Do you take online security seriously and want to avoid having your personal data exposed? If so, a two-factor login is essential, and a hardware security key is better still, because it makes account takeover a lot harder. The OnlyKey is an innovative security key that offers more than FIDO/U2F/FIDO2 and TOTP code generation. It is a complete solution for secure logins and even for PGP file encryption.
OnlyKey was created in 2016 to solve a problem that no other device solves, according to its developer, a security consultant and ethical hacker. His observation was that software password managers are better than nothing, but that they can also be a huge security risk. I do agree with that statement, but I'd like to point out that managing or implementing a good security strategy is always going to be a hassle. And everything that's a hassle is going to remain risky. People want to go about their business without distractions, and to most of us security is distracting and often frustrating.
The following review is quite long (2312 words, an average reading time of 9 min 39 sec), so here is a chapter list:
- OnlyKey versus the others
- Setting it up, how it works
- The OnlyKey app
- My opinion
- Epilogue and use case scenarios
OnlyKey versus the others
There's OnlyKey and then there are the others. Few of those matter much, except for market leader Yubikey. In my opinion the Yubikey 5 is the simplest security key possible, with USB and NFC capability. You can use it as a FIDO[1] / U2F[2] key without any companion app if the website or system supports it, or as a TOTP[3] / OTP[4] key (TOTP needs the Yubico Authenticator app to read out the codes, while Yubico OTP is typed by the key itself). Yubikey has a few more capabilities, e.g. two OTP slots (short and long touch), a FIDO2 PIN you can set and change, and a PIV (Personal Identity Verification) smart-card identity for logging into your computer. Beyond that you can enable or disable individual protocols to reduce the key's attack surface somewhat, but that's basically it.
Physically, the Yubikey has only a touch contact, which confirms user presence for FIDO and triggers its OTP slots; there is no way to enter a PIN on the key itself.
In contrast, the OnlyKey has a whole range of combined hardware/software capabilities and, physically, a touch-based 6-number keypad on which you enter a 7- to 10-digit PIN directly on the device. It lets you set up two profiles with 12 slots each. A slot can hold a complete login sequence, including URL, user name, password and 2FA (two-factor authentication) settings. It supports FIDO/U2F, has a self-destruct capability and can be used without its companion app, although it does need the app for TOTP: the key has no battery-backed clock, so the app has to hand it the current time before it can compute a time-based code.
Perhaps most important of all: it’s an open-source design, so it can be reviewed by the security community and checked for backdoors.
The key is made of what looks to be a synthetic resin. It is drop, crush and impact resistant and waterproof; accidentally leaving an OnlyKey in your pocket and putting it through the washing machine shouldn't be a problem. Around the key is a silicone rubber "jacket" that can be removed and replaced by a jacket of the same colour (in my case black) or a different one.
The key comes in blister packaging and includes a heavy-duty keychain. The key is slightly bigger and bulkier than the USB/NFC Yubikey 5 NFC I tested earlier but looks much more robust. I don’t know if you can easily break a Yubikey 5. On Reddit, you’ll find some reports about Yubikey 5Ci’s brittle plastic sheathing, but that problem seems to have been resolved and Yubico was quick to offer replacement keys.
I don't think either key will break easily. What I do know for a fact, though, is that some extension cables won't work with either key. I initially wanted to test the keys inserted in the iMac's USB ports, which are, as efficient design demands, at the back of the machine. To fix that, I purchased a German-brand 1 m USB 3.0 extension cable. I know they have their cables made in China, but I hope they demand better quality. The cable worked fine with mobile SSDs, but the keys had what seemed to be wiggle room that made them rapidly switch between a connected and a disconnected state as you touched them.
A much shorter USB extension cable worked fine, as did a CalDigit Element Hub that I repositioned on my desk for easier access.
Setting it up, how it works
When you first receive your OnlyKey, the first step in setting it up is to choose a PIN. The PIN is entered directly on the touch-sensitive OnlyKey PIN pad to activate the OnlyKey, and it unlocks whatever authentication data you have stored on it. Compare that with a Yubikey: if you register one with Twitter for FIDO authentication, plugging in the key and tapping the touch contact is all it takes to log in.
Not so with the OnlyKey. Although FIDO is the easiest of all the authentication methods to set up in the OnlyKey app (it involves checking the FIDO box and that’s it), the key will not send the authentication to Twitter unless you’ve unlocked it with your PIN.
That is a level of protection the Yubikey lacks for U2F second-factor logins: whoever picks up a lost Yubikey and has done their homework can produce a valid assertion for any site it is registered with simply by plugging it in and touching it. Two caveats for the careful reader: as a second factor the attacker still needs your password for each site, and the Yubikey 5 can require a FIDO2 PIN for passwordless (resident-credential) logins. What OnlyKey adds is a PIN gate on every assertion, plain U2F included.
As the OnlyKey developer points out on the website, it's also more secure in general terms: because the PIN is entered on the OnlyKey itself instead of on the computer, a keylogger or malware on the host never sees it, so the risk of the PIN being compromised is lower than if you typed it on the computer.
That first PIN only unlocks your OnlyKey's first profile, though. During setup you can skip creating the second profile, but there is little reason to: it has its own PIN and unlocks the second set of 12 slots, for a total of 24 slots.
By the way, you don't need to remember what each slot contains. You give each one a label, and the key can type all the labels into any text editor when you hold the 2 button for five seconds. If you are worried about losing your OnlyKey and the authentication data with it, you can also back the data up in encrypted form. That is again done by holding a button for five seconds, but only after you have set a backup passphrase during the guided setup.
Finally, setup lets you set one more, entirely optional, PIN: the self-destruct PIN. The hardware won't go up in flames, but entering it wipes everything on the key and resets it to factory defaults without leaving a trace of what was stored.
The OnlyKey app
The OnlyKey app won't win design awards, but it's efficient, easy to understand and form-based. The user guide, though, could better explain that the app never reads back any piece of data you have added to a slot from the key. That may sound logical to a security expert; it isn't to the less security-minded.
Best practice is to set up each slot in as few steps as possible. So if you want the OnlyKey to enter the whole login sequence for your web-based mail server, for example, plan ahead and rehearse your entries in a text editor first.
If you've recently gone through a traumatising experience, like I have, that makes your mind wander more than usual, you might pay attention to this line in the user guide, which really should be in bold red. I was less focused than I usually am, ignored the sentence that warns against going live too soon, and did so twice. And twice I was, luckily, focused enough to have my backup code regenerated with each attempt.
I did, however, have to change my password when the OnlyKey spat out my username and password into the search field of my browser after I stupidly tried tabbing to the right form field. I ended up there while the OnlyKey was already filling in everything.
So even when testing in a text editor you can run into trouble, depending on the browser you use, how fast the pages load, how the online form is laid out, and so on. It doesn't help that the slot entry page of the OnlyKey app is always empty when you reopen it. After having it confirmed that this isn't a bug but, as I suspected, another layer of security, I took out a pencil and a paper notepad and jotted down what I had already filled in per slot.
It's secure, though, as no data is ever read from the key to the computer in unprotected form. In short, it's something you must plan carefully. Still, I personally think that the average user, who isn't fully aware of what computer security is exactly and why it matters, will be discouraged by the somewhat challenging process of going through more than one complete slot setup.
The good news is that you need to do it only once for every slot. And even better: there's no obligation to use every data field a slot offers. You are welcome to use only the password field, or the username and password fields, or even just the FIDO checkbox, or any combination, and a different combination for each and every one of the 24 slots.
You can use the OnlyKey not just for authentication or identification when logging in to your Mac or PC or to websites. You can also use it to encrypt and decrypt files with OpenPGP via the end-to-end encrypted OnlyKey WebCrypt and the OnlyKey GPG Agent. The OnlyKey not only generates the keys, it also stores them, so the private key never has to live on the computer.
My opinion
So, while I’ve only scratched the proverbial surface of the OnlyKey — as its physical surface takes a sharp knife to scratch, if at all possible — what do I think of it?
First, let me briefly compare with a Yubikey 5 NFC and say that I find the OnlyKey’s concept very appealing, and in one case more secure (see the section above on FIDO).
OnlyKey takes some time and effort to set up, but in use it's very secure, and in the long run it takes less time and effort, as you can avoid entering authentication data from a software-based password manager altogether for up to 24 slots. Another major plus is that OnlyKey can store PGP keys for file encryption.
So, yes, it’s more complicated to set up, but afterwards, it’s as simple as any other device that you use daily. OnlyKey’s multiple levels of security are very appealing, indeed. It’s not expensive either as it retails at 48.50 EUR and is directly available from the OnlyKey website.
Epilogue and use case scenarios
Just as with the two Yubikey keys I tested before, the OnlyKey was sent to me free of charge. I have been using the USB-A Yubikey 5 NFC continuously for 2FA logins since I tested it and am now in the process of migrating those to the OnlyKey. I will probably not use the complete login options for all websites, as I use 1Password integrated with Safari and Firefox.
Most websites I log into don’t contain much of what I consider to be sensitive personal data, as I am very careful with what I disclose online (you should see my Facebook page; if everybody had one like mine, Mark Zuckerberg would be homeless).
For online management applications, though, I will use the full login credentials, as those necessitate repeated actions with every login that I would like to get off my computer and onto a secure external device.
Finally, here are a few use case scenarios that I tried out and will be using in the future.
My mail server with a full login sequence
- Input the URL into the desired slot, so that it autofills the URL bar of my browser, be it Safari or Firefox
- Set a 2-second delay to allow the login form page to load
- Enter the username (check the TAB box in the OnlyKey app form), then enter the password (check the RETURN box)
- Set a 4-second delay so I can select the 2FA field on the web form myself. In Firefox, letting the OnlyKey fill it in immediately would result in nothing, as Firefox auto-selects a checkbox that marks the browser as trusted; in Safari it selects something else. I therefore insert a longer delay so I can select the proper input field myself.
- Send the TOTP code.
Including the tweaking of the delays and so on, setting this up took me about 10 minutes.
Protecting Bear app notes
- In OnlyKey app, select an empty slot and call it “Bear Notes”
- Enter the desired password in the Password field
- Check the RETURN checkbox
- Click Set Slot.
To protect the Bear app itself you always need your Mac's login password. I use something you wouldn't expect: a Honeywell barcode reader that reads all common code types and scans a laminated card with the password printed in barcode form.
- [1] FIDO: https://fidoalliance.org/what-is-fido/
- [2] U2F: https://en.wikipedia.org/wiki/Universal_2nd_Factor
- [3] Time-based One-Time Password: https://en.wikipedia.org/wiki/Time-based_One-Time_Password
- [4] One-Time Password: https://en.wikipedia.org/wiki/One-time_password