OnlyKey Thoughts


I’ve been using OnlyKey for over two years, starting with the “first” generation model (no RGB LED, shown in the photo) and later adding two “second” generation models (RGB LED).

Both models have been used heavily on a daily basis. One RGB model is used by a non-technical user, configured as a simple gate to LastPass.

My use cases have been relatively limited compared to the feature set:

  1. Store passwords for commonly used applications, such as a password manager
  2. Function as a U2F token for supported applications
  3. Function as a Google Authenticator-style TOTP generator

Pros

Instead of remembering a password or passphrase, you only need a PIN (which can also be remembered as a pattern on the pads). Once the PIN has been entered, the pads become active. A single press performs one function (e.g. type a password and press enter, present the U2F token, etc.), and a press-and-hold performs a completely different one. With six physical pads, that gives you twelve functions. This is plenty for most use cases, especially if you dedicate a pad or two to unlocking a password manager.

It works as a USB keyboard when entering passwords. I like this feature because it lets me enter passwords quickly in situations that would otherwise require a work-around (nested RDP sessions, for example). It also works with things like a USB OTG cable on a phone. Not convenient, but it works.

TOTP and U2F multi-factor authentication are both supported. I use them daily without issue, and setup was simple.

Durability has been great. One concern I had was the pads tarnishing: visible wear would reveal which pads are used in the PIN sequence, greatly reducing the number of guesses needed to brute-force it. Fortunately this has not proved to be a problem, even after hundreds or thousands of presses over the past few years. The back of the key is wearing enough to show some copper under the resin, but this hasn’t caused any problems. I can also confirm that the first generation model survived at least one wash and dry cycle.

Improvements keep coming. The developer has continued to work on both the device and the software for as long as I’ve been using it. Software development is slow, but it has been put together by a very small team and I’m betting this isn’t their full-time job.

Cons

Speaking of brute-forcing a PIN: one downside of the device, which I’m not sure can be overcome without non-volatile memory on the device, is that the lockout protection is effectively useless. The failed-attempt counter is reset simply by unplugging the device from the USB port and re-inserting it, so the tries can be reset indefinitely. Time consuming, but a weakness nevertheless.

Configuration is difficult, especially for non-technical users. This has improved as the software (a Chrome App) has matured; recent changes include firmware updates from within the application instead of requiring command-line knowledge.

Configuration more or less requires Google Chrome. This may dissuade users who are dead set on other browsers such as Firefox.

TOTP functionality requires the OnlyKey Chrome App to be running, with some exceptions (once the time has been set, you don’t have to set it again as long as the hardware stays plugged into a powered-on system). Until the hardware includes an on-board clock with battery backing, this will remain a requirement.

Recommendations

I highly recommend these devices for technical users. I’d purchase two and keep the backup within short driving distance if using them for work-related or otherwise critical duties.

For non-technical users, when used in conjunction with a password manager such as LastPass, these add a great layer of security. Once they are set up with a PIN and the user understands the simple, repeatable workflow, they should be set.