OnlyKey

OnlyKey
Design firm	CryptoTrust
Color	Black (changeable sleeve)

Last updated April 10, 2024

OnlyKey is a multi-function hardware security key combining features of a password manager, two-factor authentication (2FA) token, file encryption token, and secure storage device. The device incorporates hardware storage for password and username combinations, also acting as a portable password manager.^[1]

Overview

OnlyKey is notable for its physical keypad, which allows users to enter a PIN code directly on the device.^[2] After 10 failed attempts to unlock, all data is erased.^[2] The device also features a data-destruction code that the user can key in.^[3]^[4] The device can store passwords, usernames/URLs, and one-time password (OTP) accounts, that can be used for online/offline access.^[2]^[4]

Features

Password management: OnlyKey can store and manage up to 24 passwords, usernames/URLs, and one-time password (OTP) accounts on the device itself.
Two-factor authentication (2FA): OnlyKey supports various 2FA protocols including FIDO2 WebAuthn, FIDO U2F, TOTP, Yubico OTP, and Challenge-response.^[5]^[4] When logging in to a configured website or service, besides entering the username and password, the user also physically confirms the login attempt by pressing a button.
Security and Durability: OnlyKey is open source^[2] and has upgradable firmware. ^[4]
Set up Apps: The device can be used via Chrome browser app, as well as desktop apps on macOS, Windows, and Linux (.deb)^[6]

Disadvantages

Cost: Compared to software-based password managers, OnlyKey requires an upfront purchase for the hardware device itself.
Learning Curve: Setting up and using OnlyKey may require familiarization with its features and functionalities compared to typical password management solutions. Complex setup process compared to security keys like YubiKey.^[3]^[4]
Physical Loss: Losing the OnlyKey device can potentially lock the user out of their accounts if no backup options are implemented.
Limited Lockout Effectiveness: The PIN lockout feature can be bypassed by repeatedly removing and re-inserting the OnlyKey from the USB port, resetting the attempt counter. This is a potential weakness due to the lack of non-volatile memory on the device itself.^[5]
Limited OTP Functionality: The absence of both an on-board clock and non-volatile memory necessitates the OnlyKey Chrome App to be running for Time-based One-Time Password (TOTP) generation. There are some exceptions when the hardware key is continuously powered.^[5]
Potential for accidental total data-destruction due to user's keying error.^[3]

Related Research Articles

An authenticator is a means used to confirm a user's identity, that is, to perform digital authentication. A person authenticates to a computer system or application by demonstrating that he or she has possession and control of an authenticator. In the simplest case, the authenticator is a common password.

RSA SecurID, formerly referred to as SecurID, is a mechanism developed by RSA for performing two-factor authentication for a user to a network resource.

A one-time password (OTP), also known as a one-time PIN, one-time authorization code (OTAC) or dynamic password, is a password that is valid for only one login session or transaction, on a computer system or other digital device. OTPs avoid several shortcomings that are associated with traditional (static) password-based authentication; a number of implementations also incorporate two-factor authentication by ensuring that the one-time password requires access to something a person has as well as something a person knows.

A security token is a peripheral device used to gain access to an electronically restricted resource. The token is used in addition to, or in place of, a password. Examples of security tokens include wireless keycards used to open locked doors, a banking token used as a digital authenticator for signing in to online banking, or signing a transaction such as a wire transfer.

HMAC-based one-time password (HOTP) is a one-time password (OTP) algorithm based on HMAC. It is a cornerstone of the Initiative for Open Authentication (OATH).

A software token is a piece of a two-factor authentication security device that may be used to authorize the use of computer services. Software tokens are stored on a general-purpose electronic device such as a desktop computer, laptop, PDA, or mobile phone and can be duplicated.

A password manager is a computer program that allows users to store and manage their passwords for local applications or online services such as web applications, online shops or social media. A web browser generally has a built in version of a password manager. These have been criticised frequently as many have stored the passwords in plaintext, allowing hacking attempts.

Multi-factor authentication is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence to an authentication mechanism. MFA protects personal data—which may include personal identification or financial assets—from being accessed by an unauthorized third party that may have been able to discover, for example, a single password.

Time-based one-time password (TOTP) is a computer algorithm that generates a one-time password (OTP) using the current time as a source of uniqueness. As an extension of the HMAC-based one-time password algorithm (HOTP), it has been adopted as Internet Engineering Task Force (IETF) standard RFC 6238.

Google Authenticator is a software-based authenticator by Google. It implements multi-factor authentication services using the time-based one-time password and HMAC-based one-time password, for authenticating users of software applications.

LinOTP is Linux-based software to manage authentication devices for two-factor authentication with one time passwords. It is implemented as a web service based on the python framework Pylons. Thus it requires a web server to run in.

multiOTP is an open source PHP class, a command line tool, and a web interface that can be used to provide an operating-system-independent, strong authentication system. multiOTP is OATH-certified since version 4.1.0 and is developed under the LGPL license. Starting with version 4.3.2.5, multiOTP open source is also available as a virtual appliance—as a standard OVA file, a customized OVA file with open-vm-tools, and also as a virtual machine downloadable file that can run on Microsoft's Hyper-V, a common native hypervisor in Windows computers.

<span class="mw-page-title-main">YubiKey</span> Hardware authentication device

The YubiKey is a hardware authentication device manufactured by Yubico to protect access to computers, networks, and online services that supports one-time passwords (OTP), public-key cryptography, and authentication, and the Universal 2nd Factor (U2F) and FIDO2 protocols developed by the FIDO Alliance. It allows users to securely log into their accounts by emitting one-time passwords or using a FIDO-based public/private key pair generated by the device. YubiKey also allows storing static passwords for use at sites that do not support one-time passwords. Google, Amazon, Microsoft, Twitter, and Facebook use YubiKey devices to secure employee accounts as well as end-user accounts. Some password managers support YubiKey. Yubico also manufactures the Security Key, a similar lower-cost device with only FIDO2/WebAuthn and FIDO/U2F support.

Universal 2nd Factor (U2F) is an open standard that strengthens and simplifies two-factor authentication (2FA) using specialized Universal Serial Bus (USB) or near-field communication (NFC) devices based on similar security technology found in smart cards. It is succeeded by the FIDO2 Project, which includes the W3C Web Authentication (WebAuthn) standard and the FIDO Alliance's Client to Authenticator Protocol 2 (CTAP2).

privacyIDEA is a two factor authentication system which is multi-tenency- and multi-instance-capable. It is opensource, written in Python and hosted at GitHub. privacyIDEA is a LinOTP's fork from 2014.

Credential Management, also referred to as a Credential Management System (CMS), is an established form of software that is used for issuing and managing credentials as part of public key infrastructure (PKI).

Bitwarden is a freemium open-source password management service that stores sensitive information, such as website credentials, in an encrypted vault. The platform offers a variety of client applications, including a web interface, desktop applications, browser extensions, mobile apps, and a command-line interface. Bitwarden offers a free US or European cloud-hosted service as well as the ability to self-host.

Passwordless authentication is an authentication method in which a user can log in to a computer system without the entering a password or any other knowledge-based secret. In most common implementations users are asked to enter their public identifier and then complete the authentication process by providing a secure proof of identity through a registered device or token.

NordPass is a proprietary password manager launched in 2019. It is meant to help its users to organise their passwords and secure notes, keeping them in a single encrypted password vault. This service comes in both free and premium versions, though the free version lacks much of the paid functionality like multi-device login. NordPass was developed by the same cybersecurity team that created NordVPN, a VPN service provider.

The following is a general comparison of OTP applications that are used to generate one-time passwords for two-factor authentication (2FA) systems using the time-based one-time password (TOTP) or the HMAC-based one-time password (HOTP) algorithms.

References

↑ W., Tyler (2021-07-25). "OnlyKey is not the Only Key". Cyberwise. Archived from the original on 2023-12-08. Retrieved 2024-04-03.
1 2 3 4 Wazir, Saeed (2023-12-18). "Best security keys: Secure your laptops, smartphones and apps from hackers". Pocket-lint. Archived from the original on 2024-03-29. Retrieved 2024-04-03.
1 2 3 Kingsley-Hughes, Adrian (2021-02-10). "OnlyKey: The ultimate security key for professionals". ZDNET. Archived from the original on 2024-03-24. Retrieved 2024-04-03.
1 2 3 4 5 Loeffler, John (2023-01-13). "The best security key in 2024: hardware keys for top online protection". TechRadar. Archived from the original on 2024-03-29. Retrieved 2024-04-03.
1 2 3 "Blog: OnlyKey Thoughts". It's Chris Approved. Archived from the original on 2023-06-28. Retrieved 2024-04-03.
↑ Mens, Jan-Piet (2019-08-26). "Testing an OnlyKey hardware password manager". Jan-Piet Mens. Archived from the original on 2023-09-25. Retrieved 2024-04-03.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[W._2021_o356-1] W., Tyler (2021-07-25). "OnlyKey is not the Only Key". Cyberwise. Archived from the original on 2023-12-08. Retrieved 2024-04-03.

[Wazir_2023-2] 1 2 3 4 Wazir, Saeed (2023-12-18). "Best security keys: Secure your laptops, smartphones and apps from hackers". Pocket-lint. Archived from the original on 2024-03-29. Retrieved 2024-04-03.

[Kingsley-Hughes_2021-3] 1 2 3 Kingsley-Hughes, Adrian (2021-02-10). "OnlyKey: The ultimate security key for professionals". ZDNET. Archived from the original on 2024-03-24. Retrieved 2024-04-03.

[Loeffler_2023_e619-4] 1 2 3 4 5 Loeffler, John (2023-01-13). "The best security key in 2024: hardware keys for top online protection". TechRadar. Archived from the original on 2024-03-29. Retrieved 2024-04-03.

[Its_Chris_Approved_f015-5] 1 2 3 "Blog: OnlyKey Thoughts". It's Chris Approved. Archived from the original on 2023-06-28. Retrieved 2024-04-03.

[Mens_2019-6] Mens, Jan-Piet (2019-08-26). "Testing an OnlyKey hardware password manager". Jan-Piet Mens. Archived from the original on 2023-09-25. Retrieved 2024-04-03.

[1]

[2]

[3]

[4]

[5]

[6]

v t e Password managers
Proprietary	1Password Dashlane Enpass Intuitive Password Keeper LastPass Microsoft Autofill Myki NordPass Pleasant Password Server RoboForm SafeInCloud
Open source	Bitwarden Factotum GNOME Keyring KeePass KeePassXC KeeWeb Keychain KWallet OnlyKey Pass Password Safe Seahorse
Discontinued	Encryptr Firefox Lockwise Gator eWallet KeePassX KYPS Mitro Offer Assistant
Category List of password managers