This proof-of-concept essentially demonstrates tha...
A few days ago Google announced a new “Advanced Protection Program” which they advertise as follows:
“The Advanced Protection Program safeguards the personal Google Accounts of those most at risk ...
OnlyKey Standard Edition
Ships to US, Canada, Europe, and Japan
Full featured with encrypted storage and encrypted backup anywhere
Buy now for $46 with free 2-day shipping anywhere in US
Available on Amazon US, Canada, Europe, and Japan sites.
See Amazon return policy at bottom of this page.
OnlyKey International Travel Edition
Travel internationally confidently and in compliance with encryption laws.
Store accounts securely with only one PIN to remember
Up to 24 unique accounts
OnlyKey stores up to 24 unique accounts in offline storage and can be used to secure an unlimited number of accounts if used in conjunction with a software password manager. Learn about password security strategy or see example here.
Password Management for Business, Teams & Enterprise
Simple. Secure. Effective
Find out more
Password Policy Compliance
A secure password policy is easy when users don’t have to remember any passwords.
Two Factor that Just Works
By supporting multiple methods of 2FA, OnlyKey is the most universally supported token available on the market today! Chances are that if an app supports two-factor authentication, OnlyKey is compatible.
Easy Management and Training
One device to manage and one PIN to remember. Train users to access everything in an hour or less.
A trusted security consultant with internationally recognized security credentials will guide you to implement best practices.
OnlyKey is protected with a clear potting compound that provides:
1) Durability – OnlyKey is crush and impact resistant, it stands up to abuse. You can carry it on your keychain, in your pocket, etc.
2) Waterproof – Accidentally leave your OnlyKey in your pocket and it goes through the washing machine? No problem.
3) Transparency – It is possible to visually verify that things have not been tampered with and there is not a hardware backdoor installed.
To provide even more durability and style OnlyKey color cases are available. Choose a color that fits your style – Stealth Black, Guardian Blue, Hacker Green, or Resistance Red.
Buy now for $8.99 with free shipping anywhere in US
1) The site you use is breached (i.e. Yahoo, LinkedIn, Target, Anthem, Sony etc.)
If the site you use is breached the attacker may be able to get your password in a couple of ways.
a) They get a dump of all passwords in clear text.
b) They get a hashed dump of all passwords.
If a), then it does not matter how long or complex your password is; they have got it.
If b) then the attacker has to crack the passwords and only the weak passwords will be obtained.
OnlyKey addresses b) by allowing users to set strong 32 character passwords that cannot be cracked by an attacker. And they are actually usable since you don’t have to remember them, they are stored on your OnlyKey and typed out for you.
OnlyKey addresses a) by making two-factor authentication usable for users and compatible with the largest number of sites. If two-factor authentication is used then even if an attacker has your password they still can’t access your account and you are protected.
2) The computer you use is hacked (you click on a malicious website or download malware accidentally)
If the computer you use is hacked and you use a software password manager like LastPass, Dashlane, or even KeePass the attacker is in your computer and can see everything that you can see including your passwords. This is scary considering that now instead of just having one account compromised a hacker has access to everything in one fell swoop. In fact if this happens you would have been better off to have not used a password manager in the first place as a hacker would have a more difficult time in finding out what accounts you had.
If the computer you use is compromised the attacker may be able to get your passwords in a couple of ways.
a) They log all of your keyboard input (Keylogger) or clipboard if using a software password manager
b) They wait until you unlock your software password manager like Lastpass and download the entire database of passwords for all of your accounts.
OnlyKey addresses b) by storing everything offline. Essentially OnlyKey is secure by design so that you can only ever write or wipe passwords stored on the OnlyKey. If an attacker gains access to your computer there are no passwords stored there to steal. Even if your OnlyKey is plugged in and unlocked there is no way to download or copy information from the OnlyKey.
OnlyKey addresses a) by making two-factor authentication usable for users and compatible with the largest number of sites. If two-factor authentication is used then even if an attacker captures your password they still can’t access your account without obtaining your one-time password. One time passwords used by Yubikey OTP are only valid once and Google Authenticator OTPs are only valid once and for a short period of time, usually 30 seconds.
3) Your cloud based password manager was compromised.
In this scenario you have chosen the convenience of having passwords accessible anywhere you go with the security trade off being that they are being stored online in the cloud. The provider assures you that the accounts will never be hacked but they missed something and now an attacker has access to every account you own.
What this means is that if you lose your OnlyKey it is essentially a brick without the PIN, nothing can be read from or written to it.
If an attacker tries to guess the PIN it will wipe all data after 10 failed attempts.
What about getting my accounts back? This is where the secure encrypted backup anywhere comes in. You can create encrypted backups anywhere by just holding the #1 button down on the OnlyKey. This means that only a physical person can initiate a backup (not malware) and it essentially types out the encrypted file so you can save it anywhere in a text file, email, etc.
To restore your data if you lose your OnlyKey, you can restore this backup to a new OnlyKey, or if you like to plan ahead, get a secondary OnlyKey and restore your backup so it is ready in case your primary is lost.
Read more about the technical physical hardware security and encrypted backup feature in the users guide here.
OnlyKey is supported by any device that would support a USB keyboard. This includes Android devices and even iPhone 7 using USB OTG adapter.
| Phone Model | Supported | Required Adapter |
|---|---|---|
| iPhone/iPad (iOS 9.2+) with Lightning port | Password manager and Yubikey OTP | Lightning to USB OTG Adapter available here |
| Android with USB Micro port | Password manager and Yubikey OTP | USB Micro OTG w/Key chain Adapter available here |
| Android with USB C port | Password manager and Yubikey OTP | USB C OTG Adapter available here |
Note: FIDO U2F via USB and Google Authenticator via USB are not currently supported on mobile devices.
Why is decentralized important?
Take a real-world example like Lavabit. In May 2014 the owner of the service, Ladar Levison, abruptly shut down his secure email service after, it is speculated, he received a National Security Letter from the NSA. This service was centralized, so Ladar had the ability to see his customers’ information. Ultimately, he decided to shut down his service rather than give up his customers: “I was forced to make a difficult decision: violate the rights of the American people and my global customers or shut down. I chose Freedom.”
What is unknown is how many other companies have centralized technology and chose to not shut down and gave up their customers instead. All centralized security solutions have one thing in common, a single point of failure, and so they should never be trusted.
So what would happen if CryptoTrust received a similar letter?
We would comply with the order and at the same time 100% protect customers. This is possible because OnlyKey is a decentralized solution. We have zero knowledge of customers’ sensitive data and we don’t manage or store any keys. All of the keys are created by you, either by directly loading them onto the OnlyKey or by being generated randomly using our patent pending method that uses input like the conductivity of your skin when pressing the buttons to create secure random keys.
In addition to PIN security, OnlyKey has functionality that smart cards do not, like password management and SSH login, and is universally supported without the need for drivers to be installed. The OnlyKey is detected by the computer as a keyboard and no middleware or special drivers are required. OnlyKey can literally be plugged in and used on a computer that you have never used before and it works without installing anything.
In conclusion, SMS codes are definitely better than nothing but should not be used to protect accounts that you really care about.
What’s Different About OnlyKey
When OnlyKey was first released in 2016 it changed the game for managing secure passwords and two factor. Unlike software password managers, the OnlyKey password manager works practically everywhere and with everything. Not limited to just a browser, it can be used to enter the password to unlock your computer or pretty much anything that has a password. If you can type the password, OnlyKey can type the password for you; no more remembering passwords. Everything is protected in hardware and not stored on your computer, so unlike software password managers, where a hacked computer means game over for all of your accounts, OnlyKey keeps your information secure offline. If you lose OnlyKey, no problem: it is PIN protected and can’t be used without the PIN, and if the wrong PIN is entered too many times the data will self-destruct. Secure backups of your data are easy too and encrypted with the strongest encryption available.
OnlyKey Feature List
Portable. Durable. Waterproof
On-the-go – Easily attach and detach the OnlyKey to your keychain and bring it everywhere you go.
Manages up to 24 accounts including Username/URL, password, and 2FA method for each account.
In a pinch and want to wipe your OnlyKey? Enter your self-destruct PIN to wipe EVERYTHING! Plus you can always restore from backup easily.
A PIN code must be typed onto the 6 button keypad of the OnlyKey in order to unlock it.
Automatic Lock Feature
Want your OnlyKey to automatically lock itself after being inactive for 30 minutes? No problem, this is customizable.
Advanced Hardware Security
Once a PIN has been set on your OnlyKey it locks down the hardware so that even if an attacker gains physical access to your OnlyKey, without the correct PIN it will essentially be a brick.
One of the great things about OnlyKey is that new features can be added to the open source firmware. See our new features in action
Supports Windows, Mac OS, Android, Linux, and Chrome OS with Google Chrome. Driverless operation – Recognized by computer as a regular keyboard.
Universal 2-Factor Token
Supports Google Authenticator (TOTP), Yubikey® compatible OTP, and Universal 2nd Factor (U2F).
Plausible Deniability Feature
The first and only hardware solution where only you hold the keys + no proof there even are keys! Travel abroad without having to give up your encryption keys/passwords.
International Keyboard Layouts
OnlyKey is the first device to allow changing your keyboard layout on the fly. Traveling internationally is a breeze.
User Selectable Type Speed Feature
Want your OnlyKey to type out information faster or slower? No problem, this is customizable.
Use the OnlyKey for SSH authentication where your SSH key remains securely stored in hardware and not available to attackers.
Encrypted Backup Anywhere
OnlyKey types out the encrypted backup so it works anywhere independent of apps. See our new features in action
Compare Vs. Leading Password Manager
Already use a software password manager? No problem, store your most valuable passwords in secure hardware and keep using less secure software password manager for less valuable accounts. Find out more here.
OnlyKey Standard Edition
1. As we wrote about back in 2015 here, an attacker can easily bypass Lastpass 2 factor authentication. This attack is enabled by default on Lastpass accounts.
2. If an attacker has access to your computer it is game over for software password managers and all of your accounts in one fell swoop (sometimes they don’t even need that). There are many ways that your computer can be hacked, such as opening an untrusted file or even just browsing to a malicious site. Even if your software password manager has the most restrictive setting possible with 2 factor enabled, all the attacker has to do is wait for you to unlock it and then dump and steal all of your passwords. Pretty scary stuff, and this is why we recommend not trusting important accounts to a software password manager. OnlyKey, on the other hand, is offline: it requires you to enter a PIN and requires the user’s physical presence to authenticate, which even a hacker who has access to your computer can’t simulate.
3. By supporting strong 2 factor methods like U2F and strong uncrackable passwords, even if a site is breached and the attacker gains sensitive information, they won’t be able to log into your account.
4. One of the best things about OnlyKey is that it is plug-and-go. No Internet, no problem: your passwords to unlock offline accounts or your laptop are still accessible.
Compare Vs. Leading Token
OnlyKey Standard Edition
5. YubiKey® has no locking mechanism so if you drop it and someone picks it up they can just plug it in and access your passwords or use your 2nd factor. OnlyKey automatically locks after a set period of time when plugged in and always is locked when powered off. Trying to guess a PIN will wipe the OnlyKey so no sensitive information can be obtained if lost or stolen.
For any questions regarding bulk pricing, don’t hesitate to contact us!
See How it Works
On the face of the OnlyKey is a 6 button keypad which serves two purposes.
1. In order to enable the device for use, a PIN must be entered. This way if OnlyKey is ever lost or stolen, it will be unusable without knowing the PIN.
2. In order to log in to an account, the button assigned to the account must be pressed. Each button can store two accounts. Hold the button for less than one second and the first account is activated, hold for more than one second and the second account is activated. Each account can store username/URL, password, and 2FA method (Yubikey OTP, Google Authenticator, or U2F). Below is a screenshot of the App used to configure the OnlyKey.
Easy 3 Step Setup!
Wouldn’t it be nice to know that your data is protected, and if you are in a pinch or forced to give up your PIN there is an easy way to make sure that your data does not get into the wrong hands?
Plausible Deniability (International Travel Edition and Standard Edition)
Wouldn’t it be nice to be able to travel to a country where encryption is illegal, or to a country where it is against the law to refuse to give up your password to authorities, and be able to comply without actually giving any access to your accounts?
Find out more about Plausible Deniability and how to travel internationally with digital privacy intact here!
OnlyKey Return / Refund Policy
We follow the Amazon.com return policy. You may return items within 30 days of delivery. Item must be in original packaging and in the same condition that you received it. Once we receive your item, we will inspect it and notify you that we have received your returned item. If your return is approved, we will initiate a refund to your original method of payment.
Yubico® and Yubikey® are the registered trademarks of Yubico® AB. OnlyKey is not associated with or sponsored by Yubico® AB. Yubikey® OTP has been released by Yubico® as open source software with license found here
See website terms of service here