Why you can trust ZDNET
:ZDNET independently tests and researches products to bring you our best recommendations and advice. When you buy through our links, we may earn a commission.Our process
'ZDNET Recommends': What exactly does it mean?
ZDNET's recommendations are based on many hours of testing, research, and comparison shopping. We gather data from the best available sources, including vendor and retailer listings as well as other relevant and independent reviews sites. And we pore over customer reviews to find out what matters to real people who already own and use the products and services we’re assessing.
When you click through from our site to a retailer and buy a product or service, we may earn affiliate commissions. This helps support our work, but does not affect what we cover or how, and it does not affect the price you pay. Neither ZDNET nor the author are compensated for these independent reviews. Indeed, we follow strict guidelines that ensure our editorial content is never influenced by advertisers.
ZDNET's editorial team writes on behalf of you, our reader. Our goal is to deliver the most accurate information and the most knowledgeable advice possible in order to help you make smarter buying decisions on tech gear and a wide array of products and services. Our editors thoroughly review and fact-check every article to ensure that our content meets the highest standards. If we have made an error or published misleading information, we will correct or clarify the article. If you see inaccuracies in our content, please report the mistake via this form.
Many devices now use biometrics to let you log in without the inconvenience of remembering and typing a password: it's more secure, but it usually adds a little to the price of the device. If you use any devices that don't have Windows Hello, Face ID or a fingerprint sensor then you must have a password on your account anyway.
If you want to use two-factor authentication (2FA) or even go full passwordless but you still have older devices with no biometric hardware (or you prefer not to use biometrics), a FIDO2 hardware key will let you use the same cross-platform authentication that's built into Windows, MacOS, iOS, Android, ChromeOS, Linux (although you may need to do a little more setup) and an increasing number of online services like Microsoft 365, Azure AD, Google Drive and more.
The Winkeo-C FIDO2 from Neowave is a compact little security key that also supports the older FIDO U2F specification that works with AWS, Dropbox, Facebook, GitHub, Gmail, GOV.UK, Okta, Salesforce, Twitter, Zoho and dozens of other sites and services. It's small enough to keep in the USB port of your laptop most of the time, although it doesn't sit flush enough that you'd necessarily want to leave it in place when you're carrying it in a bag (the lanyard hole makes it easy to put on a keyring to carry around though). We also found it fitted very snugly into the USB-C ports on multiple test devices, so you have to tug quite hard to extract it.
You don't have to install any software – not even a driver: just set up your accounts for 2FA (you have to do that for each site or service you want to use it with) and add the Winkeo-C as your security key. For many services, that will involve setting a PIN. Whereas a password is sent to the server (and if the service provider doesn't protect their data properly a data breach could expose it to attackers), PINs never leave your device and are not synced across devices the way passwords are, so you must set them up on each system. PINs are just used to unlock the secure hardware that stores your log-on credentials, which means they can't be exposed in the same way passwords can. Even if someone tricks you into telling them your PIN, they can't use it without your security key.
Once set up, the key uses both the PIN and a tiny touch surface on the end to log into FIDO2-enabled systems and services that support passwordless: when you're using it as 2FA with a service like Gmail, you still need to fill in your password, but you must also have the security key plugged in and touch it to prove you're there. This isn't a fingerprint sensor, just a capacitive sensor that detects a live person touching it.
Usually, the interface will tell you when to touch your device: if you miss that, the Winkeo-C flashes a bright red light to attract your attention (it also lights up green when you first plug it in to show it's been detected by your device). Because it's a USB-C device you can put it either way up: the light and touch surface are more visible when it's the right way up, but because the case is slightly translucent and the touch sensor is on the end, you can still use it (and notice the light) either way round.
If you don't have a USB-C port, Neowave has a USB-A model (the Winkeo-A FIDO2), which is quite a lot larger but otherwise works in the same way.
There are plenty of FIDO2 hardware keys on the market, with Yubico being perhaps the best known, which have options like NFC or biometrics and are mostly priced around £40-50. The Neowave keys are rather cheaper – £21.99/€29.99 for the Winkeo-A and £32.50/€29.99 for the Winkeo-C – if more basic.
As a lesser-known supplier, you may have a few more hoops to jump through to use these Neowave devices: they're not listed on the common instructions for setting up a UDEV rule to FIDO2 and you may need to turn off the key restriction policies in Azure AD that limit hardware manufacturers you can use before enabling security keys for your tenant.
That doesn't mean there are any security concerns (Neowave is a Microsoft partner and its security keys are certified by ANSSI, the French national cybersecurity agency), but it does mean a little extra setup work to make logging in both simpler and more secure.
Winkeo-C FIDO2 specifications
Smart card component
Certified Common Criteria EAL5+ • up to 1024 credentials for FIDO2 and FIDO U2F
user PIN (4-63 bytes, try limit = 8) • resident keys (max number ~256 credentials)
FIDO U2F features
No security failure in case of key or password theft (Authentication requires both)
Second factor authentication fully compliant with Google services through Chrome, Edge and Firefox browsers