- Is it Secure?
- Where can I use it?
- What if it is lost or stolen?
- Is it waterproof and durable?
- How do I get started?
- How does it keep my information from getting hacked?
- Is it supported on Android or iPhone?
- How is it better than a smart card?
- How is it better than other tokens?
- What about government backdoors?
- How is it better than using two-factor authentication?
- Where do I go for OnlyKey Support?
- What specifically are the differences between the Standard Edition firmware and the International Travel Edition firmware?
- What does entering the self destruct PIN do?
- When should I use the self destruct PIN?
- How is the OnlyKey firmware signed and verified?
Is it Secure? #
Glad you asked. The OnlyKey is designed as a single-purpose computer. The only time the OnlyKey accesses one of your passwords is when you tell it to, and you do this by physically touching the OnlyKey. This is in contrast to, for example, smartphone apps or software password managers, where malware might get access to all of your passwords at once.
Where can I use it? #
OnlyKey acts as a standard USB keyboard when connected to a computer, so there is no need for special drivers. OnlyKey works everywhere a keyboard works, including Windows, Mac, Linux, and Android. OnlyKey can even store your hard-drive encryption keys.
What if it is lost or stolen? #
The data stored on OnlyKey is encrypted with the strongest encryption available (AES-256-GCM) and, most importantly, is PIN protected.
What this means is that if you lose your OnlyKey it is essentially useless without the PIN: nothing can be read from or written to it.
If an attacker tries to guess the PIN, the OnlyKey wipes all data after 10 failed attempts.
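The combination described above (data sealed with AES-256-GCM under a PIN-derived key, plus a failed-attempt counter that wipes the store on the tenth wrong guess) can be modelled in a few dozen lines. The following Go program is an added example written for this page; it is not OnlyKey's firmware and does not reproduce its real storage layout. It assumes a toy key derivation (SHA-256 of a salt and the PIN, where a real device would use a hardware-bound secret and a slow KDF) and uses GCM's authentication tag as the "is this PIN right?" check, so no PIN or PIN hash is ever stored.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// MaxAttempts mirrors the FAQ: ten wrong PINs and the stored data is gone.
const MaxAttempts = 10

var (
	ErrBadPIN = errors.New("wrong PIN")
	ErrWiped  = errors.New("vault wiped after too many failed PIN attempts")
)

// Vault is a toy model (assumption: not OnlyKey's real layout) of a
// PIN-protected, AES-256-GCM-encrypted secret store.
type Vault struct {
	salt       [16]byte
	nonce      [12]byte
	ciphertext []byte // nil once wiped
	failed     int
	wiped      bool
}

// keyFromPIN derives a 256-bit AES key from the PIN and a per-vault salt.
// Assumption: plain SHA-256 stands in for a hardware-bound secret + slow KDF.
func keyFromPIN(pin string, salt []byte) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(pin))
	return h.Sum(nil)
}

func gcmFor(pin string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(keyFromPIN(pin, salt))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewVault seals secret under pin with a fresh random salt and nonce.
func NewVault(pin string, secret []byte) (*Vault, error) {
	v := &Vault{}
	if _, err := rand.Read(v.salt[:]); err != nil {
		return nil, err
	}
	if _, err := rand.Read(v.nonce[:]); err != nil {
		return nil, err
	}
	gcm, err := gcmFor(pin, v.salt[:])
	if err != nil {
		return nil, err
	}
	v.ciphertext = gcm.Seal(nil, v.nonce[:], secret, nil)
	return v, nil
}

// Unlock returns the secret if pin is correct. A wrong key makes GCM's tag
// check fail, which counts as one failed attempt; the tenth failure zeroes
// the ciphertext so even the right PIN can no longer recover anything.
func (v *Vault) Unlock(pin string) ([]byte, error) {
	if v.wiped {
		return nil, ErrWiped
	}
	gcm, err := gcmFor(pin, v.salt[:])
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, v.nonce[:], v.ciphertext, nil)
	if err != nil {
		v.failed++
		if v.failed >= MaxAttempts {
			v.wipe()
			return nil, ErrWiped
		}
		return nil, ErrBadPIN
	}
	v.failed = 0 // assumption: a correct PIN resets the counter
	return plain, nil
}

func (v *Vault) wipe() {
	for i := range v.ciphertext {
		v.ciphertext[i] = 0
	}
	v.ciphertext = nil
	v.wiped = true
}

func (v *Vault) Wiped() bool { return v.wiped }

func main() {
	v, _ := NewVault("123456", []byte("constructed example secret"))
	for i := 1; i <= MaxAttempts; i++ {
		_, err := v.Unlock("000000")
		fmt.Println("attempt", i, "->", err)
	}
	_, err := v.Unlock("123456")
	fmt.Println("correct PIN after wipe ->", err)
}
```

Running it shows nine `wrong PIN` results, a wipe on the tenth, and then the correct PIN failing too, which is the property the FAQ describes: after the counter is exhausted there is nothing left to decrypt.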
Using the secure encrypted "backup anywhere" feature you can back up and restore your accounts. You can create an encrypted backup anywhere by simply holding down the #1 button on the OnlyKey. This means that only a physical person can initiate a backup (not malware), and you can save it to a text file, an email, etc.
If you like to plan ahead then get two OnlyKeys so you always have a backup.
Is it waterproof and durable? #
Extremely durable – OnlyKey is drop, crush, and impact resistant; it stands up to abuse. You can carry it on your keychain, in your pocket, etc.
Waterproof – Accidentally leave your OnlyKey in your pocket and it goes through the washing machine? No problem, it's waterproof.
To provide even more durability and style, OnlyKey color cases are available.
Choose a color that fits your style – Stealth Black, Guardian Blue, Hacker Green, Resistance Red, or Quantum White.
How do I get started? #
Provided with each OnlyKey is a card with useful links; next to the first link is >>START HERE: https://onlykey.io/start
That page provides step-by-step directions for setting up your OnlyKey.
How does it keep my information from getting hacked? #
First it is important to understand how accounts are hacked, as there are several ways, and OnlyKey has features that address each type.
1) The site you use is breached (e.g. Yahoo, LinkedIn, Target, Anthem, Sony, etc.)
If the site you use is breached, the attacker may be able to get your password in a couple of ways.
a) They get a dump of all passwords in clear text.
b) They get a hashed dump of all passwords.
If a), then it does not matter how long or complex your password is; they have it.
If b), then the attacker has to crack the passwords, and only the weak passwords will be obtained.
OnlyKey addresses a) by making two-factor authentication usable for users and compatible with the largest number of sites. If two-factor authentication is used, then even if an attacker has your password they still can't access your account, and you are protected.
OnlyKey addresses b) by allowing users to set strong passwords of up to 56 characters that cannot be cracked by an attacker. And they are actually usable, since you don't have to remember them: they are stored on your OnlyKey and typed out for you.
2) The computer you use is hacked (you click on a malicious website or download malware accidentally)
If the computer you use is hacked and you use a software password manager like LastPass, Dashlane, or even KeePass, the attacker is in your computer and can see everything that you can see, including your passwords. This is scary considering that, instead of just one account being compromised, a hacker now has access to everything in one fell swoop. In fact, if this happens you would have been better off not using a password manager in the first place, as a hacker would have a more difficult time finding out what accounts you had.
If the computer you use is compromised, the attacker may be able to get your passwords in a couple of ways.
a) They log all of your keyboard input (keylogger), or your clipboard if you use a software password manager.
b) They wait until you unlock your software password manager like LastPass and download the entire database of passwords for all of your accounts.
OnlyKey addresses a) by making two-factor authentication usable for users and compatible with the largest number of sites. If two-factor authentication is used, then even if an attacker captures your password they still can't access your account without obtaining your one-time password.
OnlyKey addresses b) by storing everything on independent hardware. Essentially, OnlyKey is secure by design, so that you can only ever write or wipe account information stored on the OnlyKey. If an attacker gains access to your computer there are no passwords stored there to steal. Even if your OnlyKey is plugged in and unlocked, there is no way to download or copy information from the OnlyKey.
3) Your cloud-based password manager was compromised.
In this scenario you have chosen the convenience of having passwords accessible anywhere you go, with the security trade-off that they are stored online in the cloud. The provider assures you that the accounts will never be hacked, but they missed something, and now an attacker has access to every account you own.
Is it supported on Android or iPhone? #
Phone models supported:
- iPhone/iPad (iOS 9.2+) with Lightning port: password manager and Yubikey OTP supported; Lightning to USB OTG adapter required.
- Android with USB Micro port: password manager and Yubikey OTP supported; USB Micro OTG adapter required.
- Android with USB C port: password manager and Yubikey OTP supported; USB C OTG adapter required.
How is it better than a smart card? #
Smart cards are commonly used to provide two-factor authentication and decryption/signing for things like email. Unfortunately, if the computer that a smart card is plugged into is compromised by an attacker, then the security of the smart card is compromised too: an attacker can capture the user's smart card PIN when it is typed.
With this PIN they can then authenticate to anything that the user has access to, and also decrypt/sign emails as if the user had done so. This is a serious threat, and OnlyKey overcomes this limitation. With OnlyKey your PIN is entered on the 6-digit keypad located on the device itself, which never sends the PIN to the connected computer.
In this way the PIN entry is inaccessible to an attacker who has compromised the connected computer.
In addition to PIN security, OnlyKey has functionality that smart cards do not, such as password management and SSH login, and it is universally supported without the need for drivers to be installed. With our OpenPGP everywhere technology and integration with Keybase, OnlyKey can send and receive secure messages everywhere. Check out our secure messaging app here – https://apps.crp.to
How is it better than other tokens? #
OnlyKey stores more than just passwords and two-factor codes. OnlyKey stores everything you need to log in, including a URL to the login page, username, password, and two-factor credential, for multiple sites.
There are a variety of hardware and software tokens out there. Some support FIDO U2F, others support Yubikey OTP, and yet others support Google Authenticator (TOTP).
Unfortunately for users, not all websites support all of these. There is no standardization of two-factor support among websites, so in order to log in using a token you often need multiple tokens and apps. OnlyKey set out to address this issue and make two-factor authentication universal by supporting the methods most commonly used by websites. Additionally, by combining this with password management we can provide users with a secure login at the touch of a button.
What about government backdoors? #
First and foremost, OnlyKey is open source and free of backdoors. Secret keys are generated by you and accessible only to you. Unlike our competitors, we believe in a decentralized model where you have the freedom to control and verify everything on the OnlyKey. Also, because the electronics are covered only by a clear coat, you can actually see the hardware and would be able to spot a hardware backdoor by comparing it to other OnlyKeys.
Why is decentralized important?
TL;DR – Because there is no single point of failure.
Take a real-world example like Lavabit: in May 2014 the owner of the service, Ladar Levison, abruptly shut down his secure email service after, it is speculated, he received a National Security Letter from the NSA. This service was centralized, so Ladar had the ability to see his customers' information. Ultimately, he decided to shut down his service rather than give up his customers: "I was forced to make a difficult decision: violate the rights of the American people and my global customers or shut down. I chose Freedom."
What is unknown is how many other companies have similar centralized services and chose not to shut down. Instead they gave up their customers' (your) information. All centralized security solutions have one thing in common, a single point of failure, and so they should never be trusted.
So what would happen if CryptoTrust received a similar letter?
We would comply with the order and at the same time 100% protect customers. This is possible because OnlyKey is a decentralized solution. We have zero knowledge of customers' sensitive data, and we don't manage or store any keys. All of the keys are created by you, either by directly loading them onto the OnlyKey or by having them generated randomly using our patent-pending method, which uses input like the conductivity of your skin when pressing the buttons to create secure random keys.
How is it better than using two-factor authentication? #
This is a fairly easy question to answer. SMS codes are no longer considered secure and are no longer recommended by NIST, because there are many ways that SMS messages can be intercepted by an attacker. SMS codes are definitely better than nothing, but they are not as secure as other two-factor methods like TOTP and U2F.
Where do I go for OnlyKey Support? #
What specifically are the differences between the Standard Edition firmware and the International Travel Edition firmware? #
The International Travel Edition firmware is essentially a feature-limited version of the OnlyKey. It is a fully functional password manager, but it does not use the same level of encryption and may therefore be usable in countries where encryption is banned or restricted. More information here.
What does entering the self destruct PIN do? #
Depending on what your wipe mode is set to, it either wipes all sensitive data (erases your usernames, passwords, keys, etc.) or, if you are using full wipe mode, performs a complete erase of the OnlyKey including sensitive data and all firmware (which requires reloading the firmware).
When should I use the self destruct PIN? #
Whenever you wish to wipe all sensitive data from the OnlyKey and restore it to a factory default state.
How is the OnlyKey firmware signed and verified? #
The firmware is signed in a blockchain fashion. As the OnlyKey is an embedded device, resources like memory are limited, so verifying a complete firmware file in one piece would not be possible on the device. However, blocks of firmware can be signed along with the signature of the previous block, forming a chain that the OnlyKey bootloader can verify one block at a time. Additionally, firmware integrity is verified every time the device boots. In the event firmware verification fails, the device is wiped and signed firmware must be reloaded.
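To make the chained-block scheme above concrete, here is an added Go example written for this page; it is not OnlyKey's bootloader or build tooling, and the block size, the use of Ed25519, the SHA-256 binding of each block to the previous signature, and the all-zero "previous signature" for the first block are all assumptions chosen for illustration. The verifier mirrors the constraint the FAQ describes: it holds one block and one previous signature at a time and never needs the whole image in memory, yet any dropped, reordered or modified block breaks the chain from that point on.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// blockSize is a constructed value; a real bootloader would pick one that
// fits its RAM budget and flash page size.
const blockSize = 1024

// SignedBlock is one chunk of the image plus a signature over
// SHA-256(previous signature || chunk). Binding each block to the previous
// signature is what turns a list of signed chunks into a chain.
type SignedBlock struct {
	Data []byte
	Sig  []byte
}

var ErrBadBlock = errors.New("firmware block failed verification")

func blockDigest(prevSig, data []byte) []byte {
	h := sha256.New()
	h.Write(prevSig)
	h.Write(data)
	return h.Sum(nil)
}

// SignFirmware splits image into blocks and signs each one, chaining in the
// previous block's signature. The first block chains to an all-zero value.
func SignFirmware(priv ed25519.PrivateKey, image []byte) []SignedBlock {
	prev := make([]byte, ed25519.SignatureSize)
	var chain []SignedBlock
	for off := 0; off < len(image); off += blockSize {
		end := off + blockSize
		if end > len(image) {
			end = len(image)
		}
		data := image[off:end]
		sig := ed25519.Sign(priv, blockDigest(prev, data))
		chain = append(chain, SignedBlock{Data: data, Sig: sig})
		prev = sig
	}
	return chain
}

// VerifyFirmware is the bootloader's side: it walks the chain with only the
// current block and previous signature in hand. It returns -1 and nil on
// success, or the index of the first block that fails and ErrBadBlock.
func VerifyFirmware(pub ed25519.PublicKey, chain []SignedBlock) (int, error) {
	prev := make([]byte, ed25519.SignatureSize)
	for i, b := range chain {
		if !ed25519.Verify(pub, blockDigest(prev, b.Data), b.Sig) {
			return i, ErrBadBlock
		}
		prev = b.Sig
	}
	return -1, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	image := bytes.Repeat([]byte{0xAB}, 3000) // constructed stand-in for a firmware image
	chain := SignFirmware(priv, image)
	i, err := VerifyFirmware(pub, chain)
	fmt.Println(len(chain), "blocks, verify:", i, err) // 3 blocks, verify: -1 <nil>

	chain[1].Data[0] ^= 0x01 // flip one bit in the second block
	i, err = VerifyFirmware(pub, chain)
	fmt.Println("after tampering, verify:", i, err) // after tampering, verify: 1 firmware block failed verification
}
```

Because each signature covers the previous one, the verifier can reject a bad image at the first damaged block without buffering what follows; the FAQ's "device is wiped and signed firmware must be reloaded" would be the bootloader's response to a non-negative index here.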