Here’s the thing nobody tells you when you’re screwing a smart lock into your door: you didn’t replace your house key with a PIN or a fingerprint. You replaced it with a cloud account. The lock, the doorbell camera, the alarm, the garage door, the voice assistant that can disarm all of the above — they hang off a handful of logins. Google. Amazon. Apple. The vendor’s own app.

Which means the burglar of 2026 doesn’t need a crowbar. They need your password — and the odds are good it’s already out there.

The raw material is abundant: 149 million plaintext passwords were found sitting in one open infostealer database this year, and credential-stuffing tools test them against camera and smart-home clouds around the clock. The consequences aren’t abstract either — Russia turned Europe’s civilian doorbells and security cameras into a distributed spy network, and the DOJ just dismantled four IoT botnets that had conscripted weakly-secured home devices into record 30 Tbps DDoS cannons.

Why Codes and Push Approvals Aren’t Enough

“But I have 2FA!” If your second factor is a texted code, an authenticator app, or a push approval, understand what it protects against: someone who only has your password. Modern phishing kits proxy the real login page in real time — you type your code into a pixel-perfect clone, the kit forwards it to the real site, and the attacker walks in with a valid session. Push fatigue attacks just spam approvals until a tired thumb slips.

A FIDO2 hardware security key is different in kind, not degree. The key performs a cryptographic handshake bound to the genuine website’s origin. On a fake page, the handshake simply fails — there is no code to steal, nothing to relay, nothing to approve. Phishing stops working. Full stop.

The Key We Recommend: Nitrokey

We like Nitrokey for the same reason we like open standards in the smart home: you can check the vendor’s homework.

  • Fully open-source firmware and hardware — publicly auditable, made in Germany, secrets held in a tamper-resistant secure element
  • Nitrokey 3 with NFC — tap it against your phone to approve logins in the same apps that control your house
  • Nitrokey Passkey (~€32) — the budget FIDO2-only option; cheap enough to buy one per family member
  • Independent audits (Cure53) instead of “trust us”

Nitrokey open-source hardware security key

Buy direct from Nitrokey → or, for US households, securitygadgets.shop/nitrokey ships from a US warehouse with 2-day delivery. Our sister site has the full Nitrokey review if you want the deep dive.

The One-Evening Rollout

Work from the blast radius inward:

  1. The account your smart home hangs off — Google, Amazon, or Apple. Enroll the key, then remove SMS as a fallback (a key plus SMS fallback is just SMS with extra steps).
  2. Your email. Password resets for every camera and lock app land here. Whoever owns your inbox owns your house.
  3. Camera and lock vendor accounts — Ring, Nest, Wyze, August, whatever you run. Use the key where FIDO2/passkeys are supported; where it isn’t, use app-based TOTP and a unique password from a manager.
  4. Router and NAS admin panels. The boxes between your IoT devices and the internet deserve better than admin/admin — the FBI just unwound a 20-year, $46 million proxy empire built entirely on hacked home routers.
  5. Buy two keys. Enroll both everywhere, keep the spare in a drawer. Losing your only key is the self-inflicted lockout nobody warns you about.

One more layer for the enthusiasts: the phone you control your house from is itself a smart-home device. A NitroPhone — GrapheneOS on Pixel hardware, sold alongside the keys at securitygadgets.shop — is the de-Googled version of that remote control. (And no, running GrapheneOS doesn’t make you a criminal — it makes you the person who read the telemetry disclosures.)

Vendors Who Show Up

Nitrokey backs the security community we’re part of: at CISO.POKER, the invite-only security-leaders poker night on August 5, 2026 at The Wynn in Las Vegas, Nitrokey sponsors the final table and puts up “The Pocket” privacy-hardware kit as the third-place prize. Open firmware and skin in the community — that’s the combination that earns a recommendation here.

Bottom Line

You hardened the devices, segmented the network, changed the default passwords. But the accounts above the hardware are the real keys to the house, and passwords plus phishable codes won’t hold them. Two hardware keys and one evening of enrollment close the front door for good.

Get your Nitrokey →

Affiliate disclosure: This article contains affiliate links. If you purchase through our links we may earn a commission at no extra cost to you.