OnlyKey

From Wikipedia, the free encyclopedia
Design firm: CryptoTrust
Color: Black (changeable sleeve)

OnlyKey is a multi-function hardware security key combining features of a password manager, two-factor authentication (2FA) token, file encryption token, and secure storage device. The device incorporates hardware storage for password and username combinations, also acting as a portable password manager.[1]

Overview

OnlyKey is notable for its physical keypad, which allows users to enter a PIN code directly on the device.[2] After 10 failed attempts to unlock, all data is erased.[2] The device also features a data-destruction code that the user can key in.[3][4] The device can store passwords, usernames/URLs, and one-time password (OTP) accounts that can be used for online/offline access.[2][4]

Features

  • Password management: OnlyKey can store and manage up to 24 passwords, usernames/URLs, and one-time password (OTP) accounts on the device itself.
  • Two-factor authentication (2FA): OnlyKey supports various 2FA protocols including FIDO2 WebAuthn, FIDO U2F, TOTP, Yubico OTP, and Challenge-response.[5][4] When logging in to a configured website or service, besides entering the username and password, the user also physically confirms the login attempt by pressing a button.
  • Security and Durability: OnlyKey is open source[2] and has upgradable firmware.[4]
  • Set up Apps: The device can be used via a Chrome browser app, as well as desktop apps on macOS, Windows, and Linux (.deb).[6]

Disadvantages

  • Cost: Compared to software-based password managers, OnlyKey requires an upfront purchase for the hardware device itself.
  • Learning Curve: Setting up and using OnlyKey may require familiarization with its features and functionalities compared to typical password management solutions. The setup process is complex compared to security keys like YubiKey.[3][4]
  • Physical Loss: Losing the OnlyKey device can potentially lock the user out of their accounts if no backup options are implemented.
  • Limited Lockout Effectiveness: The PIN lockout feature can be bypassed by repeatedly removing and re-inserting the OnlyKey from the USB port, resetting the attempt counter. This is a potential weakness due to the lack of non-volatile memory on the device itself.[5]
  • Limited OTP Functionality: The absence of both an on-board clock and non-volatile memory requires the OnlyKey Chrome App to be running for Time-based One-Time Password (TOTP) generation. There are some exceptions when the hardware key is continuously powered.[5]
  • Accidental Data Destruction: A keying error by the user can trigger total destruction of the stored data.[3]
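
The TOTP limitation listed above, shown as an added example (it is not OnlyKey firmware and not code from the cited sources): an RFC 6238 code is a function of the shared secret and the current time, so a token without its own clock can only produce a code the server accepts after a host supplies the time. `ClocklessToken` and `server_accepts` are hypothetical names, and the secret and timestamp are the published RFC 6238 test values.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step, the RFC 6238 default

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code depends on the secret and the time."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class ClocklessToken:
    """Hypothetical model: time lives only in volatile state set by the host."""
    def __init__(self, secret: bytes):
        self._secret = secret
        self._host_time = None  # unknown until a host app supplies it

    def set_time(self, unix_time: int) -> None:
        self._host_time = unix_time

    def power_cycle(self) -> None:
        self._host_time = None  # unplugging loses the time reference

    def code(self, seconds_powered: int = 0):
        if self._host_time is None:
            return None  # no time source, so no valid TOTP can be produced
        return totp(self._secret, self._host_time + seconds_powered)

def server_accepts(secret: bytes, code, server_time: int, window: int = 1) -> bool:
    """Verifier side: accept codes within +/- `window` time steps."""
    if code is None:
        return False
    return any(hmac.compare_digest(code, totp(secret, server_time + d * STEP))
               for d in range(-window, window + 1))

if __name__ == "__main__":
    secret = b"12345678901234567890"  # published RFC 6238 test secret
    now = 1111111109                  # published RFC 6238 test timestamp
    token = ClocklessToken(secret)
    print("no host time:", token.code())
    token.set_time(now)
    print("host supplied time:", token.code(), server_accepts(secret, token.code(), now))
    token.power_cycle()
    print("after power cycle:", token.code())
```

The `seconds_powered` argument models the continuously powered exception: once the time has been set, the token can keep counting only for as long as it stays plugged in.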

References

  1. W., Tyler (2021-07-25). "OnlyKey is not the Only Key". Cyberwise. Archived from the original on 2023-12-08. Retrieved 2024-04-03.
  2. Wazir, Saeed (2023-12-18). "Best security keys: Secure your laptops, smartphones and apps from hackers". Pocket-lint. Archived from the original on 2024-03-29. Retrieved 2024-04-03.
  3. Kingsley-Hughes, Adrian (2021-02-10). "OnlyKey: The ultimate security key for professionals". ZDNET. Archived from the original on 2024-03-24. Retrieved 2024-04-03.
  4. Loeffler, John (2023-01-13). "The best security key in 2024: hardware keys for top online protection". TechRadar. Archived from the original on 2024-03-29. Retrieved 2024-04-03.
  5. "Blog: OnlyKey Thoughts". It's Chris Approved. Archived from the original on 2023-06-28. Retrieved 2024-04-03.
  6. Mens, Jan-Piet (2019-08-26). "Testing an OnlyKey hardware password manager". Jan-Piet Mens. Archived from the original on 2023-09-25. Retrieved 2024-04-03.