


Store accounts securely with only one PIN to remember

Up to 24 unique accounts
OnlyKey stores up to 24 unique accounts in offline storage and can be used to secure an unlimited number of accounts if used in conjunction with a software password manager.
While most users have hundreds of accounts they need to protect, only a handful of those accounts are most valuable. With this hybrid prioritized approach you don’t just have to hope that you don’t get hacked, you can conveniently do something about it.

Password Management for Business, Teams & Enterprise

Simple. Secure. Effective

Find out more
  • Password Policy Compliance

    A secure password policy is easy when users don’t have to remember any passwords.

  • Two Factor that Just Works

    By supporting multiple methods of 2FA, OnlyKey is the most universally supported token available on the market today! Chances are that if an app supports two-factor authentication, OnlyKey is compatible.

  • Easy Management and Training

    One device to manage and one PIN to remember. Train users to access everything in an hour or less.

  • Integration Support

    A trusted security consultant with internationally recognized security credentials will guide you to implement best practices.


OnlyKey is protected with a clear potting compound that provides:
1) Durability – OnlyKey is crush and impact resistant and stands up to abuse. You can carry it on your keychain, in your pocket, etc.

2) Waterproof – Accidentally leave your OnlyKey in your pocket and it goes through the washing machine? No problem.

3) Transparency – It is possible to visually verify that things have not been tampered with and there is not a hardware backdoor installed.

To provide even more durability and style OnlyKey color cases are available. Choose a color that fits your style – Stealth Black, Guardian Blue, Hacker Green, or Resistance Red.

Buy now for $8.99, free shipping anywhere in US

International Buyers – Buy now for $8.99 plus shipping

This case fits both the OnlyKey Original and the OnlyKey Color.

First, it is important to understand how accounts are hacked. There are several ways, and OnlyKey has unique features that prevent each type.

1) The site you use is breached (i.e. Yahoo, LinkedIn, Target, Anthem, Sony etc.)

If the site you use is breached the attacker may be able to get your password in a couple of ways.

a) They get a dump of all passwords in clear text.
b) They get a hashed dump of all passwords.

If a), then it does not matter how long or complex your password is; they have got it.

If b) then the attacker has to crack the passwords and only the weak passwords will be obtained.

OnlyKey addresses b) by allowing users to set strong 32 character passwords that cannot be cracked by an attacker. And they are actually usable since you don’t have to remember them, they are stored on your OnlyKey and typed out for you.

OnlyKey addresses a) by making two-factor authentication usable for users and compatible with the largest number of sites. If two-factor authentication is used then even if an attacker has your password they still can’t access your account and you are protected.

2) The computer you use is hacked (you click on a malicious website or download malware accidentally)

If the computer you use is hacked and you use a software password manager like LastPass, Dashlane, or even KeePass the attacker is in your computer and can see everything that you can see including your passwords. This is scary considering that now instead of just having one account compromised a hacker has access to everything in one fell swoop. In fact if this happens you would have been better off to have not used a password manager in the first place as a hacker would have a more difficult time in finding out what accounts you had.

If the computer you use is compromised the attacker may be able to get your passwords in a couple of ways.

a) They log all of your keyboard input (keylogger), or your clipboard if you use a software password manager.
b) They wait until you unlock your software password manager, like LastPass, and download the entire database of passwords for all of your accounts.

OnlyKey addresses b) by storing everything offline. Essentially OnlyKey is secure by design so that you can only ever write or wipe passwords stored on the OnlyKey. If an attacker gains access to your computer there are no passwords stored there to steal. Even if your OnlyKey is plugged in and unlocked there is no way to download or copy information from the OnlyKey.

OnlyKey addresses a) by making two-factor authentication usable for users and compatible with the largest number of sites. If two-factor authentication is used then even if an attacker captures your password they still can’t access your account without obtaining your one-time password. One time passwords used by Yubikey OTP are only valid once and Google Authenticator OTPs are only valid once and for a short period of time, usually 30 seconds.
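The "valid once and for about 30 seconds" property of Google Authenticator style codes described above, as an added example (not OnlyKey firmware or code from this page): an RFC 6238 TOTP generator and a server-side check in Python that refuses a captured code once it has been used or once its time step has passed. The secret is the RFC test value, and the names `TotpVerifier` and `demo` are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds a code stays valid, the usual value mentioned above
SECRET = b"12345678901234567890"  # RFC 6238 test secret, not a real key


def totp(secret: bytes, now: float, digits: int = 6, step: int = STEP) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, the Google Authenticator default."""
    counter = int(now // step)  # number of 30 s steps since the Unix epoch
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226, section 5.3)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Hypothetical server-side check: each time step is accepted at most once.

    No clock-skew tolerance is applied here; a deployment that accepts
    neighbouring steps still has to remember the last accepted step.
    """

    def __init__(self, secret: bytes, step: int = STEP):
        self.secret = secret
        self.step = step
        self.last_counter = -1  # highest time step already accepted

    def verify(self, code: str, now: float) -> bool:
        counter = int(now // self.step)
        if counter <= self.last_counter:
            return False  # a code for this step was already used: replay
        expected = totp(self.secret, now, step=self.step)
        if not hmac.compare_digest(code.encode(), expected.encode()):
            return False  # wrong code, or a code from an expired step
        self.last_counter = counter
        return True


def demo() -> list:
    """Constructed scenario: a keylogger captures the code typed at t=59 s."""
    verifier = TotpVerifier(SECRET)
    captured = totp(SECRET, 59)
    return [
        verifier.verify(captured, 59),         # legitimate login succeeds
        verifier.verify(captured, 59),         # immediate replay is refused
        verifier.verify(captured, 61),         # next 30 s step: code expired
        verifier.verify(totp(SECRET, 61), 61), # fresh code is accepted
    ]


if __name__ == "__main__":
    print(demo())
```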

3) Your cloud based password manager was compromised.

In this scenario you have chosen the convenience of having passwords accessible anywhere you go with the security trade off being that they are being stored online in the cloud. The provider assures you that the accounts will never be hacked but they missed something and now an attacker has access to every account you own.

The data stored on OnlyKey is encrypted with military grade encryption (AES-256-GCM) and most importantly is PIN protected.

What this means is that if you lose your OnlyKey it is essentially a brick without the PIN; nothing can be read from or written to it.

If an attacker tries to guess the PIN it will wipe all data after 10 failed attempts.

What about getting my accounts back? This is where the secure encrypted backup anywhere comes in. You can create encrypted backups anywhere by just holding the #1 button down on the OnlyKey. This means that only a physical person can initiate a backup (not malware) and it essentially types out the encrypted file so you can save it anywhere in a text file, email, etc.

To restore your data if you lose your OnlyKey, you can restore this backup to a new OnlyKey. If you like to plan ahead, get a secondary OnlyKey and restore your backup to it so it is ready in case your primary is lost.

Read more about the technical physical hardware security and encrypted backup feature in the users guide here.

OnlyKey is supported by any device that would support a USB keyboard. This includes Android devices and even iPhone 7 using USB OTG adapter.

Phone Model | Supported | Required Adapter
iPhone/iPad (iOS 9.2+) with Lightning port | Password manager and Yubikey OTP | Lightning to USB OTG Adapter available here
Android with USB Micro port | Password manager and Yubikey OTP | USB Micro OTG w/Key chain Adapter available here
Android with USB C port | Password manager and Yubikey OTP | USB C OTG Adapter available here

Note: FIDO U2F via USB and Google Authenticator via USB are not currently supported on mobile devices.

First and foremost OnlyKey is open source and free of backdoors. Secret keys are generated by you and accessible only to you. Unlike our competitors, we believe in a decentralized model where you have the freedom to control and verify everything on the OnlyKey.

Why is decentralized important?

Take a real world example like Lavabit. In May 2014 the owner of the service, Ladar Levison, abruptly shut down his secure email service after, it is speculated, he received a National Security Letter from the NSA. This service was centralized, so Ladar had the ability to see his customers' information. Ultimately, he decided to shut down his service rather than give up his customers: “I was forced to make a difficult decision: violate the rights of the American people and my global customers or shut down. I chose Freedom.”

What is unknown is how many other companies have centralized technology and chose to not shut down and gave up their customers instead. All centralized security solutions have one thing in common, a single point of failure, and so they should never be trusted.

So what would happen if CryptoTrust received a similar letter?

We would comply with the order and at the same time 100% protect customers. This is possible because OnlyKey is a decentralized solution. We have zero knowledge of customers’ sensitive data and we don’t manage or store any keys. All of the keys are created by you, either by directly loading them onto the OnlyKey or by being generated randomly using our patent pending method that uses input like the conductivity of your skin when pressing the buttons to create secure random keys.

Smart Cards are commonly used to provide two-factor authentication and decryption/signing for things like email. Unfortunately, if the computer that a smart card is plugged into is compromised by an attacker then the security of the smart card is compromised. All the attacker has to do is capture the keyboard output (keylogging) and they can capture the user's smart card PIN. With this PIN they can then authenticate to anything that the user has access to and also decrypt/sign emails as if the user had done so. This is a serious threat and one of the reasons that the OnlyKey project was started. With OnlyKey your PIN is entered on the 6 digit keypad located on the device itself, which does not in any way send this PIN to the connected computer. In this way the PIN entry is offline and inaccessible to an attacker who has compromised the connected computer.

In addition to PIN security, OnlyKey has functionality that smart cards do not, such as password management and SSH login, and it is universally supported without the need for drivers to be installed. The OnlyKey is detected by the computer as a keyboard and no middleware or special drivers are required. OnlyKey can literally be plugged in and used on a computer that you have never used before and it works without installing anything.

There are a variety of hardware and software tokens out there. Some support U2F and others support Yubikey OTP and yet others support Google Authenticator (TOTP). Unfortunately for users not all websites support all of these. There is no standardization of two-factor support among websites so in order to log in using a token you often need multiple tokens and apps. OnlyKey set out to address this issue and make two-factor authentication usable by supporting the methods most commonly used by websites. Additionally, by combining this with password management we can provide users with a secure login with the touch of a button. A one touch login is the kind of user experience we think that users want and that is what OnlyKey is all about.

This is a fairly easy question to answer. SMS codes are no longer considered secure and are no longer being recommended by NIST – http://fortune.com/2016/07/26/nist-sms-two-factor/. The reason is that there are many ways that SMS messages can be intercepted by an attacker. Cellular femtocells are one way, and we already know that all cell phone calls and SMS messages are available to government agencies in real time. Even if the government agencies are not misusing this information, what assurances are there that the data is being protected from bad actors, considering that the government agencies themselves have been hacked in the past? Then there is the concern of what happens when a website breach occurs: if an attacker already has access to a database with passwords, they may have access to the phone numbers that are assigned to accounts as well and can change these to whatever phone number they wish. Finally, the technology itself that is used for sending SMS messages is not very secure, so much so that anyone with $30 can build a device to intercept SMS messages and crack the messages in near real time – http://hackaday.com/2013/10/22/cracking-gsm-with-rtl-sdr-for-thirty-dollars/.

In conclusion, SMS codes are definitely better than nothing but should not be used to protect accounts that you really care about.

OnlyKey is a game changer

OnlyKey is the world’s first password manager that can keep your accounts safe even if your computer is hacked or a website is breached. OnlyKey does this by storing your passwords in secure hardware offline and by supporting strong two-factor authentication methods like U2F.

  • Where Convenience and Security Meet – OnlyKey is dual use. It functions as a password manager and a two-factor token. You can plug OnlyKey into any computer, press a button, and it types out a username and password the same as if you typed it yourself; but with one big difference, you don’t have to remember passwords! OnlyKey does that for you. This allows using very complex and secure passwords that cannot be cracked by any available methods.

  • Secure by Design – Information can only be written to the OnlyKey or wiped. This protects your data even if the connected computer has been compromised. Unlike smartcards that are vulnerable to keylogger attacks, the PIN used to unlock OnlyKey is entered on the OnlyKey itself.

  • Two-Factor Options – By supporting multiple methods of 2FA, OnlyKey is the most universally supported token available on the market today! Chances are that if the website supports two-factor authentication, OnlyKey is compatible.

Portable and Durable

On-the-go – Comes with a keychain accessory to easily attach and detach the OnlyKey from your keychain.

Password Manager

Manages up to 24 accounts including Username/URL, password, and 2FA method for each account.

Self-Destruct Feature

In a pinch and want to wipe your OnlyKey? Enter your self-destruct PIN to wipe EVERYTHING! Plus you can always restore from backup easily.

PIN Protected

A PIN code must be typed onto the 6 button keypad of the OnlyKey in order to unlock it.

Automatic Lock Feature

Want your OnlyKey to automatically lock itself after being inactive for 30 minutes? No problem, this is customizable.

Advanced Hardware Security

Once a PIN has been set on your OnlyKey it locks down the hardware so that even if an attacker gains physical access to your OnlyKey, without the correct PIN it will essentially be a brick.

OpenPGP Support

One of the great things about OnlyKey is that new features can be added to the open source firmware. See our new features in action

Universal Support

Supports Windows, Mac OS, Android, Linux, and Chrome OS with Google Chrome. Driverless operation – Recognized by computer as a regular keyboard.

Universal 2-Factor Token

Supports Google Authenticator (TOTP), Yubikey compatible OTP, and Universal 2nd Factor (U2F).

Plausible Deniability Feature

The first and only hardware solution where only you hold the keys + no proof there even are keys! Travel abroad without having to give up your encryption keys/passwords.

International Keyboard Layouts

OnlyKey is the first device to allow changing your keyboard layout on the fly. Traveling internationally is a breeze.

User Selectable Type Speed Feature

Want your OnlyKey to type out information faster or slower? No problem, this is customizable.

SSH Authentication

Use the OnlyKey for SSH authentication where your SSH key remains securely stored in hardware and not available to attackers.

Encrypted Backup Anywhere

OnlyKey types out the encrypted backup so it works anywhere independent of apps. See our new features in action

Compare Vs. Leading Password Manager

Already use a software password manager? No problem, store your most valuable passwords in secure hardware and keep using a less secure software password manager for less valuable accounts. Find out more here.


  • Software Password Manager
  • Stores Unlimited Accounts
  • Supports 2 factor authentication to protect passwords
  • 2 factor authentication can’t be bypassed by hacker [1]
  • Can protect your accounts even if computer is compromised [2]
  • Can protect your accounts even if site is compromised [3]
  • Take your passwords with you even without Internet [4]
  • Functions as a 2-Factor Token [3]
  • Open Source

[1] As we wrote about back in 2015 here, an attacker can easily bypass LastPass 2 factor authentication. This attack is enabled by default on LastPass accounts.

[2] If an attacker has access to your computer it is game over for software password managers and all of your accounts in one fell swoop (sometimes they don’t even need that). There are many ways that your computer can be hacked, such as opening an untrusted file or even just browsing to a malicious site. Even if your software password manager has the most restrictive setting possible with 2 factor enabled, all the attacker has to do is wait for you to unlock it and then dump and steal all of your passwords. Pretty scary stuff, and this is why we recommend not trusting important accounts to a software password manager. OnlyKey, on the other hand, is offline. It requires you to enter a PIN and requires the user's physical presence to authenticate, which even a hacker who has access to your computer can’t simulate.

[3] By supporting strong 2 factor methods like U2F and strong uncrackable passwords, even if a site is breached and the attacker gains sensitive information, they won’t be able to log into your account.

[4] One of the best things about OnlyKey is that it is plug-and-go. No Internet, no problem: your passwords to unlock offline accounts or your laptop are still accessible.

Compare Vs. Leading Token

Yubikey NEO

  • Stores up to 2 passwords
  • N/A Does not store usernames/URLs
  • N/A Does not store Google Authenticator OTP accounts
  • Supports U2F 2 factor authentication for an unlimited number of sites
  • Supports Yubikey OTP 2 factor authentication for an unlimited number of sites
  • Device Locking – If lost or stolen no sensitive information can be obtained [5]
  • Open Source
  • Supports NFC (NFC only works on select Android phones and no iPhones)

[5] YubiKey has no locking mechanism so if you drop it and someone picks it up they can just plug it in and access your passwords or use your 2nd factor. OnlyKey automatically locks after a set period of time when plugged in and always is locked when powered off. Trying to guess a PIN will wipe the OnlyKey so no sensitive information can be obtained if lost or stolen.

For any questions regarding bulk pricing, don’t hesitate to contact us!

See How it Works

On the face of the OnlyKey is a 6 button keypad which serves two purposes.

1. In order to enable the device for use, a PIN must be entered. This way if OnlyKey is ever lost or stolen, it will be unusable without knowing the PIN.

2. In order to log in to an account, the button assigned to the account must be pressed. Each button can store two accounts. Hold the button for less than one second and the first account is activated, hold for more than one second and the second account is activated. Each account can store username/URL, password, and 2FA method (Yubikey OTP, Google Authenticator, or U2F). Below is a screenshot of the App used to configure the OnlyKey.

Easy 3 Step Setup!

Additional Information


Wouldn’t it be nice to know that your data is protected, and if you are in a pinch or forced to give up your PIN there is an easy way to make sure that your data does not get into the wrong hands?

Plausible Deniability (International Travel Edition and Standard Edition)

Wouldn’t it be nice to be able to travel to a country where encryption is illegal, or to a country where it is against the law to refuse to give up your password to authorities, and be able to comply without actually giving any access to your accounts?

Read more about this feature in our user’s guide
Find out more about Plausible Deniability and how to travel internationally with digital privacy intact here!

OnlyKey Return / Refund Policy

We follow the Amazon.com return policy. You may return items within 30 days of delivery. Item must be in original packaging and in the same condition that you received it. Once we receive your item, we will inspect it and notify you that we have received your returned item. If your return is approved, we will initiate a refund to your original method of payment.