Nitrokey

A hardware security key (USB-A, USB-C or NFC) cryptographically proves your identity to the sites you log into. The standard is FIDO2 / WebAuthn — phishing-resistant because the key's signature is tied to the exact website it's talking to, so a spoofed login page can't replay it. Infostealer malware (per the ACSC's 7 May 2026 ClickFix advisory) steals SMS codes, TOTP codes and session cookies, but it cannot steal a FIDO2 signature.

The ACSC Essential Eight requires phishing-resistant MFA from Maturity Level 2 upward, with FIDO2 (preferably Level 2 certified) explicitly recommended. NitroKey is European-made and open source — auditable firmware, no proprietary chip dependencies. AU passkey support: Ubank since mid-2024, ANZ Plus from mid-2025, with NAB, CommBank and Westpac following in 2025–2026. For setup, see our NitroKey walk-through.