A hardware security key is a physical device — typically a USB or NFC key such as a YubiKey, Google Titan, or similar — that acts as the second factor (or, via passkey, the only factor) for your sign-in. It is the most phishing-resistant sign-in method available.
Why hardware keys are the strongest option
- They cannot be phished. The key is cryptographically bound to the genuine Credicorp domain. If you are on a fake site, the key simply will not respond — even if the site looks identical.
- There is no code to intercept or guess. Unlike a 6-digit TOTP code, hardware-key authentication uses challenge-response cryptography that cannot be replayed.
- Your private key never leaves the device. The signing operation happens inside the key itself. Credicorp (and any other service) only ever sees the public half.
How hardware keys work with Credicorp
Hardware keys can be used in two ways on your Credicorp account:
- As a passkey — the key stores a discoverable passkey credential (WebAuthn resident key). You tap the key to complete the full sign-in, no password needed.
- As a FIDO2 second factor — you enter your password, then tap the key when prompted for the second factor. The key generates a signed assertion that verifies your presence.
Compatible hardware keys
Any FIDO2/WebAuthn-compatible key will work. Widely-used options include:
- YubiKey 5 series — supports NFC, USB-A, USB-C; works across phones, tablets and computers.
- YubiKey Security Key series — a lower-cost FIDO2-only option without OTP support.
- Google Titan — USB-A, USB-C and NFC variants.
- Feitian keys — FIDO2 keys with NFC and USB options.
The key must support FIDO2 / WebAuthn. Older U2F-only keys may work as a second factor but cannot store passkeys (discoverable credentials).
Registering your hardware key
- Sign in to the portal at clients.credicorp.co.uk/login with your existing email and password.
- Go to Settings → Security → Add a passkey (or Add a security key if shown separately).
- When your browser asks, insert your key into the USB port (or hold it near the NFC reader on your phone).
- Touch the gold circle or button on your key when the indicator light flashes. This is your physical "presence" confirmation.
- Give the key a recognisable name — for example "YubiKey 5C nano" — so you can identify it in your list of enrolled keys.
Signing in with your hardware key
On the sign-in page, select Sign in with a passkey (or wait for the key prompt if you have 2FA active). Insert or tap your key when prompted, touch the button when the light flashes, and the sign-in completes. No code, no typing.
Registering a backup key
Because a hardware key is a physical object, we strongly recommend registering at least two: a primary key and a backup stored somewhere secure (not on the same keyring). If the primary key is lost or damaged, the backup gives you access without needing to go through account recovery. Register the second key in the same way — Settings → Security → Add a passkey — while you still have the primary available.
If you lose your hardware key
Sign in using a different registered sign-in method (password, backup passkey, recovery codes) and immediately go to Settings → Security to remove the lost key. This revokes the lost key and stops anyone who finds it from using it on your account. If the lost key was your only sign-in route, see recovering access after losing your two-factor authenticator.
If your hardware key flashes or your browser asks you to tap your key, and you did not just visit the sign-in page yourself, do not tap the key. An attacker may be trying to pass a challenge to your key via a relay attack. Reject the prompt and contact us if this happens repeatedly.
See also: How passkeys work on Credicorp sign-in, Setting up a passkey for your Credicorp account, Recovering access after losing your two-factor authenticator.