Frequently Asked Questions
Just getting started with OnlyKey? Start here
OnlyKey is protected with a tamper-resistant and chemical-resistant compound that provides:
1) Durability - OnlyKey is crush and impact resistant; it stands up to abuse. You can carry it on your keychain, in your pocket, etc.
2) Waterproof - Accidentally leave your OnlyKey in your pocket and it goes through the washing machine? No problem.
3) Tamper-evident / Tamper-resistant - Attempts by an adversary to access the electronics inside of OnlyKey will create visible damage.
4) Transparency - The protective compound is clear so that it is possible to visually verify the electronic components (verify no hardware backdoor).
First, it is important to understand how accounts are hacked, as there are several ways, and OnlyKey has unique features that prevent each type.

1) The site you use is breached (i.e. Yahoo, LinkedIn, Target, Anthem, Sony etc.)
If the site you use is breached the attacker may be able to get your password in a couple of ways.
a) They get a dump of all passwords in clear text.
b) They get a hashed dump of all passwords.

If a), this is less likely to occur, as it usually requires that the service used very bad security practices. If it does occur, then it does not matter how long or complex the password is: that password is compromised.
If b), then the attacker has to crack the passwords, and only the weak passwords will be compromised.

OnlyKey addresses b) by allowing users to set strong passwords, up to 56 characters long, that cannot practically be cracked. And they are actually usable, since you don't have to remember them: they are stored on your OnlyKey and typed out for you.

OnlyKey addresses a) by making two-factor authentication compatible with the largest number of sites, to ensure it is used. If two-factor authentication is used, then even if an attacker has your password they still can't access your account, and you are protected. Additionally, by using a random password for each site, a compromise of a password on one site will not affect other accounts.
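As an added illustration (not part of this FAQ and not code from the OnlyKey project), the Go program below generates random passwords of the kind described above and estimates the work an attacker with a hashed dump faces. The 94-symbol printable ASCII charset, the 56-character length and the guess rate of 10^12 per second are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
)

// passwordCharset is every printable ASCII character except space, '!' (33)
// through '~' (126): 94 symbols. Constructed for the example; a site's own
// rules may exclude some of them.
var passwordCharset = buildCharset()

func buildCharset() string {
	var chars []byte
	for c := byte('!'); c <= byte('~'); c++ {
		chars = append(chars, c)
	}
	return string(chars)
}

// GeneratePassword draws every character from crypto/rand. rand.Int returns a
// uniform value in [0, n), so no character is favoured (taking a byte modulo 94
// would be biased), and unlike math/rand the output is not predictable.
func GeneratePassword(length int) (string, error) {
	out := make([]byte, length)
	n := big.NewInt(int64(len(passwordCharset)))
	for i := range out {
		idx, err := rand.Int(rand.Reader, n)
		if err != nil {
			return "", err
		}
		out[i] = passwordCharset[idx.Int64()]
	}
	return string(out), nil
}

// EntropyBits is log2 of the number of possible passwords of the given length
// over charsetSize symbols, i.e. the work factor for guessing a random one.
func EntropyBits(length, charsetSize int) float64 {
	return float64(length) * math.Log2(float64(charsetSize))
}

// YearsToExhaust estimates how long trying every password takes at the given
// guess rate. Against a stolen hash dump the rate is set by the attacker's
// hardware and the hash function's cost, not by the website's login throttling.
func YearsToExhaust(bits, guessesPerSecond float64) float64 {
	return math.Pow(2, bits) / guessesPerSecond / (365.25 * 24 * 3600)
}

func main() {
	for _, length := range []int{8, 16, 56} {
		pw, err := GeneratePassword(length)
		if err != nil {
			panic(err)
		}
		bits := EntropyBits(length, len(passwordCharset))
		fmt.Printf("%2d chars: %s\n   %.0f bits; %.3g years at 10^12 guesses/s\n",
			length, pw, bits, YearsToExhaust(bits, 1e12))
	}
}
```

The contrast the program prints is the point of the answer above: an 8-character password from this charset falls in well under a day at that rate, while a 56-character one gives roughly 367 bits and is out of reach no matter how fast the hash is.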

2) The computer you use is hacked (you click on a malicious website or download malware accidentally)
If the computer you use is hacked and you use a software password manager like LastPass, Dashlane, or even KeePass, the attacker is in your computer and can see everything that you can see, including your passwords. This is scary, considering that instead of just one account being compromised, a hacker now has access to everything in one fell swoop. Even if two factors are required, an attacker can just wait for you to unlock your password manager; if you walk away from the computer without locking it, the attacker can start copying your passwords one by one. In fact, if this happens you might have been better off not using a password manager in the first place, as a hacker would have a harder time finding out what accounts you had.

If the computer you use is compromised the attacker may be able to get your passwords in a couple of ways.

a) They log all of your keyboard input (keylogger), or your clipboard if you use a software password manager.
b) They wait until you unlock your software password manager, like LastPass, and download the entire database of passwords or access them one by one.

OnlyKey addresses b) by storing everything offline (cold storage). Essentially, OnlyKey is secure by design, so that you can only ever write or wipe passwords stored on the OnlyKey. If an attacker gains access to your computer, there are no passwords stored there to steal. Even if your OnlyKey is plugged in and unlocked, there is no way to download or copy information from the OnlyKey.

OnlyKey addresses a) by making two-factor authentication usable for users and compatible with the largest number of sites. If two-factor authentication is used, then even if an attacker captures your password they still can't access your account without also obtaining your one-time password. One-time passwords used by YubiKey OTP are only valid once, and Google Authenticator OTPs are only valid once and for a short period of time, usually 30 seconds.
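The Go example below is added here to show how the time-based one-time passwords mentioned above work; it is not code from the OnlyKey project. It implements HOTP (RFC 4226) and TOTP (RFC 6238) over HMAC-SHA1, the scheme Google Authenticator uses, plus a server-side verifier that accepts each 30-second code only once. The secret is the RFC test secret, and the "remember the last accepted step" replay rule is the example's own design.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"math"
	"time"
)

// HOTP implements RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
// then "dynamic truncation" to a 31-bit integer, reduced to the wanted digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	msg := make([]byte, 8)
	binary.BigEndian.PutUint64(msg, counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg)
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	code %= uint32(math.Pow10(digits))
	return fmt.Sprintf("%0*d", digits, code)
}

// TOTP implements RFC 6238: the counter is the number of complete time steps
// since the Unix epoch, so one code covers a whole step (30 s by default).
func TOTP(secret []byte, unixTime, step int64, digits int) string {
	return HOTP(secret, uint64(unixTime/step), digits)
}

// TOTPVerifier is the server side. Besides the usual +/-1 step clock-skew
// window, it remembers the last accepted step so a captured code cannot be
// replayed within its 30-second validity: that is what makes the code one-time.
type TOTPVerifier struct {
	secret       []byte
	step         int64
	digits       int
	lastAccepted int64 // step of the last accepted code; -1 before any login
}

func NewTOTPVerifier(secret []byte, digits int) *TOTPVerifier {
	return &TOTPVerifier{secret: secret, step: 30, digits: digits, lastAccepted: -1}
}

func (v *TOTPVerifier) Verify(code string, now int64) bool {
	current := now / v.step
	for _, c := range []int64{current - 1, current, current + 1} {
		if c <= v.lastAccepted {
			continue // this step (or an older one) has already been used: reject replays
		}
		expected := HOTP(v.secret, uint64(c), v.digits)
		if hmac.Equal([]byte(expected), []byte(code)) { // constant-time compare
			v.lastAccepted = c
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test secret, not a real key
	now := time.Now().Unix()
	code := TOTP(secret, now, 30, 6)
	v := NewTOTPVerifier(secret, 6)
	fmt.Println("code:", code, "first use:", v.Verify(code, now), "replay:", v.Verify(code, now+5))
}
```

Without the lastAccepted check a keylogged code would still be good for the rest of its 30-second step, which is why a verifier has to track usage and not just the clock.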

3) Your cloud based password manager was compromised.
In this scenario you have chosen the convenience of having passwords accessible anywhere you go, with the security trade-off that they are stored online in the cloud. The provider assures you that the accounts will never be hacked, but they missed something, and now an attacker has access to every account you own. With OnlyKey you can store your most important accounts offline, so that they are never susceptible to this type of attack.
The data stored on OnlyKey is encrypted with military-grade encryption (AES-256-GCM) and, most importantly, is PIN protected.

What this means is that if you lose your OnlyKey, it is essentially a small paperweight without the PIN: nothing can be read from or written to it.

If an attacker tries to guess the PIN, all data is wiped after 10 failed attempts.

What about getting my accounts back? This is where the secure encrypted backup anywhere feature comes in. You can create an encrypted backup anywhere by just holding the #1 button down on the OnlyKey. This means that only a physical person can initiate a backup (not malware), and the OnlyKey types out the encrypted file so you can save it anywhere: a local text file, an email, etc.

To restore your data if you lose your OnlyKey, restore this backup to a new OnlyKey. Or, if you like to plan ahead, get a secondary OnlyKey and restore your backup to it so it is ready in case your primary is lost.
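The Go model below is added to make the PIN, wipe and backup properties described above concrete; it is not OnlyKey firmware and does not reflect how OnlyKey derives its keys or formats its backups. It assumes a key stretched from the PIN with SHA-256 over a random salt (a placeholder for a real key-derivation function and a per-device hardware secret), AES-256-GCM for the encryption, ten failed attempts before wiping, and a backup that is simply the sealed blob as base64 text.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

const (
	maxPinAttempts = 10
	saltSize       = 16
)

// Vault is a constructed model of a PIN-locked, AES-256-GCM encrypted store. It is
// not OnlyKey firmware; it only reproduces the behaviour the FAQ describes.
type Vault struct {
	salt   []byte
	sealed []byte // nonce || ciphertext || GCM tag
	failed int
	wiped  bool
}

// deriveKey turns the PIN into a 256-bit key. Assumed simplification: a real device
// would use a proper KDF and mix in a per-device hardware secret.
func deriveKey(pin string, salt []byte) []byte {
	key := sha256.Sum256(append([]byte(pin), salt...))
	for i := 0; i < 10000; i++ { // placeholder stretching to slow down guessing
		key = sha256.Sum256(key[:])
	}
	return key[:]
}

func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		panic(err) // only for a bad key length, which deriveKey rules out
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

func NewVault(pin string, secrets []byte) (*Vault, error) {
	salt := make([]byte, saltSize)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	gcm := newGCM(deriveKey(pin, salt))
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per seal
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Vault{salt: salt, sealed: gcm.Seal(nonce, nonce, secrets, nil)}, nil
}

// Unlock decrypts with the PIN. A wrong PIN gives a wrong key, so the GCM tag check
// fails; that counts as a failed attempt, and the tenth failure wipes the store.
func (v *Vault) Unlock(pin string) ([]byte, error) {
	if v.wiped {
		return nil, errors.New("vault has been wiped")
	}
	gcm := newGCM(deriveKey(pin, v.salt))
	ns := gcm.NonceSize()
	plain, err := gcm.Open(nil, v.sealed[:ns], v.sealed[ns:], nil)
	if err != nil {
		v.failed++
		if v.failed >= maxPinAttempts {
			v.sealed, v.salt, v.wiped = nil, nil, true // discard ciphertext and salt
		}
		return nil, fmt.Errorf("wrong PIN: %d of %d attempts used", v.failed, maxPinAttempts)
	}
	v.failed = 0 // a correct PIN resets the counter
	return plain, nil
}

func (v *Vault) IsWiped() bool { return v.wiped }

// ExportBackup returns salt || sealed as text; without the PIN it is only ciphertext.
func (v *Vault) ExportBackup() string {
	return base64.StdEncoding.EncodeToString(append(append([]byte{}, v.salt...), v.sealed...))
}

// RestoreBackup loads a backup onto a fresh Vault, e.g. a replacement device.
func RestoreBackup(text string) (*Vault, error) {
	blob, err := base64.StdEncoding.DecodeString(text)
	if err != nil {
		return nil, err
	}
	if len(blob) < saltSize+12+16 { // salt, GCM nonce, GCM tag
		return nil, errors.New("backup too short")
	}
	return &Vault{salt: blob[:saltSize], sealed: blob[saltSize:]}, nil
}
```

Two things the model makes visible: a wrong PIN is detected only because GCM authenticates the ciphertext (plain AES decryption with a wrong key would just yield garbage), and the attempt counter lives with the device, not with the backup text, so in this model the exported backup is protected only by the strength of the PIN-derived key. That is why the key derivation here is labelled a placeholder: a real device needs a proper KDF and a secret that is not guessable from the PIN alone.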

Read more about the technical physical hardware security and encrypted backup feature here.
Smart cards are commonly used to provide two-factor authentication and decryption/signing for things like email. Unfortunately, if the computer that a smart card is plugged into is compromised by an attacker, then the security of the smart card is compromised. All the attacker has to do is capture the keystrokes (keylogging) and they can capture the user's smart card PIN. With this PIN they can then authenticate to anything that the user has access to, and also decrypt/sign emails as if the user had done so. With OnlyKey, your PIN is entered on the 6-digit keypad located on the device itself, which does not in any way send this PIN to the connected computer. In this way the PIN entry is offline and inaccessible to an attacker who has compromised the connected computer.

In addition to PIN security, OnlyKey has functionality that smart cards do not, such as password management and SSH login, and it is universally supported without the need for drivers to be installed. The OnlyKey is detected by the computer as a keyboard, so no middleware or special drivers are required. OnlyKey can literally be plugged in and used on a computer that you have never used before, and it works without installing anything.
There are a variety of hardware and software tokens out there. Some support FIDO U2F, others support YubiKey OTP, and yet others support Google Authenticator (TOTP). Unfortunately for users, not all websites support all of these. There is no standardization of two-factor support among websites, so in order to log in using a token you often need multiple tokens and apps. OnlyKey set out to address this issue and make two-factor authentication usable by supporting the methods most commonly used by websites. Additionally, by combining this with password management, we can provide users with a secure login at the touch of a button.
The International Travel Edition firmware is essentially a feature-limited version of the OnlyKey. It is a fully functional password manager but does not utilize encryption, and so may be usable in countries where encryption is banned or restricted. More information here.
Depending on what your wipe mode is set to, it either wipes all sensitive data (erases your usernames, passwords, keys, etc.) or, if you are using full wipe mode, does a complete erase of the OnlyKey including sensitive data and all firmware (this requires reloading firmware).
Whenever you wish to wipe all sensitive data from the OnlyKey and restore it to a factory default state.
The firmware is signed in a blockchain fashion. As the OnlyKey is an embedded device, things like memory are limited, so verification of a complete firmware file would not be possible on the device. However, blocks of firmware can be signed along with the signature of the previous block to create a blockchain that can be verified by the OnlyKey bootloader. Additionally, firmware integrity is verified every time the device boots. In the event firmware verification fails, the device is wiped and signed firmware must be reloaded.
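Added example, not OnlyKey's bootloader or firmware-signing code: the Go program below builds and verifies a block-chained signed image of the kind the answer describes, so that the verifier never needs more than one block in memory. Ed25519 signatures, SHA-256 digests, a 1024-byte block and the inclusion of the block index and total block count in each signature are the example's own assumptions; the page does not describe OnlyKey's actual format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// blockSize is a constructed value: the verifier only ever needs this much
// firmware in RAM at once, plus the previous block's 64-byte signature.
const blockSize = 1024

type SignedBlock struct {
	Data []byte
	Sig  []byte
}

// FirmwareChain is the signed image. Total is bound into every signature so a
// chain cut short is detected; the links alone would still verify after truncation.
type FirmwareChain struct {
	Total  int
	Blocks []SignedBlock
}

// GenerateVendorKey makes a fresh Ed25519 key pair for the example; a vendor's
// real signing key lives offline and only the public half goes into the bootloader.
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// blockDigest ties a block to its position, the image length in blocks and the
// previous block's signature; changing any of these breaks this block's
// signature and, through the chain, every later one.
func blockDigest(prevSig []byte, index, total int, data []byte) []byte {
	h := sha256.New()
	h.Write(prevSig)
	binary.Write(h, binary.BigEndian, uint32(index))
	binary.Write(h, binary.BigEndian, uint32(total))
	h.Write(data)
	return h.Sum(nil)
}

// SignFirmware is the vendor side: split the image into blocks and sign each
// block's digest, chained to the previous signature (empty for block 0).
func SignFirmware(priv ed25519.PrivateKey, image []byte) FirmwareChain {
	total := (len(image) + blockSize - 1) / blockSize
	chain := FirmwareChain{Total: total}
	prevSig := []byte{}
	for i := 0; i < total; i++ {
		end := (i + 1) * blockSize
		if end > len(image) {
			end = len(image)
		}
		data := image[i*blockSize : end]
		sig := ed25519.Sign(priv, blockDigest(prevSig, i, total, data))
		chain.Blocks = append(chain.Blocks, SignedBlock{Data: data, Sig: sig})
		prevSig = sig
	}
	return chain
}

// VerifyFirmware is the bootloader side: walk the chain one block at a time,
// keeping only the previous signature. A tampered, reordered, foreign or missing block fails.
func VerifyFirmware(pub ed25519.PublicKey, chain FirmwareChain) error {
	if chain.Total == 0 {
		return errors.New("empty image")
	}
	if len(chain.Blocks) != chain.Total {
		return fmt.Errorf("expected %d blocks, got %d", chain.Total, len(chain.Blocks))
	}
	prevSig := []byte{}
	for i, b := range chain.Blocks {
		if !ed25519.Verify(pub, blockDigest(prevSig, i, chain.Total, b.Data), b.Sig) {
			return fmt.Errorf("block %d: signature invalid", i)
		}
		prevSig = b.Sig
	}
	return nil
}

func main() {
	pub, priv := GenerateVendorKey()
	image := make([]byte, 4*blockSize+100) // constructed five-block image
	chain := SignFirmware(priv, image)
	fmt.Println("clean image:", VerifyFirmware(pub, chain))
	chain.Blocks[2].Data[0] ^= 0x01 // flip one bit in the third block
	fmt.Println("tampered image:", VerifyFirmware(pub, chain))
}
```

Binding the total block count into every signature is what makes a truncated image fail even though each remaining block's signature is individually valid; a verifier that checked only the chain links would accept it. The verifier also rejects an image with no blocks rather than treating it as trivially valid.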
We have designed OnlyKey to be as transparent as possible. You can load our firmware, review the source, or write your own firmware. Here are some of the features that allow you to validate that there is no backdoor and that no tampering has occurred.

1) Hardware - By having a clear coat on the electronics, you can actually see the hardware and would be able to see a hardware type of backdoor.

2) Open Source - OnlyKey firmware and apps are published on GitHub and are open to review by the security community.

3) Decentralized - Secret keys are generated by you and accessible only to you. Unlike our competitors, we believe in a decentralized model where you have the freedom to control and verify everything on the OnlyKey.

Yes, OnlyKey is supported by any device that would support a USB keyboard. More information here