---
title: "Hardware tokens and keys for two-factor authentication (2FA)"
description: "Here’s how you can use hardware tokens and keys for two-factor authentication with UserLock."
locale: "en"
updated_at: "2025-12-08T08:32:43.920Z"
canonical: "https://www.isdecisions.com/en/userlock/features/mfa-security-keys"
---

# Hardware tokens and keys for two-factor authentication (2FA)

Secure access to on-premise Active Directory and cloud apps with 2FA via hardware tokens and keys from YubiKey or Token2.

- Quick setup
- Easy self-enrollment
- Protect from human error
- Phishing-resistant

## Secure 2FA with a hardware tokens and keys

Connect your hardware authentication device for highly-secure MFA that meets the highest compliance and security standards.

### Easy onboarding

UserLock makes it easy for IT teams to onboard [YubiKey](https://www.yubico.com/works-with-yubikey/catalog/userlock/) or [Token2](https://www.token2.com/shop/page/enrolling-and-using-token2-usb-security-keys-with-userlock-mfa) devices. Once the UserLock administrator enables and configures MFA, end users can enroll in just two steps:

1. **Plug the key** into the computer’s USB port. UserLock automatically detects the device and programs the key
2. **Press the “Success” or “Valid” button** and tap the device’s button. UserLock displays a 6-digit code and enrollment is complete.

### MFA with YubiKey

UserLock supports Yubico’s security keys to secure Active Directory user logins with secure MFA.

### MFA with Token2

UserLock supports Token2 programmable tokens to protect user access to Windows systems.

## Resistant to phishing attacks

Hardware authentication devices remove the user from the authentication process, a common vulnerability exploited in phishing attacks. This makes hardware tokens and keys the MFA method of choice for organizations that want to choose an MFA method that’s most [resistant to phishing attacks](/blog/mfa/phishing-scams-that-target-mfa-and-how-you-can-avoid-them).

## Choose the MFA method that fits your team

IT admins can choose to offer hardware tokens and keys in addition to other MFA methods for users.

UserLock also supports:

- [Push notifications](/userlock/features/two-factor-push-notification)
- [Authenticator apps](/userlock/features/two-factor-authentication-applications)
