device mix:
+  - USB-C for modern laptops and phones
+  - NFC if you regularly authenticate on mobile
+- [ ] Label one key **Primary** and the other **Backup**
+- [ ] Register both keys on every critical account that supports them:
+  - Primary email
+  - GitHub and code hosting
+  - Registrar and DNS providers
+  - Cloud and deployment platforms
+  - Banking, custody, or treasury accounts
+  - Social and communication accounts
+- [ ] Where offered, prefer:
+  - **Security key**
+  - **Passkey on hardware key**
+  - Other phishing-resistant WebAuthn/FIDO2 options
+- [ ] Disable **SMS** as a recovery or second-factor method wherever the service allows it
+- [ ] Save provider-issued backup or recovery codes offline
+- [ ] Test both the primary and backup key after enrollment
+
+### YubiKey Setup Notes
+
+- Register both your primary and spare YubiKeys during the same setup session whenever the service allows it
+- Set a PIN on the YubiKey or FIDO2 credential where the workflow supports it, and store that PIN separately from the
+  key itself
+- If your YubiKey supports NFC and it is new, activate NFC before you rely on it for mobile logins
+- Prefer the service's **Security key** or **Passkey** option on a YubiKey over app-based OTP when phishing-resistant
+  login is available
+- If a service only supports authenticator-app codes, Yubico Authenticator can keep those codes tied to the YubiKey,
+  but treat that as a fallback rather than equivalent protection to WebAuthn security-key login
+
+### Practical Use
+
+- Keep the **Primary** key with you for normal logins
+- Store the **Backup** key in a separate secure location, not in the same bag or drawer
+- Maintain a short note in your password manager listing which critical accounts have which keys enrolled
+- For high-value accounts, avoid storing passkeys in a password manager; keep them on the hardware key or another
+  dedicated phishing-resistant authenticator instead
+- If a service allows multiple authentication methods, avoid leaving weaker fallback paths enabled unless they are
+  operationally necessary
+- Replace lost or damaged keys immediately and re-test the remaining enrolled key
+
+### Recovery Discipline
+
+- Do not wait until you lose a key to learn how account recovery works
+- If you lose your only key and do not have a second enrolled key or a usable recovery path, you can lock yourself out
+  of critical accounts at the moment you most need them
+- Verify that your recovery path does not depend on a phone number if you are trying to reduce SIM-swap risk
+- If an account only supports app-based MFA or SMS, record that exception clearly and prioritize moving the account to
+  a stronger provider or stronger configuration when possible
+
+## Further Reading
+
+- [Opsek YubiKeys Cheatsheet](https://github.com/Opsek/Yubikeys-cheatsheet)
+- [Yubico Setup Guide](https://www.yubico.com/setup/)
+- [Yubico: YubiKey Authenticator](https://www.yubico.com/products/yubico-authenticator/)
+
+</TagProvider>
+<ContributeFooter />
diff --git a/docs/pages/guides/endpoint-security/index.mdx b/docs/pages/guides/endpoint-security/index.mdx
@@ -11,5 +11,6 @@ title: "Endpoint Security"
 
 ## Pages
 
+- [Hardware Security Keys](/guides/endpoint-security/hardware-security-keys)
 - [Password Manager Endpoint Hardening](/guides/endpoint-security/password-manager-endpoint-hardening)
 - [Zoom Hardening Guide](/guides/endpoint-security/zoom-hardening)
diff --git a/vocs.config.tsx b/vocs.config.tsx
@@ -546,6 +546,7 @@ const config = {
           text: 'Endpoint Security',
           collapsed: true,
           items: [
+            { text: 'Hardware Security Keys', link: '/guides/endpoint-security/hardware-security-keys' },
             { text: 'Password Manager Endpoint Hardening', link: '/guides/endpoint-security/password-manager-endpoint-hardening', dev: true },
             { text: 'Zoom Hardening', link: '/guides/endpoint-security/zoom-hardening' },
           ]

diff --git a/wordlist.txt b/wordlist.txt
@@ -337,6 +337,7 @@ rootfs
 GitHub
 GitLab
 GoDaddy
+Opsek
 Alchemix
 Bram
 dmarcian
-Original file line number
+Diff line change
@@ Expand Up / @@ -337,6 +337,7 @@ rootfs @@
     GitHub
     GitLab
     GoDaddy
+    Opsek
     Alchemix
     Bram
     dmarcian
@@ Expand Down @@