diff --git a/docs/pages/guides/endpoint-security/hardware-security-keys.mdx b/docs/pages/guides/endpoint-security/hardware-security-keys.mdx
new file mode 100644
index 00000000..48361b47
--- /dev/null
+++ b/docs/pages/guides/endpoint-security/hardware-security-keys.mdx
@@ -0,0 +1,81 @@
+---
+title: "Hardware Security Keys | Security Alliance"
+description: "Use hardware security keys on critical accounts, keep a backup enrolled, and avoid weak recovery paths."
+tags:
+ - Security Specialist
+contributors:
+ - role: wrote
+ users: [louis, dickson]
+---
+
+import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter } from '../../../../components'
+
+
+
+
+# Hardware Security Keys
+
+
+
+
+## Summary
+
+> 🔑 **Key Takeaway for Hardware Security Keys:** Use FIDO2/WebAuthn security keys on high-value accounts, register
+> at least two keys per critical account, disable SMS fallback where possible, and test recovery before you need it.
+
+Hardware security keys are one of the strongest practical defenses against phishing, credential stuffing, and
+SIM-swap-based account takeovers. They are especially valuable for email, source control, registrars, cloud platforms,
+social accounts, and any admin or financial account that could be used to pivot into the rest of your organization.
+
+## For Individuals
+
+These steps apply to personal and work accounts that support FIDO2/WebAuthn security keys or passkeys stored on a
+hardware key.
+
+### Setup Checklist
+
+- [ ] Buy at least **two** security keys from a reputable vendor such as Yubico
+- [ ] Prefer keys that match your device mix:
+ - USB-C for modern laptops and phones
+ - NFC if you regularly authenticate on mobile
+- [ ] Label one key **Primary** and the other **Backup**
+- [ ] Register both keys on every critical account that supports them:
+ - Primary email
+ - GitHub and code hosting
+ - Registrar and DNS providers
+ - Cloud and deployment platforms
+ - Banking, custody, or treasury accounts
+ - Social and communication accounts
+- [ ] Where offered, prefer:
+ - **Security key**
+ - **Passkey on hardware key**
+ - Other phishing-resistant WebAuthn/FIDO2 options
+- [ ] Disable **SMS** as a recovery or second-factor method wherever the service allows it
+- [ ] Save provider-issued backup or recovery codes offline
+- [ ] Test both the primary and backup key after enrollment
+
+### Practical Use
+
+- Keep the **Primary** key with you for normal logins
+- Store the **Backup** key in a separate secure location, not in the same bag or drawer
+- Maintain a short note in your password manager listing which critical accounts have which keys enrolled
+- If a service allows multiple authentication methods, avoid leaving weaker fallback paths enabled unless they are
+ operationally necessary
+- Replace lost or damaged keys immediately and re-test the remaining enrolled key
+
+### Recovery Discipline
+
+- Do not wait until you lose a key to learn how account recovery works
+- If you lose your only key and do not have a second enrolled key or a usable recovery path, you can lock yourself out
+ of critical accounts at the moment you most need them
+- Verify that your recovery path does not depend on a phone number if you are trying to reduce SIM-swap risk
+- If an account only supports app-based MFA or SMS, record that exception clearly and prioritize moving the account to
+ a stronger provider or stronger configuration when possible
+
+## Further Reading
+
+- [Opsek YubiKeys Cheatsheet](https://github.com/Opsek/Yubikeys-cheatsheet)
+- [Yubico: YubiKey Authenticator](https://www.yubico.com/products/yubico-authenticator/)
+
+
+
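Review bot: The import on the `import { TagList, AttributionList, TagProvider, TagFilter, ContributeFooter }` line pulls in five components that the page body never renders, so this will fail or warn under a no-unused-imports lint rule and, more importantly, means the page ships without the tag list, attribution block and contribute footer that the frontmatter `tags:` and `contributors:` fields exist to feed; either render them where the runs of empty `+` lines after the `# Hardware Security Keys` heading and after `## Summary` currently sit, or drop the import. Two smaller points in the same hunk: the "Further Reading" entry labelled `Yubico: YubiKey Authenticator` links to `yubico-authenticator`, which is the Yubico Authenticator app (OTP/TOTP), not the FIDO2/WebAuthn functionality this guide recommends, so either relabel it (the product is "Yubico Authenticator") or swap in a Yubico FIDO2/security-key setup reference; and in the frontmatter, `users: [louis, dickson]` appears at the same indentation as the `- role: wrote` dash rather than aligned under `role`, which YAML would parse as a separate key rather than part of the list entry, so confirm the committed file indents it correctly (the nested checklist bullets such as `- USB-C for modern laptops and phones` show the same flattening and should be verified too).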
diff --git a/docs/pages/guides/endpoint-security/index.mdx b/docs/pages/guides/endpoint-security/index.mdx
index f9f5eae7..5f4c85a5 100644
--- a/docs/pages/guides/endpoint-security/index.mdx
+++ b/docs/pages/guides/endpoint-security/index.mdx
@@ -11,4 +11,5 @@ title: "Endpoint Security"
## Pages
+- [Hardware Security Keys](/guides/endpoint-security/hardware-security-keys)
- [Zoom Hardening Guide](/guides/endpoint-security/zoom-hardening)
diff --git a/vocs.config.tsx b/vocs.config.tsx
index 0c7d129e..6fa7ce70 100644
--- a/vocs.config.tsx
+++ b/vocs.config.tsx
@@ -533,6 +533,7 @@ const config = {
text: 'Endpoint Security',
collapsed: true,
items: [
+ { text: 'Hardware Security Keys', link: '/guides/endpoint-security/hardware-security-keys' },
{ text: 'Zoom Hardening', link: '/guides/endpoint-security/zoom-hardening' },
]
},
diff --git a/wordlist.txt b/wordlist.txt
index 71349ab7..ea7cffd2 100644
--- a/wordlist.txt
+++ b/wordlist.txt
@@ -332,4 +332,5 @@ SSDF
SLSA
pids
Kata
-rootfs
\ No newline at end of file
+rootfs
+Opsek
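Review bot: Only `Opsek` is whitelisted here, but the new page also introduces `Yubico`, `YubiKey`, `YubiKeys`, `FIDO2`, `WebAuthn`, `NFC`, `passkeys` and `custody`; if the spellcheck that consumes `wordlist.txt` does not already know those, it will fail on the new file, so run it against `hardware-security-keys.mdx` and add whatever it flags in this same change. Restoring the trailing newline on `rootfs` is a welcome fix.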