We don’t publish many OnlyKey project updates. But when we do, it’s to announce some big news. We have been hard at work on the latest and greatest OnlyKey software which will include some major improvements and new features. Our most notable changes with the next release of OnlyKey firmware are that we are focusing on making OnlyKey easier to use and more secure.
One of the biggest drawbacks to upgrading OnlyKey is that the process currently works like this:
– Create OnlyKey data backup
– Download/Verify new firmware
– Load new firmware
– Restore private key
– Restore OnlyKey backup data
This can be a bit time consuming and intimidating to some users, so this will be the last OnlyKey firmware release that requires all of those steps. After upgrading, the new process for firmware updates will be:
– App automatically (or manually if preferred) prompts when a new update is available
– User confirms to download and install new firmware
– OnlyKey reboots itself and new features are ready to go
No backup/restore required and no messing with backup keys. The only time the backup key will be needed is during 1st setup. And things even get a bit easier, a backup passphrase can be used instead of having to deal with a backup key.
So how did we make it so much easier and also increase security?
a) We are utilizing a new bootloader (the thing that loads firmware from the computer to the OnlyKey).
b) We are cryptographically signing firmware using a blockchain design (the bootloader will only load signed firmware, signed firmware is broken into blocks).
c) We integrated everything with the OnlyKey app for a simple and easy initial setup.
Some key user benefits:
– Now you just need one app, the OnlyKey app to load firmware and manage your OnlyKey.
– Verification of signed firmware is done automatically on OnlyKey.
– Backup passphrase is set once and not required again unless a backup/restore is necessary.
– With firmware updating as a point-and-click experience, it’s really easy to take advantage of new features going forward.
That’s not all! We have some more big improvements that will be included in the next release such as:
– Selectable second profile mode.
Now we have the option to use the second profile on the OnlyKey as a 2nd full feature profile or a plausible deniability profile. It’s your choice.
– FIDO U2F improvements.
After looking at some of the issues we found with other vendor U2F tokens, we found a more secure way to implement U2F that uses double wrap encryption.
– Enable/disable challenge PIN for PGP and SSH.
While a challenge PIN is great for security, it may not integrate well in every application. The challenge PIN is on by default, but we added an option to turn off this feature if needed.
– Enable enterprise provisioning
Setting certain values on first use is now permitted to enable enterprise provisioning of OnlyKeys. For example, a backup file or passphrase can be set on first use after setting a PIN. This makes it possible for our enterprise business customers to easily provision devices as follows:
- Enterprise provisions a file (securely encrypted with a unique passphrase) for each user that contains the settings for a user’s OnlyKey
- User sets their own PIN on a new OnlyKey
- User loads encrypted file and passphrase provided by enterprise
- Device is now configured with required enterprise settings/accounts and ready to use
– Auto-calibrate sensitivity of buttons.
The touch buttons on OnlyKey will now auto-calibrate. This enables better touch detection when buttons are pressed even in more extreme temperatures.
More to come. We will provide a complete list of new features and functionality when the next firmware is released.
Also published on Medium.