TL;DR: YubiKey dominates the market but runs closed firmware you can't audit. Nitrokey, SoloKeys, and OnlyKey publish their firmware, so you (or researchers you trust) can read what your security key actually runs. For most people: Nitrokey 3 for general use, OnlyKey if you want a built-in password manager, SoloKeys for budget FIDO2.
Why Open Source Security Keys Matter
A security key is supposed to be the most trusted device you own. It protects your email, your bank accounts, your identity. If it's compromised, everything is compromised.
YubiKey is the market leader. Millions trust it. But you can't see what's running on it. The firmware is proprietary and not field-updatable. When researchers find vulnerabilities, like the September 2024 EUCLEAK side-channel attack on the Infineon cryptographic library used by YubiKey 5 series keys with firmware before 5.7, you're trusting Yubico to tell you which keys are affected, and an affected key can't be patched, only replaced. You can't verify anything yourself.
Open source security keys flip that equation. The firmware is public. Independent researchers can audit the code. You can build and flash it yourself if you're paranoid enough. That's not just ideology; it's how security should work.
Quick Comparison
| Feature | Nitrokey 3 | SoloKeys Solo 2 | OnlyKey |
|---|---|---|---|
| Price | $49–$109 | $30–$50 | $50–$60 |
| FIDO2/WebAuthn | Yes | Yes | Yes |
| U2F | Yes | Yes | Yes |
| TOTP | Yes | No | Yes |
| OpenPGP | Yes | No | Yes |
| Password Manager | Yes (24 slots) | No | Yes (24 slots) |
| NFC | Yes (3C NFC model) | Yes (Solo 2C+ NFC) | No |
| USB-C | Yes | Yes | Yes (DUO model) |
| Firmware | Trussed (Rust) | Trussed (Rust) | Open source (C++ on Teensy, with Trezor crypto code) |
| Company Location | Berlin, Germany | USA | USA |
Nitrokey
Best for: Most users who want a full-featured open source security key
Nitrokey has been building open-source security hardware in Berlin since 2015. They started with USB keys and expanded into laptops (NitroPC), phones (NitroPhone—a de-Googled Pixel), and hardware security modules for enterprise.
Current Models
Nitrokey 3A/3C ($49): USB-A or USB-C. FIDO2, U2F, one-time passwords. The baseline.
Nitrokey 3A/3C NFC ($59): Same as above plus NFC for mobile authentication.
Nitrokey 3A Mini ($29): Tiny form factor, reduced features, great for leaving plugged in.
Nitrokey Pro 2 ($109): OpenPGP smart card, S/MIME email encryption, password safe with 16 slots. For serious crypto users.
Firmware
The Nitrokey 3 series runs Trussed, a firmware framework written in Rust and developed jointly with SoloKeys. Safe Rust rules out the memory-corruption bugs (buffer overflows, use-after-free) that fill C firmware advisories, though it does nothing against logic flaws or side channels, and the hardware drivers still carry unsafe code. The code is auditable on GitHub. One caveat: the open firmware is what runs on the main microcontroller. The Nitrokey 3's separate secure element, which it uses to protect key material, runs the chip vendor's closed firmware, and the silicon itself, down to the boot ROM, is never open on any key in this article.
Extra Features
Beyond authentication, Nitrokey includes a password safe (store passwords directly on the device), OpenPGP for email encryption, and SSH key storage (either via the OpenPGP applet or via FIDO2 with OpenSSH's sk- key types). The Nitrokey App provides a GUI for management on Linux, Windows, and macOS.
Buy from: nitrokey.com
SoloKeys
Best for: Budget-conscious users who only need FIDO2/U2F
SoloKeys created the first open-source FIDO2 security key in 2018 via a successful Kickstarter. Their Solo 2 series focuses purely on FIDO2 and U2F authentication—no password manager, no OpenPGP, just passwordless login and two-factor auth done right.
Current Models
Solo 2 USB-A ($35): Basic FIDO2/U2F key.
Solo 2 USB-C ($40): Same features, modern connector.
Solo 2C+ NFC ($50): USB-C plus NFC for mobile. The recommended model for most users.
What Makes It Different
SoloKeys strips away features to focus on doing one thing well. No bloat. The firmware is the same Trussed framework Nitrokey uses, developed in partnership between the two companies, so the FIDO2 implementation you're trusting is the same code. You're getting equivalent FIDO2 security for less money if you don't need the extras. (No OpenPGP doesn't mean no SSH: any FIDO2 key works with OpenSSH's sk- key types.)
They also sell customizable sleeves so your security key doesn't have to look boring. Minor, but someone cared enough to do it.
Buy from: solokeys.com
OnlyKey
Best for: Users who want a hardware password manager combined with 2FA
OnlyKey takes a different approach. Instead of just authenticating you to websites, it stores your passwords and types them when you press physical buttons on the device; to the computer it appears as a USB keyboard. Be precise about what that buys you: the stored secrets never leave the device except as keystrokes, so malware can't dump the whole vault the way it can with a software password manager, but anything the OnlyKey types goes through the host's input stack like any other keystroke, and a keylogger on that host can capture the password at the moment it is typed.
Current Models
OnlyKey ($57): USB-A, six buttons for password slots, PIN entry on-device.
OnlyKey DUO ($60): Smaller form factor with USB-A and USB-C.
The Password Manager Angle
OnlyKey stores 24 accounts directly on the device. Each of the six buttons can have a short-press and long-press action, plus multiple profiles. Press a button, and OnlyKey types your username, tabs, types your password, and hits enter. It can also auto-fill TOTP codes.
The PIN is entered directly on the device buttons. Even if malware controls your computer, it can't see your PIN or extract the passwords stored on the device; it can still capture an individual password while the OnlyKey types it. The device wipes itself after 10 wrong PIN attempts.
Firmware Origins
OnlyKey's firmware is open source and borrows its cryptographic code from the Trezor hardware wallet firmware, which is also open source. That shared heritage is why it can also function as a basic cryptocurrency wallet, though that's not its primary purpose.
Limitations
No NFC. The button-based interface has a learning curve. Setup takes longer than simpler keys. And since it types into whatever window has focus, it does nothing to stop you from typing a password into a phishing page; for that, use its FIDO2 support. But once configured, it keeps your credentials off the host until the moment each one is used, which is a real improvement over a software vault that gets decrypted on a compromised machine.
Buy from: onlykey.io
Which Should You Buy?
For Most People: Nitrokey 3C NFC ($59)
USB-C works with modern devices. NFC works with phones. FIDO2 handles passwordless login. TOTP handles sites that don't support hardware keys. It does everything without being complicated.
On a Budget: SoloKeys Solo 2C+ NFC ($50)
Same Trussed firmware as Nitrokey, fewer features, lower price. If you only need FIDO2/U2F, this is the smart buy.
For Password Haters: OnlyKey ($57)
If you're tired of password managers and want your credentials stored on a physical device that types them for you, OnlyKey is unique. The workflow takes adjustment, but the security model is sound for the threat it addresses: theft of credentials at rest, not keylogging or phishing.
For High-Security Needs: Nitrokey Pro 2 ($109)
OpenPGP smart card functionality for email encryption, SSH key storage, and S/MIME. Overkill for most people, essential for journalists, activists, and anyone handling sensitive communications.
Getting Started
Whatever key you choose, the setup process is similar:
- Register with critical accounts first: Google, Microsoft, GitHub, your password manager. These are the accounts that, if compromised, cascade into everything else.
- Buy two keys: One for daily use, one locked in a drawer as backup. FIDO2 credentials can't be copied between keys, so register the backup with every account at the same time as the primary. If you lose your only key, you're locked out of everything. $50 for peace of mind is cheap.
- Save backup codes: Most services generate recovery codes when you enable 2FA. Print them. Store them somewhere physical and secure.
- Test recovery before you need it: Try logging in with your backup key. Try using a backup code. Know the process works before an emergency.
FIDO2 vs TOTP: Which Matters?
FIDO2/WebAuthn is the future. The site sends a random challenge; the browser adds the page origin and hands both to the key, which signs them with a credential scoped to that site's relying-party ID. A look-alike domain can't ask the key for your bank's credential, and even a proxied assertion carries the wrong origin inside the signed data, so the real site rejects it. That's why credential phishing fails outright instead of merely getting harder. Passwordless login where supported. Google, Microsoft, GitHub, and thousands of other sites support it.
TOTP (time-based one-time passwords) is the fallback. Six-digit codes derived from a shared secret and the current 30-second window. Less secure than FIDO2: the code says nothing about where you typed it, so a fake login page can collect it and replay it to the real site within the same window. But it's universally supported; most sites that offer 2FA support TOTP.
Get a key that supports both. Use FIDO2 where available, TOTP where it's not.
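The two checks described above, as an added example written for this article (not code from any of the projects discussed): a toy WebAuthn authenticator and relying party in Go, plus RFC 6238 TOTP, using the constructed sites login.example and evil.example and the RFC's published test secret. It walks through a real login, a phishing page at evil.example that proxies the real site's challenge, a forged assertion carrying the phishing origin, and a TOTP code typed into the phishing page and relayed to the real site 15 seconds later.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"fmt"
)

// clientData is built by the browser, not the key; its hash is signed, so the real page origin is bound in.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
type assertion struct{ ClientDataJSON, AuthData, Sig []byte }

// Authenticator stands in for the security key: one P-256 key pair per relying-party ID.
type Authenticator struct{ creds map[string]*ecdsa.PrivateKey }

// Sign mimics a WebAuthn assertion: ECDSA over authData || sha256(clientDataJSON). The browser derives rpID from the page origin, so a page on evil.example can only ever ask the key for "evil.example".
func (a *Authenticator) Sign(rpID string, cd clientData) (assertion, bool) {
	priv, ok := a.creds[rpID]
	if !ok {
		return assertion{}, false // no credential for this site: nothing to sign
	}
	cdj, _ := json.Marshal(cd)
	rpHash, cdh := sha256.Sum256([]byte(rpID)), sha256.Sum256(cdj)
	authData := append(rpHash[:], 0x01) // rpIdHash || flags (user present); counter omitted
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return assertion{ClientDataJSON: cdj, AuthData: authData, Sig: sig}, err == nil
}

// RelyingParty is the website's side of the ceremony.
type RelyingParty struct {
	origin, rpID string
	pub          *ecdsa.PublicKey
}

func newChallenge() string { // a fresh random nonce per login attempt
	b := make([]byte, 16)
	rand.Read(b)
	return fmt.Sprintf("%x", b)
}

// Verify is what the server runs on the assertion; challenge is the nonce it issued for this attempt.
func (rp *RelyingParty) Verify(as assertion, challenge string) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return fmt.Errorf("wrong ceremony type or challenge (replay?)")
	}
	if cd.Origin != rp.origin { // the check a proxying phishing page cannot get past
		return fmt.Errorf("assertion was made on %s, not %s", cd.Origin, rp.origin)
	}
	want, cdh := sha256.Sum256([]byte(rp.rpID)), sha256.Sum256(as.ClientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, as.AuthData...), cdh[:]...))
	if len(as.AuthData) < 33 || !hmac.Equal(as.AuthData[:32], want[:]) || !ecdsa.VerifyASN1(rp.pub, digest[:], as.Sig) {
		return fmt.Errorf("rpIdHash or signature does not check out")
	}
	return nil
}

// totp is RFC 6238 (HMAC-SHA1, 30 s steps, 6 digits). Nothing about the origin goes in.
func totp(secret []byte, t int64) string {
	var ctr [8]byte
	binary.BigEndian.PutUint64(ctr[:], uint64(t/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(ctr[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	return fmt.Sprintf("%06d", (binary.BigEndian.Uint32(h[off:off+4])&0x7fffffff)%1000000)
}

// Scenario: a real login, the phishing page asking the key, a forged assertion with the phishing origin, and a TOTP code typed into the phishing page and relayed to the real site 15 s later.
func Scenario() (legitOK, keyRefused, rpRejected, totpRelayed bool) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // registration: one credential for login.example
	auth := &Authenticator{creds: map[string]*ecdsa.PrivateKey{"login.example": priv}}
	rp := &RelyingParty{origin: "https://login.example", rpID: "login.example", pub: &priv.PublicKey}
	c1 := newChallenge()
	as, _ := auth.Sign("login.example", clientData{"webauthn.get", c1, "https://login.example"})
	legitOK = rp.Verify(as, c1) == nil
	c2 := newChallenge() // issued to the phishing page, which proxies it to the victim's browser
	_, signed := auth.Sign("evil.example", clientData{"webauthn.get", c2, "https://evil.example"})
	keyRefused = !signed
	forged, _ := auth.Sign("login.example", clientData{"webauthn.get", c2, "https://evil.example"})
	rpRejected = rp.Verify(forged, c2) != nil
	secret := []byte("12345678901234567890") // constructed: the RFC 6238 test key
	totpRelayed = hmac.Equal([]byte(totp(secret, 55)), []byte(totp(secret, 40)))
	return
}

func main() { fmt.Println(Scenario()) }
```

Run it with go run; it prints four booleans that should all be true. A real authenticator also returns a signature counter and a real relying party stores per-user credential IDs and public keys; both are left out here, as is the CBOR/COSE encoding the actual protocol uses. The one-line totpRelayed check is the whole story of TOTP phishing: the server's only inputs are the shared secret and the clock.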
Why Not Just Buy a YubiKey?
YubiKeys work well. They're reliable, widely supported, and have excellent build quality. Many security professionals use them daily.
The difference is trust model. With YubiKey, you trust Yubico—their code, their supply chain, their vulnerability disclosures. With open source keys, you trust the code itself because you (or security researchers you trust) can read it.
When Yubico disclosed the September 2024 side channel, users had to trust that the disclosure was complete and that the list of affected firmware versions was right; because YubiKey firmware isn't field-updatable, the only remedy for an affected key was replacement. With Nitrokey 3 or Solo 2, the patch would be public and auditable, and both can be updated in place.
For most threat models, either approach is fine. For high-stakes situations—journalism, activism, cryptocurrency—the ability to verify matters.