Do you take online security seriously and want to avoid having your personal data exposed? If so, two-factor login is essential, and a hardware security key is better still, because it makes account takeover a lot more difficult (a FIDO credential is bound to the site's origin, so a phished password on its own is not enough). The OnlyKey is an innovative security key that offers more than FIDO/U2F/FIDO2 and TOTP code generation. It's a complete solution for secure logins and even PGP file encryption.
OnlyKey was created in 2016 to solve a problem that no other device solves, according to its developer, a security consultant and ethical hacker. His observation was that software password managers are better than nothing, but they can also be a huge security risk. I do agree with that statement, but I’d like to point out that managing or implementing a good security strategy is always going to be a hassle. And everything that’s a hassle is going to remain risky. People want to go about their business with no distractions and to most of us, security is distracting and often frustrating.
The following review is quite long at 2312 words (reading time average of 9min39sec), so here’s a chapter list:
- OnlyKey versus the others
- Setting it up, how it works
- The OnlyKey app
- My opinion
- Epilogue and use case scenarios
OnlyKey versus the others
There's OnlyKey and then there are the others. Few of those matter much, except for the market leader, Yubikey. The Yubikey 5 is the simplest security key possible in my opinion, with USB and NFC capability. You can use it as a FIDO[1] / U2F[2] key without the Yubikey Authenticator app if the website or system supports it, or as a TOTP[3] / OTP[4] key with the Authenticator app. The Yubikey has more capabilities, e.g. two OTP slots (triggered by a short or a long touch), changing your FIDO2 PIN, and setting up a PIV (Personal Identity Verification) smart-card identity for logging in to your computer. Other than that, you can enable or disable individual authentication protocols to harden the key somewhat more, but that's basically it.
Physically, the Yubikey has only a touch sensor, which you tap to confirm a FIDO login or to trigger one of its OTP slots.
In contrast, the OnlyKey combines a whole range of hardware and software capabilities and physically has a touch-based six-button keypad for entering a 7- to 10-digit PIN on the device itself. It lets you set up two profiles with 12 slots each. A slot can hold a complete login sequence, including URL, user name, password and 2FA (two-factor authentication) settings. It supports FIDO/U2F, has a self-destruct capability and can be used without its companion app, although it needs the app for TOTP: the key has no internal clock, so the app has to supply the current time from which the code is computed.
Perhaps most important of all: the design and firmware are open source, so the security community can review them and check for backdoors.
The key is made of what looks to be a synthetic resin. It is drop, crush and impact resistant and waterproof; an OnlyKey accidentally left in a pocket that goes through the washing machine shouldn't be a problem. Around the key is a silicone rubber "jacket" that can be removed and replaced by a jacket of the same colour (in my case black) or a different one.
The key comes in blister packaging and includes a heavy-duty keychain. The key is slightly bigger and bulkier than the USB/NFC Yubikey 5 NFC I tested earlier but looks much more robust. I don’t know if you can easily break a Yubikey 5. On Reddit, you’ll find some reports about Yubikey 5Ci’s brittle plastic sheathing, but that problem seems to have been resolved and Yubico was quick to offer replacement keys.
I don’t think either key will break easily. What I do know for a fact, though, is that some extension cables won’t work with either key. I initially wanted to test the keys inserted in the iMac’s USB ports which are, as efficient design demands, at the back of the machine. To fix that, I purchased a German brand 1m USB 3.0 extension cable. I know they have their cables made in China, but I hope they demand better quality. The cable quality was fine with mobile SSDs, but the keys had what seemed to be wiggle room that made them rapidly switch between a connected and a disconnected state as you touched them.
A much shorter USB extension cable worked fine, as did a CalDigit Element Hub that I repositioned on my desk for easier access.
Setting it up, how it works
When you first receive your OnlyKey, the first step in setting it up is to set a PIN. The PIN is entered directly on the OnlyKey's touch-sensitive pad and unlocks the key for whatever authentication data you have on it. Compare that with a Yubikey: if you register a Yubikey with Twitter for FIDO authentication, plugging in the key and tapping the touch sensor is all it takes to log in.
Not so with the OnlyKey. Although FIDO is the easiest of all the authentication methods to set up in the OnlyKey app (you tick the FIDO box and that's it), the key will not send the FIDO response to Twitter unless you've first unlocked it with your PIN.
That's a layer of security the Yubikey lacks by default. Lose one, and anyone who picks it up and has done their homework can use it as your second factor for every website you registered it with. They still need the first factor (your password) for U2F logins, and the FIDO2 PIN if you set one for passwordless use, but the key itself will answer for anyone who touches it. With the OnlyKey nothing leaves the key until the PIN has been entered on it.
As the OnlyKey developer points out on the website, entering the PIN on the key is also more secure in general terms: the PIN never passes through the computer's keyboard or operating system, so malware on the computer (a keylogger, say) cannot capture it the way it could a PIN typed on the computer.
That first PIN, though, only unlocks your OnlyKey's first profile. During setup you can skip the second profile, but there is no good reason to: the second profile has its own PIN and unlocks the second set of 12 slots, for a total of 24 slots.
By the way, you don't need to remember what each slot contains. You enter a label for each, and the key can type the labels into any text editor when you hold the 2 button for five seconds. If you're afraid of losing your OnlyKey and the authentication data with it, you can also back up the data in encrypted form. That is again done by holding a button for five seconds, but only after you've set a backup passphrase during the guided setup; without that passphrase the backup cannot be restored.
Finally, setup lets you set yet another PIN, which is entirely optional, to self-destruct the OnlyKey (the idea being that you enter it instead of your real PIN if someone forces you to unlock the key). The hardware won't go up in flames, but everything on it is wiped and reset to the factory defaults without leaving a trace.
The OnlyKey app
The OnlyKey app won't win design awards, but it's efficient, easy to understand and form-based. The user guide, though, could explain better that the app never reads back anything you have added to a slot: data goes from the app to the key, never the other way around. That may sound logical to a security expert; it isn't to the less security-minded.
It's best to set up a slot in as few steps as you can. So if you want the OnlyKey to enter all the login data for your web-based mail server, for example, plan ahead and try out your entries in a text editor first, not on the live login page.
If you've recently gone through a traumatising experience, like I have, that makes your mind wander more than usual, you should pay attention to this line in the user guide, which really should be in bold red. I was less focused than I usually am, ignored the sentence that warns against going live too soon, and did so twice. And twice I was, luckily, focused enough to have my backup code regenerated with each attempt.
I did, however, have to change my password when OnlyKey spat out my username and password into my browser's search field after I stupidly tried tabbing to the right form field. I ended up there while OnlyKey was already filling everything in.
So, even when testing in a text editor, you can run into trouble, depending on the browser you use, how fast the pages load, how the online form is set up, etc. The fact that the slot entry page of the OnlyKey app is always empty when you re-open it isn't helpful. And after having it confirmed that this is not a bug but, as I suspected, another layer of security, I took out a pencil and a paper notepad and jotted down what I had already filled in for each slot.
It's secure, though, as no slot data is ever read back from the key to the computer. In short, it's something you must plan carefully. Still, I personally think the average user, who isn't fully aware of what computer security is exactly and why it matters, will be discouraged by the somewhat challenging process of setting up more than one complete slot.
The good news is that you only need to do it once per slot. Even better, there's no obligation to use every data field a slot offers: you can use only the password field, the username and password fields, just the FIDO checkbox, or any combination, and a different combination for each of the 24 slots.
You can use OnlyKey not just for authentication or identification to access your Mac, PC or websites; you can also use it to encrypt and decrypt files with OpenPGP, via the end-to-end encrypted OnlyKey WebCrypt and the OnlyKey GPG Agent. OnlyKey not only generates the keys but also stores them, so the private key does not have to live on the computer.
My opinion
So, while I've only scratched the proverbial surface of the OnlyKey (its physical surface would take a sharp knife to scratch, if that is possible at all), what do I think of it?
First, let me briefly compare it with the Yubikey 5 NFC: I find the OnlyKey's concept very appealing, and in one respect more secure (see the section above on FIDO).
OnlyKey takes some time and effort to set up, but in use it's very, very secure, and in the long run it takes less time and effort, as for up to 24 slots you can avoid entering authentication data from a software-based password manager altogether. Another major plus is that OnlyKey can store PGP keys for file encryption.
So, yes, it's more complicated to set up, but afterwards it's as simple to use as any other device you use daily. OnlyKey's multiple layers of security are very appealing indeed. It's not expensive either: it retails at 48.50 EUR and is available directly from the OnlyKey website.
Epilogue and use case scenarios
Just as with the two Yubikey keys I tested before, the OnlyKey was sent to me free of charge. I have been using the USB-A Yubikey 5 NFC continuously for 2FA logins since I tested it and am now in the process of migrating those to the OnlyKey. I will probably not use the complete login options for all websites, as I use 1Password integrated with Safari and Firefox.
Most websites I log into don’t contain much of what I consider to be sensitive personal data, as I am very careful with what I disclose online (you should see my Facebook page; if everybody had one like mine, Mark Zuckerberg would be homeless).
For online management applications, though, I will use the full login credentials, as those necessitate repeated actions with every login that I would like to get off my computer and onto a secure external device.
Finally, here are a few use-case scenarios that I tried out and will be using in the future.
My mail server with a full login sequence
- Enter the URL into the desired slot, so that it autofills the URL bar of my browser, be it Safari or Firefox
- Set a 2 second delay to allow the login form page to load
- Enter the username and tick the TAB box in the OnlyKey app form, then enter the password and tick the RETURN box
- Set a 4 second delay to allow me to select the 2FA field on the web form; in Firefox, letting OnlyKey fill it in immediately would achieve nothing, because Firefox auto-selects a checkbox that marks the browser as trusted. In Safari it selects something else. I therefore insert a longer delay so I can select the proper input field myself.
- Send the TOTP code.
Including the tweaking of the delays, setting this up took me 10 minutes.
Protecting Bear app notes
- In OnlyKey app, select an empty slot and call it “Bear Notes”
- Enter the desired password in the Password field
- Check the RETURN checkbox
- Click Set Slot.
To protect the Bear app itself, you always need your Mac's login password; I use something you wouldn't expect: a Honeywell barcode reader that reads all existing barcode types, scanning a laminated card with the password encoded as a barcode.
- [1] See: https://fidoalliance.org/what-is-fido/
- [2] For U2F, see: https://en.wikipedia.org/wiki/Universal_2nd_Factor
- [3] Time-based One-Time Password, explained here: https://en.wikipedia.org/wiki/Time-based_One-Time_Password
- [4] One-Time Password, explained here: https://en.wikipedia.org/wiki/One-time_password