Phishing-resistant hardware MFA — a FIDO2 security key like the YubiKey 5C NFC — is the cleanest way to satisfy the multifactor authentication requirements in the CMMC Identification & Authentication (IA) control family. Buy at least two keys per person who touches CUI, enroll a primary and a registered backup on every account, store spares in a safe, then turn off weaker methods so the key is the only path in. It supports the IA controls with strong, gradeable evidence — it doesn't make you compliant by itself.
If an assessor is going to fail a small shop on any single thing, it's usually access. Weak or missing MFA, a shared admin password, no record of who logged into what. The Identification & Authentication family is where paperwork and reality drift apart fastest — and it's also where one good piece of hardware closes the gap.
This is the setup I'd hand a five-person contractor tomorrow. Not a features tour of every security key on the market — the specific, boring, repeatable process that turns "we have MFA" into evidence an assessor can grade. Buy the right keys, enroll them properly, register a backup so nobody gets locked out, and enforce it so the weak methods can't sneak back in.
NIST 800-171 — the control set behind CMMC Level 2 — puts identity and authentication in the IA family. Strip out the jargon and the relevant requirements come down to three plain ideas: know who is logging in, prove it with more than a password, and make that proof resistant to being stolen or replayed.
The specific one people quote is the multifactor requirement: MFA for local and network access to privileged accounts, and for network access to non-privileged accounts. There's a companion requirement that leans harder — employ replay-resistant authentication mechanisms. A texted code fails that spirit the moment someone relays it through a fake login page. A hardware key doesn't, because the cryptographic handshake is bound to the real site and can't be replayed against it.
So when an assessor reviews your IA controls, they're not asking "do you have MFA turned on somewhere." They're asking: which accounts, which method, can it be phished, and can you show me the record. A security key gives you a strong, defensible answer to all four.
App-based MFA is real MFA and it counts. But it has a failure mode that hardware doesn't, and that failure mode is exactly how small contractors get compromised.
Here's the attack. A user gets a convincing email, clicks through to a page that looks like the Microsoft 365 login, and types their password. The fake page instantly relays those credentials to the real Microsoft. Microsoft asks for the six-digit code. The user, still fooled, types the code from their authenticator app into the fake page. The attacker relays that too — and they're in. The app did its job. The human got played. This is happening to real shops every week, and it's the reason CISA and NIST both push phishing-resistant authentication for anything that matters.
A FIDO2/WebAuthn key kills that attack at the protocol level. When you register a YubiKey to an account, the key ties itself to that site's real origin. Tap it on a phishing page and the handshake simply won't complete — the domain doesn't match, so there's nothing to relay. The user can't be tricked into approving the wrong site, because the key checks the site for them. That's the whole difference, and it's why hardware is the right call for CUI access.
For most small contractors the answer is the YubiKey 5C NFC, and it's not close. USB-C plugs into current laptops without a dongle. NFC taps against phones and tablets for mobile logins. And it speaks the protocols you actually need — FIDO2/WebAuthn for modern MFA, PIV smart-card for anything that wants a certificate, and OTP as a fallback. One key covers Microsoft 365 / Entra ID, Google Workspace, most VPN clients, and your password vault. If your fleet is still on older USB-A ports, the YubiKey 5 NFC (USB-A) is the same key in a different plug.
The practical default for a small DoD shop. FIDO2/WebAuthn, PIV, and OTP in one USB-C + NFC key, so it satisfies the multifactor and replay-resistant authentication requirements across nearly every service you run. Buy one per user for daily carry, a second per user as a registered backup, and a couple of spares for the safe. No subscription — you own the hardware.
View on Amazon →On quantity, the mistake is buying one key per person and stopping. A single key is a single point of failure — lose it and that person is locked out of every account it protected, sometimes for days. Plan it out like this:
None of this is hard. It's about doing it in order and writing down that you did it, because the record is half the control.
Order two keys per CUI user plus your spares in one shot. You want every user's primary and backup in hand before enrollment day, so nobody registers only one key with a "I'll add the backup later" that never happens.
Start at the front door — your identity provider. For most small shops that's Microsoft 365 / Entra ID or Google Workspace. In each user's security settings, add the YubiKey as a passkey / security key under FIDO2. Tap, set the PIN, done. Do this account first because your IdP is what gates most of the other logins.
Immediately register the second key on the same account, right then, while you're in the settings. Same process, second key. This is the non-negotiable step. Both keys now open the account; the backup goes in the safe.
Now hit the rest of the accounts that touch CUI or admin: your VPN or ZTNA client, your password vault, cloud consoles, remote access. Register both the primary and backup on each. A single 5C NFC handles all of them, so it's the same tap over and over.
This is the step that converts "we handed out keys" into an enforced control. In your IdP, require phishing-resistant MFA for the accounts in scope, then remove SMS and, where you can, downgrade or disable app-push for those accounts. If the weaker method is still available, an attacker will just target it — and an assessor will note that you have MFA but don't enforce the strong one. Enforcement is the difference between a policy and a control.
Record it in your System Security Plan: which accounts require hardware MFA, that every user has a primary and a registered backup, where spares live, and the lost-key procedure. The evidence an assessor wants isn't the box of keys — it's the documented, enforced process behind them. This is the exact paperwork the compliance kit below gives you a template for.
Where do you stand on the other 109 controls? Estimate your NIST 800-171 self-assessment score against all 110 in about two minutes — free, no consultant required.
Check my SPRS score →A security key proves who is logging in. It doesn't manage the passwords sitting behind those logins, and it doesn't produce the access logs an assessor asks to see. That's the other half of the IA and AC story, and it's where a credential vault earns its place next to the key.
The pairing I'd deploy is Keeper Security, and the reasoning is specific, not generic. Keeper is FedRAMP High Authorized and FIPS 140-3 validated — which matters because it means the vault itself meets a government-grade bar rather than just claiming to be secure. You unlock Keeper with the YubiKey, so the same phishing-resistant factor now guards every shared credential in the company. And critically, Keeper keeps access logs and provisioning records — who accessed which credential, when, and who has access to what. That's evidence for the account-management and audit-logging controls that small shops usually have no answer for.
Put plainly: the YubiKey satisfies the authentication requirement, and the vault it unlocks satisfies the credential-management and logging requirements. Together they cover more of the IA and AC families than either does alone — which is exactly why I recommend running them as a pair rather than a key on its own.
FedRAMP Authorized and FIPS 140-2 validated password and secrets manager. Store every shared and privileged credential behind the YubiKey, enforce access policy, and — the part assessors care about — export the access logs and provisioning records that prove who touched what. It's the credential-management and audit layer the security key doesn't cover on its own.
Get Keeper →Straight talk, because overselling this is how contractors get blindsided. A YubiKey supports the IA multifactor controls extremely well. It does not make you CMMC compliant. Compliance is 110 controls across fourteen families — access, audit, configuration, incident response, media protection, physical security, and the rest. Hardware MFA is one strong answer to one family. It's real, gradeable evidence, and it closes the gap assessors probe first — but it's a plank, not the floor.
Two more honest notes. First, standard YubiKey 5 Series keys provide phishing-resistant MFA that supports the IA controls; Yubico sells a separate FIPS 140-2 validated 5 Series line if a contract or your assessor specifically requires validated authenticators — buy that line only if you're told to. Second, the control isn't the key sitting in a drawer. The control is enrolled, enforced, documented, and backed up. Do the setup and write it down, and you've earned the evidence. Buy the keys and leave SMS turned on, and you've spent money without closing the gap.
The honest promise here is audit-ready preparation, not a passing grade. If your contract requires Level 2 certification, a C3PAO still runs the assessment — no product, mine included, replaces that. What good hardware and good documentation do is let you walk in with the IA family already handled instead of scrambling.
The CMMC Level 2 DIY Compliance Kit is the documentation a consultant would bill five figures to produce: a pre-written System Security Plan, all 20 required policies (including access control and identification & authentication), a POA&M template, an evidence checklist, and a per-control SPRS scorer. It's where your YubiKey rollout becomes written, enforced, assessor-ready evidence.
Want the number behind all of this? MFA is cheap; the assessment isn't. See the full CMMC cost breakdown for small business to understand where the real money goes — and read The CUI Enclave Method to shrink the boundary before anyone bills you.
No single product makes you compliant. A YubiKey directly supports the Identification and Authentication (IA) control family by providing phishing-resistant multifactor authentication for privileged and network access, which is one requirement among 110. It's strong, gradeable evidence for the MFA controls, but you still need the rest of your controls implemented and documented in your System Security Plan, and if your contract requires Level 2 certification, a C3PAO still performs the actual assessment.
Authenticator apps and SMS codes can be phished — an attacker relays the code through a fake login page in real time, or SIM-swaps the number. A FIDO2/WebAuthn hardware key like a YubiKey is bound to the real site's origin, so a phishing page physically cannot complete the handshake. NIST calls this phishing-resistant authentication, and it's the strongest way to satisfy the multifactor requirement in NIST 800-171. Apps still count as MFA, but hardware removes the failure mode assessors and attackers both probe.
Plan for at least two keys per user who touches CUI — one primary carried daily and one backup registered to the same accounts and stored securely — plus a couple of spare keys kept in a safe for onboarding and lost-key replacement. A five-person shop typically buys ten to twelve keys. Registering a backup on every account is the step people skip, and it's the one that keeps a lost key from locking someone out of a controlled system.
For most small contractors the YubiKey 5C NFC is the practical default. USB-C fits current laptops, NFC lets it tap phones and tablets, and it supports FIDO2/WebAuthn, PIV smart card, and OTP, so it covers Microsoft 365/Entra, Google Workspace, and most VPN and vault logins with one key. If your environment is standardized on older USB-A hardware, the 5 NFC (USB-A) is the equivalent.
The YubiKey proves who is logging in; a FedRAMP and FIPS 140-3 validated credential vault like Keeper stores and controls the passwords behind those logins and produces the access logs an assessor asks for. The key handles the authentication control, the vault handles the credential management and audit-logging controls. You unlock the vault with the YubiKey, and together they cover more of the IA and AC families than either does alone.
For most Level 2 authentication use it does not have to be — standard YubiKey 5 Series keys provide phishing-resistant MFA that supports the IA controls. Yubico also sells a separate FIPS 140-2 validated 5 Series line for organizations with a specific requirement to use validated cryptographic modules for authentication. If a contract or your assessor calls for FIPS-validated authenticators, buy the FIPS line; otherwise the standard 5C NFC is what most small shops deploy.