Warning:

Already an OnlyKey owner?
Quick Start Guide

See what customers say about OnlyKey

 

Store accounts securely with only one PIN to remember

Up to 24 unique accounts
OnlyKey stores up to 24 unique accounts in offline storage and can be used to secure an unlimited number of accounts if used in conjunction with a software password manager.
While most users have hundreds of accounts they need to protect, only a handful of those accounts are most valuable. With this hybrid prioritized approach you don’t just have to hope that you don’t get hacked, you can conveniently do something about it.

OnlyKey is ideal for teams and small business


To get started fill out our team and small business partner form here.

  • Connector.

    Password Policy Compliance

    OnlyKey supports passwords that are completely random and with complexity that will exceed even the strictest password policy.

  • Connector.

    Two Factor Enforcement

    By supporting multiple methods of 2FA Onlykey is the most universally supported token available on the market today! Chances are that if an app supports two-factor authentication, OnlyKey is compatible.

  • Connector.

    Easy Management and Training

    One device to manage and users only remember one PIN. The first day on the job a user can be given one device programmed with all necessary accounts to hit the ground running.

  • Connector.

    Integration Support

    A trusted security consultant with internationally recognized security credentials will guide you to implement best practices.

First it is important to understand how accounts are hacked as there are several ways and OnlyKey has unique features that prevent each type.

1) The site you use is breached (i.e. Yahoo, LinkedIn, Target, Anthem, Sony etc.)

If the site you use is breached the attacker may be able to get your password in a couple of ways.

a) They get a dump of all passwords in clear text.
b) They get a hashed dump of all passwords.

If a) then it does not matter how long or complex your password is they have got it.

If b) then the attacker has to crack the passwords and only the weak passwords will be obtained.

OnlyKey addresses b) by allowing users to set strong 32 character passwords that cannot be cracked by an attacker. And they are actually usable since you don’t have to remember them, they are stored on your OnlyKey and typed out for you.

OnlyKey addresses a) by making two-factor authentication usable for users and compatible with the largest number of sites. If two-factor authentication is used then even if an attacker has your password they still can’t access your account and you are protected.

2) The computer you use is hacked (you click on a malicious website or download malware accidentally)

If the computer you use is hacked and you use a software password manager like LastPass, Dashlane, or even KeePass the attacker is in your computer and can see everything that you can see including your passwords. This is scary considering that now instead of just having one account compromised a hacker has access to everything in one fell swoop. In fact if this happens you would have been better off to have not used a password manager in the first place as a hacker would have a more difficult time in finding out what accounts you had.

If the computer you use is compromised the attacker may be able to get your passwords in a couple of ways.

a) They log all of your keyboard input (Keylogger) or clipboard if using a software password manager
b) They wait until you unlock your software password manager like Lastpass and download the entire database of passwords for all of your accounts.

OnlyKey addresses b) by storing everything offline. Essentially OnlyKey is secure by design so that you can only every write or wipe passwords stored on the OnlyKey. If an attacker gains access to your computer there are no passwords stored there to steal. Even if your OnlyKey is plugged in and unlocked there is no way to download or copy information from the OnlyKey.

OnlyKey addresses a) by making two-factor authentication usable for users and compatible with the largest number of sites. If two-factor authentication is used then even if an attacker captures your password they still can’t access your account without obtaining your one-time password. One time passwords used by Yubikey OTP are only valid once and Google Authenticator OTPs are only valid once and for a short period of time, usually 30 seconds.

3) Your cloud based password manager was compromised.

In this scenario you have chosen the convenience of having passwords accessible anywhere you go with the security trade off being that they are being stored online in the cloud. The provider assures you that the accounts will never be hacked but they missed something and now an attacker has access to every account you own.

Up to 24 slots can be configured, each slot can have a username or URL, a password, and a two-factor method assigned.

By setting one of the slots to just use U2F, OnlyKey can provide two-factor authentication for an unlimited number of accounts.

By setting one of the slots to just use Yubikey OTP, Onlykey can provide two-factor authentication for an unlimited number of accounts.

OnlyKey can replace but does not have to replace existing software password managers. By setting one of the slots to the login of a software password manager like Lastpass, OnlyKey can be extended to protect an unlimited number of accounts. One use case for this would be storing your most important accounts directly on the OnlyKey and then your less important accounts in a software password manager with two-factor authentication enabled.

Additionally, SSH support allows storing an SSH Private Key that can be used to authenticate to an unlimited number of devices and services using the OnlyKey Agent here.

First and foremost OnlyKey firmware is open source and you or anyone can view and modify OnlyKey’s firmware if you wish. We believe that in a day and age where companies can be compelled or forced to implement a government surveillance backdoor in their security products that the only way to ensure there is no backdoor is to use open source software.
Smart Cards are commonly used to provide two-factor authentication and decryption/signing for things like email. Unfortunately, if the computer that a smart card is plugged into is compromised by an attacker then the security of the smart card is compromised. All the attacker has to do is easily capture the keyboard output (Keylogging) and they can capture the users smart card PIN. With this PIN they can then authenticate to anything that the user has access to and also decrypt/sign emails as if the user had done so. This is a serious threat and one of the reasons that the OnlyKey project was started. With OnlyKey your PIN is entered on the 6 digit keypad located on the device itself that does not in any way send this PIN to the connected computer. In this way the PIN entry is offline and inaccessible to an attacker who has compromised the connected computer.

In addition to PIN security OnlyKey has functionality that smart cards do not like password management, SSH login, and is universally supported without the need for drivers to be installed. The OnlyKey is detected by the computer as a keyboard and no middleware or special drivers are required. OnlyKey can literally be plugged in and used on a computer that you have never used before and it works without installing anything.

There are a variety of hardware and software tokens out there. Some support U2F and others support Yubikey OTP and yet others support Google Authenticator (TOTP). Unfortunately for users not all websites support all of these. There is no standardization of two-factor support among websites so in order to log in using a token you often need multiple tokens and apps. OnlyKey set out to address this issue and make two-factor authentication usable by supporting the methods most commonly used by websites. Additionally, by combining this with password management we can provide users with a secure login with the touch of a button. A one touch login is the kind of user experience we think that users want and that is what OnlyKey is all about.
This is a fairly easy question to answer. SMS codes are no longer considered secure and are no longer being recommended by NIST – http://fortune.com/2016/07/26/nist-sms-two-factor/. The reason being that there are many ways that SMS messages can be intercepted by an attacker. Cellular femtocells are one way, and we already know that all cell phone calls and SMS messages are available to government agencies real-time. Even if the government agencies are not misusing this information what assurances are there that the data is being protected from bad actors considering that the government agencies themselves have been hacked in the past. Then, there is the concern of what happens when a website breach occurs, if an attacker already has access to a database with passwords they may have access to the phone numbers that are assigned to accounts as well and can change this to whatever phone number they wish. Finally, the technology itself that is used for sending SMS messages is not very secure, so much so that anyone with $30 can build a device to intercept SMS messages and crack the messages near real-time – http://hackaday.com/2013/10/22/cracking-gsm-with-rtl-sdr-for-thirty-dollars/.

In conclusion, SMS codes are definitely better than nothing but should not be used to protect accounts that you really care about.


OnlyKey is the world’s first password manager that can keep your accounts safe even if your computer is hacked or a website is breached. OnlyKey does this by storing your passwords in secure hardware offline and by supporting strong two-factor authentication methods like U2F.


  • Where Convenience and Security Meet– OnlyKey is dual use. It functions as a password manager and a two-factor token. You can plug OnlyKey into any computer, press a button, and it types out a username and password the same as if you typed it yourself; but with one big difference, you don’t have to remember passwords! OnlyKey does that for you. This allows using very complex and secure passwords that cannot be cracked by any available methods.

  • Secure by Design – Information can only be written to the OnlyKey or wiped. This protects your data even if the connected computer has been compromised. Unlike smartcards that are vulnerable to keylogger attacks, the PIN used to unlock OnlyKey is entered on the OnlyKey itself.

  • Two-Factor Options – By supporting multiple methods of 2FA Onlykey is the most universally supported token available on the market today! Chances are that if the website supports two-factor authentication, OnlyKey is compatible.

Compare Vs. Leading Password Manager

Already use a software password manager? No problem, store your most valuable passwords in secure hardware and keep using less secure software password manager for less valuable accounts. Find out more here.

Lastpass

  • Software Password Manager
  • Stores Unlimited Accounts
  • Supports 2 factor authentication to protect passwords
  • 2 factor authentication can’t be bypassed by hacker1
  • Can protect your accounts even if computer is compromised2
  • Can protect your accounts even if site is compromised3
  • Take your passwords with you even without Internet4
  • Functions as a 2-Factor Token3
  • Open Source

1As we wrote about back in 2015 here, an attacker can easily bypass Lastpass 2 factor authentication. This attack is enabled by default on Lastpass accounts.

2If an attacker has access to your computer it is game over for software password managers and all of your accounts in one fell swoop (Sometimes they don’t even need that). There are many ways that your computer can be hacked such as opening an untrusted file or even just browsing to a malicious site. Even if your software password manager has the most restrictive setting possible with 2 factor enabled all the attacker has to do is wait for you to unlock it and then dump and steal all of your passwords. Pretty scary stuff and this is why we recommend not trusting important accounts to a software password manager. OnlyKey on the other hand is offline, it requires you to enter a PIN and requires user physical presence to authenticate that even a hacker who has access to your computer can’t simulate.

3By supporting strong 2 factor methods like U2F and strong uncrackable passwords even if a site is breached and the attacker gains sensitive information, they won’t be able to log into your account.

4One of the best things about OnlyKey is it is plug-and-go. No Internet, no problem your passwords to unlock offline accounts or your laptop are still accessible.

Compare Vs. Leading Token

Yubikey NEO

  • Stores up to 2 passwords
  • N/A Does not store usernames/URLs
  • N/A Does not store Google Authenticator OTP accounts
  • Supports U2F 2 factor authentication for an unlimited number of sites
  • Supports Yubikey OTP 2 factor authentication for an unlimited number of sites
  • Device Locking – If lost or stolen no sensitive information can be obtained5
  • Open Source
  • Supports NFC (NFC only works on select Android phones and no iPhones)

5YubiKey has no locking mechanism so if you drop it and someone picks it up they can just plug it in and access your passwords or use your 2nd factor. OnlyKey automatically locks after a set period of time when plugged in and always is locked when powered off. Trying to guess a PIN will wipe the OnlyKey so no sensitive information can be obtained if lost or stolen.

For any questions regarding bulk pricing, don’t hesitate to contact us!

Password Manager

Manages up to 24 accounts including Username/URL, password, and 2FA method for each account.

Portability

On-the-go – Comes with a keychain accessory to easily attach and detatch the OnlyKey from your keychain.

PIN Protected

A 7-10 digit PIN must be typed onto the 6 button keypad of the OnlyKey in order to unlock it. If 10 incorrect PINs are entered your OnlyKey will perform a factory reset, wiping all sensitive infromation.

Automatic Lock Feature

Want your OnlyKey to automatically lock itself after being inactive for 30 minutes? No problem, this is customizable.

Self-Destruct Feature

Wipe everything it you need to. Set this PIN code whenever you first set up your OnlyKey and then if you or anyone else ever enters it the OnlyKey wipes all of the sensitive data you have stored on it.

Advanced Hardware Security

Once a PIN has been set on your OnlyKey it locks down the hardware so that even if an attacker gains physical access to your OnlyKey, without the correct PIN it will essentially be a brick.

OpenPGP Support

One of the great things about Onlykey is new features can be added to the open source firmware. See our new features in action

Universal 2-Factor Token

Supports Google Authenticator (TOTP), Yubikey compatible OTP, and Universal 2nd Factor (U2F).

Universal Support

Driverless operation – Recognized by computer as a regular keyboard. Supports Windows, Mac OS X, and Linux with Google Chrome.

International Keyboard Layouts

Do you live in or travel to a country where the default keyboard layout is different. No problem, OnlyKey is the first device to allow changing your keyboard layout on the fly.

User Selectable Type Speed Feature

Want your OnlyKey to type out information faster or slower? No problem, this is customizable.

Plausible Deniability Feature

Travel abroad without having to give up your encryption keys/passwords. Set this PIN code whenever you first set up your OnlyKey and then if you or anyone else ever enters it the OnlyKey opens up a fake profile that is identical to the real profile of the international travel edition Onlykey. The goal of this feature is that proof that another profile even exists is impossible to prove. This way you can plausibly deny that the OnlyKey uses encryption. Is it just a basic password manager or is there another hidden profile that is only activated if you know the secret PIN?

SSH Authentication

Use the OnlyKey for SSH authentication where your SSH key remains securly stored in hardware and not available to attackers.

Encrypted Backup Anywhere

OnlyKey types out the encrypted backup so it works anywhere independent of apps. See our new features in action

See How it Works

On the face of the OnlyKey is a 6 button keypad which serves two purposes.

1. In order to enable the device for use, a PIN must be entered. This way if OnlyKey is ever lost or stolen, it will be unusable without knowing the PIN.

2. In order to login to an account, the button assigned to the account must be pressed. Each button can store two accounts. Hold the button for less than one second and the first account is activated, hold for more than one second and the second account is activated. Each account can store username/URL, password, and 2FA method (Yubikey OTP, Google Authenticator, or U2F). Below is a screenshot of the App used to configure the Onlykey.

Easy 3 Step Setup!

Additional Information

Self-Destruct

Wouldn’t it be nice to know that your data is protected, and if you are in a pinch or forced to give up your PIN there is an easy way to make sure that your data does not get into the wrong hands?

Read more about this feature in our user’s guide

Plausible Deniability (International Travel Edition and Standard Edition)

Wouldn’t it be nice to be able to be able to travel to a country where encryption is illegal or to a country where it is against the law to refuse to give up your password to authorities and be able to comply without actually giving any access to your accounts?

Read more about this feature in our user’s guide