Two-factor authentication, which uses something you know (like your login information) with something you have (like a mobile phone), is essential for safeguarding your online accounts. Google recently announced it added the ability to use a physical USB key as the "something you have" element, which can greatly strengthen your Gmail, Google Drive, and other Google account services. But it might not be for everyone.
Don't get me wrong, the security key option is an excellent addition. Using a physical key instead of entering a code generated on your smartphone strengthens security because it means you don't have to deal with fake sites pretending to be Google. (The USB key verifies it's a genuine Google site before authenticating.) It's also just as convenient as using your smartphone--in both cases you have to have the object on you to authenticate.
I've been thinking about using a security key, not just for Google, but for other sites that enable this physical two-factor authentication method, like LastPass and my investment account.
The issue, though, are that it doesn't play well with mobile. A USB key doesn't need a mobile data connection or battery charge to work, so in that sense it's better than using a smartphone app or text messaging for security. But smartphones and iPads don't have USB ports. Also, Google's security key implementation only works for Chrome browser users.
Mobile seems to be the biggest sticking point when it comes to security. Password entry and other form-filling conveniences we have on the desktop using password managers are clunky or nonexistant on our phones or tablets. Hardware keys don't work on our mobile devices. Long, complex passwords are a royal pain to enter on the small virtual keyboards.
Use a security key if you're mainly on the desktop. It's the most secure option we have now. (Google's implementation uses a FIDO U2F system, like this $18 Yubico key.)
Here's hoping that more secure implementations of two-factor authentication for mobile users roll out soon as well.