Frequently Asked Questions
Just getting started with OnlyKey? Start here
OnlyKey is protected with a tamper-resistant and chemical-resistant compound that provides:
1) Durability - OnlyKey is crush and impact resistant, it stands up to abuse. You can carry it on your keychain, in your pocket, etc. Additionally, OnlyKey comes with color cases for additional durability and scratch resistance.
2) Waterproof - Accidentally leave your OnlyKey in your pocket and it goes through the washing machine? No problem.
3) Tamper-evident / Tamper-resistant - Attempts by an adversary to access the electronics inside of OnlyKey will create visible damage.
4) Transparency - The protective compound is clear so that it is possible to visually verify the electronic components (verify no hardware backdoor).
First it is important to understand how accounts are hacked as there are several ways and OnlyKey has unique features that prevent each type.

1) The site you use is breached (i.e. Yahoo, LinkedIn, Target, Anthem, Sony etc.)
If the site you use is breached the attacker may be able to get your password in a couple of ways.
a) They get a dump of all passwords in clear text.
b) They get a hashed dump of all passwords.

If a) then it does not matter how long or complex your password is they have got it.
If b) then the attacker has to crack the passwords and only the weak passwords will be obtained.

OnlyKey addresses b) by allowing users to set strong 32-character passwords that cannot be cracked by an attacker. And they are actually usable since you don't have to remember them: they are stored on your OnlyKey and typed out for you.

OnlyKey addresses a) by making two-factor authentication usable for users and compatible with the largest number of sites. If two-factor authentication is used then even if an attacker has your password they still can't access your account and you are protected.

2) The computer you use is hacked (you click on a malicious website or download malware accidentally)
If the computer you use is hacked and you use a software password manager like LastPass, Dashlane, or even KeePass, the attacker is in your computer and can see everything that you can see, including your passwords. This is scary considering that now, instead of just one account being compromised, a hacker has access to everything in one fell swoop. In fact, if this happens you would have been better off not using a password manager in the first place, as a hacker would have a more difficult time finding out what accounts you had.

If the computer you use is compromised the attacker may be able to get your passwords in a couple of ways.

a) They log all of your keyboard input (keylogger), or your clipboard if you are using a software password manager.
b) They wait until you unlock your software password manager like LastPass and download the entire database of passwords for all of your accounts.

OnlyKey addresses b) by storing everything offline. Essentially OnlyKey is secure by design so that you can only ever write or wipe passwords stored on the OnlyKey. If an attacker gains access to your computer there are no passwords stored there to steal. Even if your OnlyKey is plugged in and unlocked there is no way to download or copy information from the OnlyKey.

OnlyKey addresses a) by making two-factor authentication usable for users and compatible with the largest number of sites. If two-factor authentication is used then even if an attacker captures your password they still can't access your account without obtaining your one-time password. One time passwords used by Yubikey OTP are only valid once and Google Authenticator OTPs are only valid once and for a short period of time, usually 30 seconds.

3) Your cloud based password manager was compromised.
In this scenario you have chosen the convenience of having passwords accessible anywhere you go, with the security trade-off being that they are stored online in the cloud. The provider assures you that the accounts will never be hacked, but they missed something and now an attacker has access to every account you own. With OnlyKey you can store your most important accounts offline so that they are never susceptible to this type of attack.
The data stored on OnlyKey is encrypted with military grade encryption (AES-256-GCM) and most importantly is PIN protected.

What this means is that if you lose your OnlyKey it is essentially a brick without the PIN, nothing can be read from or written to it.

If an attacker tries to guess the PIN it will wipe all data after 10 failed attempts.

What about getting my accounts back? This is where the secure encrypted backup anywhere comes in. You can create encrypted backups anywhere by just holding the #1 button down on the OnlyKey. This means that only a physical person can initiate a backup (not malware) and it essentially types out the encrypted file so you can save it anywhere in a text file, email, etc.

To restore your data if you lose your OnlyKey, you can restore this backup to a new OnlyKey. Or, if you like to plan ahead, get a secondary OnlyKey and restore your backup to it so it is ready in case your primary is lost.

Read more about the technical physical hardware security and encrypted backup feature here.
Smart cards are commonly used to provide two-factor authentication and decryption/signing for things like email. Unfortunately, if the computer that a smart card is plugged into is compromised by an attacker, then the security of the smart card is compromised. All the attacker has to do is capture the keyboard input (keylogging) and they can capture the user's smart card PIN. With this PIN they can then authenticate to anything that the user has access to and also decrypt/sign emails as if the user had done so. With OnlyKey your PIN is entered on the 6-digit keypad located on the device itself, which does not in any way send this PIN to the connected computer. In this way the PIN entry is offline and inaccessible to an attacker who has compromised the connected computer.

In addition to PIN security, OnlyKey has functionality that smart cards do not, like password management and SSH login, and it is universally supported without the need for drivers to be installed. The OnlyKey is detected by the computer as a keyboard, so no middleware or special drivers are required. OnlyKey can literally be plugged in and used on a computer that you have never used before, and it works without installing anything.
There are a variety of hardware and software tokens out there. Some support U2F and others support Yubikey OTP and yet others support Google Authenticator (TOTP). Unfortunately for users not all websites support all of these. There is no standardization of two-factor support among websites so in order to log in using a token you often need multiple tokens and apps. OnlyKey set out to address this issue and make two-factor authentication usable by supporting the methods most commonly used by websites. Additionally, by combining this with password management we can provide users with a secure login with the touch of a button. A one touch login is the kind of user experience we think that users want and that is what OnlyKey is all about.
The International Travel Edition firmware is essentially a feature-limited version of the OnlyKey. It is a fully functional password manager but does not utilize encryption, and so may be usable in countries where encryption is banned/restricted. More information here.
The encryption-free version of the OnlyKey may be used in countries where encryption is banned. Additionally, the two editions enable the plausible deniability feature (see below).
Depending on what your wipe mode is set to, it either wipes all sensitive data (erases your usernames, passwords, keys, etc.) or, if you are using full wipe mode, it does a complete erase of the OnlyKey including sensitive data and all firmware (this requires reloading firmware).
Whenever you wish to wipe all sensitive data from the OnlyKey and restore it to a factory default state.
This activates a second profile that stores an additional 12 accounts. When setting up OnlyKey you choose the second profile type, which can be either standard or plausible deniability. The standard profile is a second profile with full functionality. The plausible deniability profile is designed to be indistinguishable from an OnlyKey with the International Travel Edition firmware, while actually running the OnlyKey Standard Edition firmware. The objective of this feature is to allow travel overseas to areas where devices using encryption might not be allowed or where it is mandatory to give up passwords/keys. More information here. For more information on encryption and international travel see https://www.princeton.edu/itsecurity/encryption/encryption-and-internatio/
Whenever you wish for your OnlyKey to appear to be a simple password manager that does not utilize encryption (typically for international travel) or if you want to be able to deny that the accounts in your primary profile exist. With an OnlyKey and a plausible deniability profile your device appears to be an OnlyKey with a single profile utilizing the International Travel Edition firmware.
Plausible deniability is only good if you are in a country where your worst-case scenario is that you will be fined for using encryption. If someone is holding a gun to your head or there is a risk of torture, plausible deniability is pretty much useless. For more information on why, see https://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis.

The firmware is signed in a blockchain fashion. As the OnlyKey is an embedded device, resources like memory are limited, so verification of a complete firmware file in one piece would not be possible on the device. However, blocks of firmware can be signed along with the signature of the previous block to create a chain that can be verified block by block by the OnlyKey bootloader. Additionally, firmware integrity is verified every time the device boots. In the event firmware verification fails, the device is wiped and signed firmware must be reloaded.
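As an added illustration (not OnlyKey's firmware format or code), the chained-block scheme described above: each block's signature also covers the previous block's signature, so a bootloader can verify a large image while holding only one block and one signature in memory. The 256-byte block size is assumed, and HMAC-SHA256 with a shared key stands in for the asymmetric signature a real bootloader would check against a public key.

```python
import hashlib
import hmac

# Assumptions for this constructed example (not OnlyKey's real format):
# fixed 256-byte blocks, and HMAC-SHA256 as a stand-in for the signature.
BLOCK_SIZE = 256
SIGNING_KEY = b"constructed-demo-key"
GENESIS = b"\x00" * 32  # chain value used before the first block


def sign_block(key: bytes, block: bytes, prev_sig: bytes) -> bytes:
    # The signature covers the block AND the previous signature, so blocks
    # cannot be reordered, dropped, or swapped in from another image.
    return hmac.new(key, prev_sig + block, hashlib.sha256).digest()


def sign_firmware(key: bytes, firmware: bytes) -> list[tuple[bytes, bytes]]:
    # Split the image into blocks and emit (block, signature) pairs in order.
    signed, prev_sig = [], GENESIS
    for off in range(0, len(firmware), BLOCK_SIZE):
        block = firmware[off:off + BLOCK_SIZE]
        sig = sign_block(key, block, prev_sig)
        signed.append((block, sig))
        prev_sig = sig
    return signed


def verify_firmware(key: bytes, signed: list[tuple[bytes, bytes]]) -> bool:
    # Bootloader-style streaming check: constant memory, one block at a time.
    prev_sig = GENESIS
    for block, sig in signed:
        if not hmac.compare_digest(sign_block(key, block, prev_sig), sig):
            return False  # the FAQ says a failed check leads to a wipe
        prev_sig = sig
    return True


def demo() -> tuple[bool, bool, bool]:
    firmware = bytes(range(256)) * 4 + b"tail"  # constructed 1028-byte image
    signed = sign_firmware(SIGNING_KEY, firmware)
    # Flip one byte inside the third block: that block's signature fails.
    block, sig = signed[2]
    tampered = signed[:2] + [(block[:5] + b"\xff" + block[6:], sig)] + signed[3:]
    # Drop the second block: the chain breaks at the block that follows it.
    dropped = signed[:1] + signed[2:]
    return (verify_firmware(SIGNING_KEY, signed),
            verify_firmware(SIGNING_KEY, tampered),
            verify_firmware(SIGNING_KEY, dropped))
```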
We have designed OnlyKey to be as transparent as possible. You can load our firmware, review the source, or write your own firmware. Here are some of the features that allow you to validate that there is no backdoor and that no tampering has occurred.

1) Hardware - By having a clear coat on the electronics you can actually see the hardware and would be able to spot a hardware backdoor.

2) Open Source - OnlyKey firmware and apps are published on Github and are open to review by the security community.

3) Decentralized - Secret keys are generated by you and accessible only to you. Unlike our competitors, we believe in a decentralized model where you have the freedom to control and verify everything on the OnlyKey.

Why is decentralized important?

Take a real world example like Lavabit: in May 2014 the owner of the service, Ladar Levison, abruptly shut down his secure email service after, it is speculated, he received a National Security Letter from the NSA. This service was centralized, so Ladar had the ability to see his customers' information. Ultimately, he decided to shut down his service rather than give up his customers: "I was forced to make a difficult decision: violate the rights of the American people and my global customers or shut down. I chose Freedom."

What is unknown is how many other companies have centralized technology and chose to not shut down and gave up their customers instead. All centralized security solutions have one thing in common, a single point of failure.

So what would happen if CryptoTrust received a similar letter?

We would comply with the order and at the same time 100% protect customers. This is possible because OnlyKey is a decentralized solution. We have zero knowledge of customers' sensitive data and we don't manage or store any keys. All of the keys are created by you, either by directly loading them onto the OnlyKey or by having them generated from random input.
It currently would not be possible to support all of the features of OnlyKey over NFC for various technical reasons. We may consider an add-on in the future to provide basic NFC 2FA. Luckily, NFC is not required for most mobile apps, as there are many alternative ways of authenticating such as time-based OTPs, backup codes, and SMS. These methods can be used once to set up a phone, as mobile apps typically remain trusted after the first login. After the apps are set up, the alternative methods of 2FA may be disabled so that only stronger methods such as FIDO U2F and time-based OTPs are allowed for future logins using OnlyKey.
USB C, while it definitely has its advantages and on paper looks like a great option, also has a lot of disadvantages and issues to consider.

1) Connector Strength - OnlyKey has physical security provided by requiring a PIN to be entered in order to use it. This makes OnlyKey a much more secure option than devices with no physical protection, but it also requires that the USB connector is fairly durable and strong. USB C connectors/receptacles are smaller, not very durable, and more prone to breaking from, say, the stress of pressing on a plugged-in device to enter a PIN. The way to resolve this issue would be to have a flexible USB C connector attached to OnlyKey. While this is possible, it would be more expensive to produce and would only be slightly more compact than just using a USB C adapter connected to the current OnlyKey. For this reason we provide USB C support via a USB C adapter, as this method also provides backwards compatibility with the majority of systems in use that do not support USB C.

2) Universal Support - Currently, USB A is more widely supported and universal than USB C and it likely will be 5 - 10 years before the majority of devices out there do not support USB A. There is also inconsistency in the industry as the newest MacBook only supports USB C and the newest Microsoft Surface only supports USB A. Dongles and adapters are currently unavoidable.

3) Connector Complexity/Durability - USB C connectors contain 24 tiny connections while USB A contains 4 large connections. Additionally, the USB A connector on OnlyKey is a flat surface while USB C is not. With the current USB A the device is waterproof: you could go swimming, wipe your OnlyKey dry and it's good to go. This is not the case with USB C, as water can reside inside the connector where it's not easy to dry, and plugging in a wet electrical connector is a bad idea. The complexity of USB C is great for things like supporting a 4K monitor that requires an incredible amount of data transfer, but for OnlyKey it is just a disadvantage, as there is no need for high-speed data at all.
For more information on mobile adapters including USB C, Micro USB, and iPhone Lightning, see below under "Is OnlyKey supported on Android and iPhone".
OnlyKey is supported by any device that supports a USB keyboard. This includes Android devices and even the iPhone 7 using a USB OTG adapter.
Phone Model                                  | Supported                                                                   | Required Adapter
iPhone/iPad (iOS 9.2+) with Lightning port   | Password manager and Yubikey OTP                                            | Lightning to USB OTG Adapter (available here)
Android with USB Micro port                  | Password manager and Yubikey OTP (FIDO U2F, TOTP, and OpenPGP with OnlyKey App) | USB Micro OTG w/ Key chain Adapter (available here)
Android with USB C port                      | Password manager and Yubikey OTP (FIDO U2F, TOTP, and OpenPGP with OnlyKey App) | USB C OTG Adapter (available here)