Signing in to a service

Multi-factor authentication with a physical object

A security key is inserted into a computer and a checkmark is displayed on screen.


Multi-factor authentication adds an extra layer of security on top of having a username and password.

For this kind of multi-factor authentication, people log in and then connect a physical security object to gain access. This object can be standalone or built into a smartphone and connect via USB, NFC or Bluetooth.

IF thinks that this pattern effectively protects people against phishing attacks. So far it has mainly been used for enterprise security, where extra protection is needed. That said, it is not universally supported by services and needing an extra object to log in (unless it’s built in a phone) makes it less useful for most users.

Examples of authentication using a physical object but without passwords are currently being trialled.


  • Adds one more barrier if other authentication methods are compromised or broken.
  • Protects people from phishing attacks.


  • People need to have the physical security object to hand.
  • The hardware is not universally supported.