OnlyKey International Version
Note: Users are free to change the version of their OnlyKey at any time by loading open source firmware.
OnlyKey Color Pre-order now open!
Want one? – We are accepting pre-orders here:
OnlyKey Color (US Version)
1) The site you use is breached (i.e. Yahoo, LinkedIn, Target, Anthem, Sony etc.)
If the site you use is breached the attacker may be able to get your password in a couple of ways.
a) They get a dump of all passwords in clear text.
b) They get a hashed dump of all passwords.
If a), then it does not matter how long or complex your password is: they have got it.
If b) then the attacker has to crack the passwords and only the weak passwords will be obtained.
OnlyKey addresses b) by allowing users to set strong 32 character passwords that cannot be cracked by an attacker. They are actually usable, since you don’t have to remember them: they are stored on your OnlyKey and typed out for you.
OnlyKey addresses a) by making two-factor authentication usable for users and compatible with the largest number of sites. If two-factor authentication is used then even if an attacker has your password they still can’t access your account and you are protected.
2) The computer you use is hacked (you click on a malicious website or download malware accidentally)
If the computer you use is hacked and you use a software password manager like LastPass, Dashlane, or even KeePass the attacker is in your computer and can see everything that you can see including your passwords. This is scary considering that now instead of just having one account compromised a hacker has access to everything in one fell swoop. In fact if this happens you would have been better off to have not used a password manager in the first place as a hacker would have a more difficult time in finding out what accounts you had.
If the computer you use is compromised the attacker may be able to get your passwords in a couple of ways.
a) They log all of your keyboard input (Keylogger) or clipboard if using a software password manager
b) They wait until you unlock your software password manager like Lastpass and download the entire database of passwords for all of your accounts.
OnlyKey addresses b) by storing everything offline. Essentially OnlyKey is secure by design so that you can only ever write or wipe passwords stored on the OnlyKey. If an attacker gains access to your computer there are no passwords stored there to steal. Even if your OnlyKey is plugged in and unlocked there is no way to download or copy information from the OnlyKey.
OnlyKey addresses a) by making two-factor authentication usable for users and compatible with the largest number of sites. If two-factor authentication is used then even if an attacker captures your password they still can’t access your account without obtaining your one-time password. One time passwords used by Yubikey OTP are only valid once and Google Authenticator OTPs are only valid once and for a short period of time, usually 30 seconds.
3) Your cloud based password manager was compromised.
In this scenario you have chosen the convenience of having passwords accessible anywhere you go with the security trade off being that they are being stored online in the cloud. The provider assures you that the accounts will never be hacked but they missed something and now an attacker has access to every account you own.
By setting one of the slots to just use U2F, OnlyKey can provide two-factor authentication for an unlimited number of accounts.
By setting one of the slots to just use Yubikey OTP, OnlyKey can provide two-factor authentication for an unlimited number of accounts.
OnlyKey can replace but does not have to replace existing software password managers. By setting one of the slots to the login of a software password manager like Lastpass, OnlyKey can be extended to protect an unlimited number of accounts. One use case for this would be storing your most important accounts directly on the OnlyKey and then your less important accounts in a software password manager with two-factor authentication enabled.
Additionally, SSH support allows storing an SSH Private Key that can be used to authenticate to an unlimited number of devices and services using the OnlyKey Agent here.
In addition to PIN security, OnlyKey has functionality that smart cards do not, such as password management and SSH login, and it is universally supported without the need for drivers to be installed. The OnlyKey is detected by the computer as a keyboard and no middleware or special drivers are required. OnlyKey can literally be plugged in and used on a computer that you have never used before and it works without installing anything.
In conclusion, SMS codes are definitely better than nothing but should not be used to protect accounts that you really care about.
OnlyKey is the world’s first password manager that can keep your accounts safe even if your computer is hacked or a website is breached. OnlyKey does this by storing your passwords in secure hardware offline and by supporting strong two-factor authentication methods like U2F.
Compare Vs. Leading Password Manager
OnlyKey U.S. Version
1. As we wrote about back in 2015 here, an attacker can easily bypass Lastpass 2 factor authentication. This attack is enabled by default on Lastpass accounts.
2. If an attacker has access to your computer it is game over for software password managers and all of your accounts in one fell swoop (sometimes they don’t even need that). There are many ways that your computer can be hacked, such as opening an untrusted file or even just browsing to a malicious site. Even if your software password manager has the most restrictive setting possible with 2 factor enabled, all the attacker has to do is wait for you to unlock it and then dump and steal all of your passwords. Pretty scary stuff, and this is why we recommend not trusting important accounts to a software password manager. OnlyKey, on the other hand, is offline: it requires you to enter a PIN and requires the user's physical presence to authenticate, which even a hacker who has access to your computer can’t simulate.
3. By supporting strong 2 factor methods like U2F and strong uncrackable passwords, OnlyKey ensures that even if a site is breached and the attacker gains sensitive information, they won’t be able to log into your account.
4. One of the best things about OnlyKey is that it is plug-and-go. No Internet, no problem: your passwords to unlock offline accounts or your laptop are still accessible.
Compare Vs. Leading Token
OnlyKey U.S. Version
5. YubiKey has no locking mechanism, so if you drop it and someone picks it up they can just plug it in and access your passwords or use your 2nd factor. OnlyKey automatically locks after a set period of time when plugged in and is always locked when powered off. Trying to guess a PIN will wipe the OnlyKey, so no sensitive information can be obtained if it is lost or stolen.
For any questions regarding bulk pricing, don’t hesitate to contact us!
Manages up to 24 accounts including Username/URL, password, and 2FA method for each account.
On-the-go – Comes with a keychain accessory to easily attach and detach the OnlyKey from your keychain.
A 7-10 digit PIN must be typed onto the 6 button keypad of the OnlyKey in order to unlock it. If 10 incorrect PINs are entered, your OnlyKey will perform a factory reset, wiping all sensitive information.
Set this PIN code whenever you first set up your OnlyKey and then if you or anyone else ever enters it the OnlyKey wipes all of the sensitive data you have stored on it.
Advanced Hardware Security
Once a PIN has been set on your OnlyKey it locks down the hardware so that even if an attacker gains physical access to your OnlyKey, without the correct PIN it will essentially be a brick.
Automatic Lock Feature
Want your OnlyKey to automatically lock itself after being inactive for 30 minutes? No problem, this is customizable.
PGP Support (Coming Soon)
One of the great things about OnlyKey is that new features can be added to the open source firmware.
Universal 2-Factor Token
Supports Google Authenticator (TOTP), Yubikey compatible OTP, and Universal 2nd Factor (U2F).
Driverless operation – Recognized by computer as a regular keyboard. Supports Windows, Mac OS X, and Linux with Google Chrome.
International Keyboard Layouts
Do you live in or travel to a country where the default keyboard layout is different? No problem, OnlyKey is the first device to allow changing your keyboard layout on the fly.
Plausible Deniability Feature
Set this PIN code whenever you first set up your OnlyKey and then if you or anyone else ever enters it the OnlyKey opens up a fake profile that is identical to the real profile of the international version OnlyKey. The goal of this feature is that it is impossible to prove that another profile even exists. This way you can plausibly deny that the OnlyKey uses encryption. Is it just a basic password manager or is there another hidden profile that is only activated if you know the secret PIN? Travel abroad with confidence, keeping your data encrypted with no proof that you are doing so.
User Selectable Type Speed Feature
Want your OnlyKey to type out information faster or slower? No problem, this is customizable.
Copy of SSH Authentication
Use the OnlyKey for SSH authentication where your SSH key remains securely stored in hardware and not available to attackers.
See How it Works
On the face of the OnlyKey is a 6 button keypad which serves two purposes.
1. In order to enable the device for use, a PIN must be entered. This way if OnlyKey is ever lost or stolen, it will be unusable without knowing the PIN.
2. In order to log in to an account, the button assigned to the account must be pressed. Each button can store two accounts. Hold the button for less than one second and the first account is activated, hold for more than one second and the second account is activated. Each account can store username/URL, password, and 2FA method (Yubikey OTP, Google Authenticator, or U2F). Below is a screenshot of the App used to configure the OnlyKey.
Easy 3 Step Setup!
Wouldn’t it be nice to know that your data is protected, and if you are in a pinch or forced to give up your PIN there is an easy way to make sure that your data does not get into the wrong hands?
Plausible Deniability (International and U.S. Versions of Firmware)
Wouldn’t it be nice to be able to travel to a country where encryption is illegal, or to a country where it is against the law to refuse to give up your password to authorities, and be able to comply without actually giving any access to your accounts?