OnlyKey User's Guide

The OnlyKey user's guide provides step-by-step instructions for configuring and using OnlyKey.

Start Here - Unpacking OnlyKey

Step 1. Remove the OnlyKey and the metal quick-connect keychain from packaging.

Step 2. Attach the quick-connect to the OnlyKey, the other end of the quick-connect can be attached to your keyring.

Step 3. (Optional) Check out OnlyKey accessories - color cases, mobile adapter (USB-C, Lightning), business workstation.

Proceed to setup below

Setting up OnlyKey

There are two options for setting up your OnlyKey.

OnlyKey Quick Setup (No app required, 1-3 minute setup time)

Pro Tip: Prefer a how-to video? Watch one here that demonstrates setting up a new OnlyKey with Quick Setup

How-To: Setting up OnlyKey with Quick Setup

OnlyKey Setup Using OnlyKey App (App install required, 5-10 minute setup time)

Pro Tip: Prefer a how-to video? Watch one here that demonstrates setting up a new OnlyKey using the OnlyKey App

OnlyKey Quick Setup

Important: Quick setup is the quickest way to set up a new OnlyKey and there are no apps required. However, a computer with a US layout keyboard is required and to take advantage of many of the OnlyKey features the OnlyKey app is required.

To complete OnlyKey quick setup follow the instructions below:

Open a text editor such as notepad on a trusted computer
Click inside the text editor
Insert OnlyKey into the USB port on your computer
Hold button #3 on your OnlyKey down for 5+ seconds and then release

OnlyKey will type out instructions for you to follow into the text editor. Follow these instructions to set PINs on OnlyKey and a backup passphrase. You can choose to have OnlyKey automatically generate random PINs or set PINs yourself. When setting a PIN keep in mind that remembering a pattern may be easier than remembering numbers.

When you are complete the quick setup you will see the text ‘SETUP COMPLETE, DELETE THIS TEXT’
Make sure you have carefully written down your PINs and backup passphrase and store this in a secure location
When finished enter your PIN onto OnlyKey to start using your new device, OnlyKey is ready for use as a security key (FIDO2/U2F) and for challenge-response

To use OnlyKey for password management, file encryption, and other two factor authentication methods use the steps below to install the OnlyKey app.

Install OnlyKey Desktop App

Step 1. Download installer

macOS

Windows

Linux

Note: Linux users, if a UDEV rule has not been created previously follow the following instructions here, additionally the OnlyKey app may now be installed via snapcraft - Linux Guide

Chrome OS / Chrome App

Step 2. Install and launch the app.

Pro Tip: You can ensure the integrity of your downloaded file by verifying the checksum.
macOS SHA 256 CHECKSUM: 38a20e11e0a3219c874b55c9f41d809c426296041c297e2c3e717ebd35403a25
Windows SHA 256 CHECKSUM: 7145b5fddc125b9dd60dc6de261b6ecd0adbdb136caa06274e4c77d461abc3f4
Linux SHA 256 CHECKSUM: 10611139e7cb601e49453dd9297aa8be767956c8ff37ebebeae1ac9076008e63
Linux App GPG Public Key A1D6 4A3B 496C B0F3 6E12 B46F 9A9F 520D 44EA 53D1

Pro Tip: As you use the OnlyKey app you can hover over icons for tooltips and click on icon’s to browse to that topic in the documentation

Proceed to OnlyKey setup below

OnlyKey Setup Using OnlyKey App

If you have already setup OnlyKey using quick setup proceed to Account Setup

Step 1. Insert OnlyKey and select [Next] to get started.

Pro Tip: Before setting a PIN

You may find it easier to remember a pattern rather than a 7 - 10 digit PIN. Kind of like patterns used to unlock a phone lock screen:

Step 2. Enter a PIN code on the OnlyKey Keypad, check the disclaimer box, and select [Next].

Step 3. Re-enter PIN code, and select [Next].

Step 4. Enter a PIN code for second profile, check the disclaimer box, and select [Next].

Step 5. If you wish to set a self-destruct PIN enter a PIN code, check the disclaimer box, and select [Next].

Step 6. Re-enter PIN code, and select [Next].

Step 7. Follow the instructions to enter a Backup Passphrase and select [Next].

Step 8. If you have an OnlyKey backup to restore, select [Choose File] and select your OnlyKey backup file and then select [Next] to load it onto your OnlyKey. If you do not have a backup just select [Next] to complete the setup.

Your device is now set up and will automatically reboot. You will be prompted to enter your PIN from now on when using the OnlyKey.

Pro Tip: Forget your PIN?

If you lose or forget your PIN then a factory default must be completed on your OnlyKey before you can set a new PIN. This wipes all of your sensitive information and allows you to go through the Setup again to configure a new OnlyKey PIN. To perform a factory default you have two options:

Method #1 - Enter your self-destruct PIN.

Method #2 - Enter 10 incorrect PINs. You will notice that after entering 3 incorrect PINs your OnlyKey is steadily blinking red. This is an intentional safeguard so that your OnlyKey will not be inadvertently wiped by repeatedly pressing buttons. You must remove and reinsert your OnlyKey and enter 3 more incorrect PINs. Repeat this until 10 incorrect PINs have been entered. The device will then have a solid green light on that indicates that it is ready to set up.

If you want to learn more about features like Self-Destruct and Plausible Deniability see OnlyKey Features.

Proceed to setup accounts below

Setting up accounts

Pro Tip: Set aside some time to set up accounts as this can be time consuming the first time you set it up. After you configure your profiles once you won’t have to do this again unless you add a new account. Think of all the time you will save not having to remember and type usernames, passwords, and getting your phone out to type codes etc. This is a huge time saver in the long run.

Prefer a how-to video? Watch one here that demonstrates setting up a new OnlyKey

How-To: Setup Accounts and Customize OnlyKey Preferences

Configure Basic Login Info

Enter your PIN - After setup you are prompted to enter the PIN you set onto your OnlyKey six button keypad.

Now that your OnlyKey is unlocked you see this screen.

All About Slots

The Slots area of the application is where you will set up things like your usernames, passwords, and 2 factor. As you can see the word ‘‘empty’’ is shown 12 times next to a button with a number and a letter. Each of these buttons refer to one of the slots on your OnlyKey.

What are slots? On the OnlyKey you have 6 buttons and 12 available slots in each profile. Each slot can be set with a Label, URL, Username, Password, and two-factor authentication. Each slot is assigned to a button on your OnlyKey. So for example if you were to save your Google password to slot 1a, then to type out your Google password you would tap button 1 on your OnlyKey for less than one second (Slot 1a). If you were to save your Yahoo password to slot 1b, then to type out your Yahoo password you would hold button 1 on your OnlyKey for more than one second (Slot 1b).

Each button has two slots assigned to it that can be activated by holding the button for less than or more than one second.

The slots that have not been configured have no label so they are shown as ‘‘empty’’. Next, let’s set a label to slot 1a.

Set a Label

Step 1. Click the 1a button in the OnlyKey app and see the Slot 1a Configuration

Step 2. Enter a label such as Gmail in the Label field, check the box next to Label, and click Submit.

Now the label you entered is assigned to slot 1a. Slot labels are helpful if you forget which button is assigned to which account you can open the OnlyKey app at any time to see how it is set up.

OnlyKey On-The-Go

What if I am using a computer without the OnlyKey app?

Open a text editor and then hold down the 2 button on OnlyKey for 5+ seconds. OnlyKey will type out your slot labels which may look something like this:

1a Google
2a Bank
3a Email
4a VPN
5a School
6a U2F
1b Amazon
2b Dropbox
3b
4b
5b
6b Lastpass

Since OnlyKey types out this information this method works on all computers and even mobile devices.

Another low tech option is to write your labels on a card/paper and carry this in your wallet.

Important: Obviously, no sensitive information should be written on card/paper or saved to your slot labels. Just something that helps you remember which account is assigned there.

Find out more about mobile support on-the-go?

Find out more about TOTP support on-the-go?

Next, let’s assign a username and password to slot 1a.

Set up a Slot

The example configuration shown below would be to set up a username and password to automatically login to the Google page shown below.

Step 1. To configure OnlyKey to log into the example Google page, Click the 1a button in the OnlyKey app, click the checkboxes and enter values as shown:

Step 2. Click submit to save the configuration to OnlyKey:

Now the configuration is saved and shows up in the OnlyKey app as ‘‘Google 1’‘

Note: Since not all Login pages are the same OnlyKey has options like tab (use to go to the next field) and Return (submit). These essentially press either the tab or return key so if you are unsure of how to set up your OnlyKey configuration try logging into your login page first by using just your keyboard. For the example above you would do this by entering your username, pressing the Return/Enter key, on the next page entering your password and then pressing the Return/Enter key to complete your login.

Before testing a configuration in your web browser it is a good idea to try it out in a text editor like notepad, just to make sure it looks right. The last thing you want is to find that you accidentally are typing your password out in the wrong field and now have to change the password.

If you need OnlyKey to fill a custom form that does not fit into the template? i.e. You need to perform the following:

Enter the Username
Press TAB
Press RETURN
Enter the password
Press TAB
Press RETURN

You can enter ‘ \t’ or ‘ \r’ inline with slot data to type the extra TAB or Return.
i.e.

Where in the password field the value is set to:
```
 \r password \t  \r
```
You can chain together multiple ‘ \t’ or ‘ \r’ in the fields. Its one space to start and one space to end so if your chaining together multiple tabs it would have a double space in between like:
```
 \t  \t  \t  \t  \t password \r
```
To do even more like press special keys such as Ctrl-Alt-Del OnlyKey has a special mode that enables filling virtually any form or login. See Sysadmin Mode for more details.

Test a Slot

Once you set your desired account information to a slot then try it out by going to the login page, clicking in the login field, and pressing the corresponding button on the OnlyKey.

Common issues:

The password is entered before page loads.
- Set the delay, usually 2-3 seconds works well but this may not be enough time for slow web pages or slow internet connections.
There is a Captcha required sometimes after password
- You can either set the delay to a high value like 8 - 9 seconds to give yourself time to enter this or select None. Selecting None means that the password is entered but not submitted so you have time to enter additional information.
Everything works fine but I really wish it typed faster.
- You can adjust the type speed in preferences.

As mentioned earlier, login pages can be different between sites and sometimes even different on the same site. For the second example we will set up another Google login, this one for a Google account where the username is already saved to the website so all you need to do is enter a password. This is the default when you have already logged into Google in the past on a computer.

Additionally, by using the URL field we can have the OnlyKey type the login page URL into the browser and browse to the login page (in this case accounts.google.com). This way a one-touch login is possible. Just select the empty URL field in the browser and the URL is automatically typed out and Return is pressed to browse to the site. Once on the site the password is entered and the login is complete.

Pro Tip: Using the URL field provides protection against spear phishing attacks as this provides assurance that the site you are entering your password into is the legitimate site. For example, if you receive an email asking you to log into your account to verify something instead of clicking the link in the email to login you would use OnlyKey to browse to the correct site to login.
Need a URL longer than 56 characters? Try using a URL shortner like Bit.ly

The example configuration shown below would be to set up a URL and password to automatically login to the Google page shown below. Notice that the username is already remembered by the website, so there is not a need to set this in the OnlyKey slot.

These examples illustrate how to use OnlyKey in two real world scenarios. A key takeaway here is that you can configure OnlyKey to automatically do what you would normally do manually. Any combination of the fields shown in the slot configuration may be used or not used to fit login format.

The table below shows how to configure some common login forms that at first may seem problematic.

Login Format	Configuration
Site that does not automatically select username field after loading page (i.e.Kracken).	With URL - You will notice that "Tab before UserName" is checked. This will select the username field as it is not automatically selected when the page loads. Without URL - Browse to the login page first and place cursor in the username field before selecting the assigned OnlyKey button.
Site where username is remembered after first login (i.e. Google).	Password and 2FA only - This is usually the best option if you remember your username/email address as this will work on any computer whether your username is remembered or not. This method does not include URL in case you are prompted for a password. Username Remembered w/URL - If you use your device mostly on a computer where you username is remembered this is a good option. If you use this configuration on a computer where username is not remembered then you must output of the login information into notepad and paste into login fields.
Site that does not automatically select OTP code field (i.e. Salesforce) After loading next page	You will notice that "Tab before OTP" is checked. This will select the OTP field as it is not automatically selected when the page loads.
Site where username and password is required first and then OTP code field appears below (i.e. IT Glue)

Important: NO WEAK PASSWORDS - While OnlyKey makes it possible for your accounts to be more secure than remembering passwords or than using a software password manager one thing to remember is that it is up to you to use strong passwords. If you set your password to something like ‘‘Summer2021!’’ this is not secure, in fact we recommend using randomly generated strong passwords that cannot be guessed or cracked by a hacker.

Generating a strong password is easy to do. Next, let’s use two different methods to generate strong uncrackable passwords.

Generate Strong Passwords Online

There are many websites that allow you to generate a secure random password such as passwordsgenerator.net and there are also tools built into many software password managers.

Password manager built into KeePassXC
Passwordsgenerator.net password generation tool available here
LastPass password generation tool available here

Generate Strong Password via Browser Extension

Install a browser extension by selecting add to Chrome the same way that you installed the OnlyKey app.

Chrome Extension available from the Chrome Web Store here.

Configure Two Factor Authentication (2FA)

Two-factor authentication (2FA) is essentially an extra step that is required during the login process that makes it so that even if your username and password are compromised an attacker cannot login to your account. It is called two-factor authentication, or sometimes also multifactor authentication, because more than one factor is required to login. Factors can be something you know like a password, something you are like a fingerprint or iris scan, or something you have like the OnlyKey. There are four different types of 2FA supported by OnlyKey. By supporting multiple modes of 2FA OnlyKey will work with most sites that support 2FA - http://www.dongleauth.info/

1) FIDO2 and FIDO Universal 2nd Factor Authentication (U2F) 2) OATH TOTP 3) Yubico® One-Time Password 4) Challenge-Response

OATH TOTP (Google Authenticator)

DISCLAIMER - Google® is the registered trademarks of Google Inc. OnlyKey is not associated with or sponsored by Google® Inc.

Pro Tip: If you are not a 2FA guru then this is the recommended method to use. Six digit codes will be typed automatically by OnlyKey.

Background Information

The way you would typically set this up without OnlyKey is to download an authenticator app to your smartphone. You would then enable TOTP MFA on a website and the website would provide you with a QR code that looks like this:

You would then take a picture of the QR code the website gives you in your authenticator app. The app then starts generating a 6 digit number that changes every 30 seconds that is required to be typed into the website login prompt in addition to your username and password.

This method of two-factor authentication has some notable advantages over using features like 2nd-step verification where a website will send you an SMS message with a code to enter to login. Now that the background is covered we can set this up on your OnlyKey. No phone or app required for setting this up on your OnlyKey but if you wish to maintain a backup of your two-factor authentication codes it may be a good idea to download the app and scan the QR code as a backup in case you lose your OnlyKey.

Step 1. Enable MFA (TOTP) on Website - If you are unsure if the website you want to setup supports TOTP check here. For example to do this for your Google Account you must first enable 2-Step Verification and then you select ‘‘SETUP’’ as shown below:

As you go through the steps you will be prompted to scan a QR code (Looks like a square bar code). You can go ahead and scan the QR code using your smartphone Authenticator app if you wish to create a backup and then select “CAN’T SCAN IT” as shown below:

Step 2. Copy and Paste Code into app - Selecting ‘‘CAN’T SCAN IT’’ will display the private code. Select this text and copy it as shown below:

Now open the OnlyKey App and unlock your OnlyKey. Select the Slot to configure and paste this code into the field located next to ‘‘Google Auth OTP’’ as shown below:

Once you click submit your OnlyKey is ready to generate OTPs.

Step 3. Generate OTP - Place your cursor in the ‘‘Enter code’’ field and press the button that corresponds to the slot that was set. In the example above we set slot 2a so we press the #2 button to generate the OTP.

Once your account has been verified you are all set. You can add a username and password to this slot so that you can do a one touch login. Keep in mind that the page may take a second or two to load where your 6 digit OTP is entered so set the delay accordingly, 4 - 5 seconds delay should work in most cases.

If you are looking for step-by-step guides on setting up other popular sites with 2FA check out the guides here. Just as with the steps mentioned above, instead of scanning the QR code with an app, click “CAN’T SCAN IT” to copy and paste the text into the Google Auth OTP field of the OnlyKey app.

To find out if a specific website is supported there is a full list of websites and wether or not they support 2FA here. To see if a certain site is supported see that there is a check next to “One Time Passwords (OTP)”

TOTP (Google Authenticator) On-The-Go

One requirement of TOTP (Time-based One-time Password) is having the correct time. If OnlyKey is used on a system where the OnlyKey app is not running it will type out “NOTSET” instead of the OTP code. Because OnlyKey has no battery it requires an app to send it the correct time to be able to generate TOTP codes. For this reason it is important to ensure the OnlyKey app is permitted to autostart.

However, OnlyKey TOTP will work on-the-go without the app running. All you have to do is browse to our web app https://apps.crp.to in Google Chrome or Firefox. This web app in addition to being used to send encrypted messages sets the current time on OnlyKey and login with TOTP will function as normal.

Yubico® One-Time Password

DISCLAIMER - Yubico® and Yubikey® are the registered trademarks of Yubico® AB. OnlyKey is not associated with or sponsored by Yubico® AB. Yubikey® OTP has been released by Yubico® as open source software with license found here

Pro Tip: The majority of Yubikey® OTP applications online require Yubicloud setup. See the Yubicloud setup section after setting up Yubico® OTP.

First download and install the Yubikey® personalization tools
Go into Yubico® OTP and select ‘‘Quick’’

Select the ‘‘Hide values’’ checkbox and select ‘‘Regenerate’’ to create a Public Identify, Private Identity, and Secret Key.

Copy and paste these into the corresponding fields in the OnlyKey App (Advanced Tab).

Select ‘‘Save to OnlyKey’’ to write these values to your OnlyKey
Now your OnlyKey is ready to function in Yubikey® OTP mode
Just select a slot that you wish to use with Yubikey® OTP mode by selecting the radio button and then selecting ‘‘Submit’’. The Yubikey® OTP will be generated when the corresponding button is pressed.

Important: Keep in mind that Yubico® OTP is a counter based authenticator so you can have only one authenticator set with the same values. If you provision multiple OnlyKeys or Yubikeys with the same values only one device will work. The majority of Yubikey® OTP applications online require Yubicloud setup. See the Yubicloud setup section after setting up Yubico® OTP.

Yubicloud (Not Officially Supported)

Some online services use Yubicloud for authentication. Yubicloud is owned by Yubico® and 3rd party devices are not supported so OnlyKey is not supported on Yubicloud. However, 3rd party devices will technically work with Yubicloud as long as you own an actual Yubikey®.

The following instructions show you how to set up a 3rd party device on Yubicloud. This is for your information only and we do not recommend setting up a 3rd party device on Yubicloud. If you choose to follow this information to set up a 3rd party device on Yubicloud you choose to do so against our recommendations and at your own risk.

Step 1. Download and install the Yubikey® personalization tools

Step 2. Go into Yubico® OTP and select ‘‘Quick’’

Step 3. Insert Yubikey®, select a configuration slot, and click ‘‘Write configuration’’ button

Step 4. Set the values shown in the Public Identity, Private Identity, and Secret Key to your OnlyKey.

Step 5. Once this is complete select ‘‘Upload to Yubico®’’

Step 6. This will open a web browser, to complete the registration enter the OTP in the ‘‘OTP from the Yubikey®’’ field by pressing the button on your OnlyKey.

Step 7. Once the form is complete enter the Captcha and select Upload AES key.

Step 8. Now you can test your OTP generated by OnlyKey on the site https://demo.yubico.com/otp/verify

Pro Tip: Keep in mind that once you write this configuration to OnlyKey you can no longer use a Yubikey with the same configuration. Attempting to do this causes one of the devices to be out of sync.

Security Key - FIDO2, FIDO U2F, and WebAuthn

The terminology for security keys can be a bit confusing so here are some quick definitions to make sense of it.

When websites use the term security key they typically are referring to one of these:

Universal 2nd Factor (FIDO U2F) - Security key is used just as a 2nd factor along with your password.
FIDO2 - A replacement for FIDO U2F released in 2019, security key may be used as a 2nd factor along with your password or may be used as a passwordless security key on supported applications. Passwordless authentication allows logging in with just a security key and a PIN code.

The term WebAuthn is sometimes used instead of FIDO2, essentially WebAuthn is the web browser standard and is part of the larger FIDO2 project.

OnlyKey works just like any other FIDO2 or FIDO U2F token. The first step to use a security key is to register the key and then once registered you can login to that site with the key.

To use OnlyKey as a security key follow the instructions given by the website where you wish to register OnlyKey. When using Onlykey as a security key you will see the light flash blue, press any button on the OnlyKey to register or login to a site.

Pro Tip: If I press an OnlyKey button where a password is already assigned won’t OnlyKey type out my password? No, while OnlyKey is flashing blue it will not type out any information, OnlyKey also has a 2 second cool off period to ensure this does not happen accidentally. While you can press any button, some user’s may prefer to always press the button of unused slot for FIDO authentication. For example, keep slot 6a unused and always press OnlyKey button 6 for FIDO authentication.

Security Key Advanced

As mentioned above, FIDO U2F works as a 2nd factor and is supported for an unlimited number of sites. FIDO2 has some additional options such as resident credentials and extensions that are not yet supported by most sites or applications.

FIDO2 Resident Credentials

With resident credentials you can create a smoother, username-less login experience by saving some of the user data on the security key. To try it out we recommend using https://www.passwordless.dev/usernameless. As shown on the site not all browsers support this feature:

One drawback of resident credentials is that physical devices have limited storage. OnlyKey stores up to 12 resident credentials. In the event this fills up resident credentials can be managed and removed with the OnlyKey CLI

FIDO2 Extensions

FIDO2 allows support of extensions such as the HMAC SHA1 extension for challenge-response which is supported by OnlyKey.

One Touch Login

No setup is required to use OnlyKey as a security key. However, one touch login may be configured to both enter credentials and perform FIDO U2F login with one button press by setting the following:

Step 1. Select a slot that you wish to use with U2F mode by selecting the radio button and then selecting ‘‘Submit’’.

Step 2. Go to the website that you wish to register a new security token and when you select to register a token you will notice the OnlyKey light flashing blue, on and off. Press the button corresponding to the slot you set to U2F in step 1 to register token.

Step 3. Once registered, your token can be used to authenticate by pressing the button. You can also add username and password to this slot to have a one touch login.

Pro Tip: There are two ways to use FIDO U2F on OnlyKey:

1) Press any button when OnlyKey flashes blue to register/login (no set up required)

2) One Touch Login. i.e. Set slot 1a as Dropbox login and include URL, Username, Password, and U2F all in one profile like this:
U2F Example

Now you can register your security key by pressing button 1. But won’t it type out my information while registering? No, while your device is flashing blue you can press the button to register and typing is disabled. Once your security key is registered you can log out and now you have a one touch login configured:
- Automatically type out and browse to login page (https://www.dropbox.com/login).
- Three second delay ensures login page has time to load, this can be increased if using slow internet connections.
- Username and password are entered in login field.
- Two second delay ensures security key page has time to load.
- U2F authentication completes automatically.

Challenge-Response

Challenge response is a form of authentication where an application sends a unique challenge and OnlyKey sends back an HMACSHA1 response. This response may be used for things like encryption of data which is used by software such as KeePassXC. OnlyKey flashes yellow when a challenge is received and user presses any button on OnlyKey to authorize the response. OnlyKey supports customizable “HMAC User Input Mode” which allows the user to select if button press is required for challenge-response.

By default, no setup is required for challenge-response as OnlyKey has random HMAC key set by default and two available HMAC slots.

Advanced

Challenge-response is compatible with Yubikey devices. This permits OnlyKey and Yubikey to be used interchangeably for challenge-response with supported applications. In order to use OnlyKey and Yubikey interchangeably both must have the same HMAC key set. To set HMAC key on YubiKey we recommend using the Yubikey Personalization Tool.

For example, a random secret key may be generated and loaded into slots 1 and 2 on Yubikey:

The same secret key may be loaded into HMAC slots 1 and 2 using the OnlyKey App. Make sure to pad the end with 0s like this: You will see a success message in the app “Last message received: Successfully set” indicating it loaded successfully

This may also be loaded into slots 1 (130 in CLI) and 2 (129 in CLI) using the OnlyKey CLI.

Setting the same HMAC key (40 characters, 20 bytes hex) allows OnlyKey/Yubikey devices to generate the same responses and be used interchangeably.

Using OnlyKey With A Software Password Manager

OnlyKey stores up to 24 unique accounts in offline storage and can be used to secure an unlimited number of accounts if used in conjunction with a software password manager. For example, set one of the OnlyKey slots to KeePassXC, Dashlane, Google (Smart Lock), Lastpass, etc. enable 2-factor on this slot and then use your OnlyKey to unlock your software password manager. This way you can keep your most valuable accounts in offline secure hardware and everything else in the software password manager.

There are two types of software password managers:

Online Password Managers - Less secure but more convenient because passwords sync automatically between devices
- LastPass
- Dashlane
- Bitwarden
- 1Password
Offline Password Managers - More secure but less convenient because passwords don’t sync automatically
- KeePassXC
- KeePass
- Password Safe

KeePassXC

What’s great about KeePassXC:

Its 100% open source (verifiable security)
Its cross platform, supports Windows, Linux, Mac (in contrast to KeePass which is for Windows)
Its offline, no passwords in the cloud
We collaborated with the KeePassXC team to develop a custom integration with OnlyKey that provides a major security benefit

Starting with the 2.5.0 release of KeePassXC you can use OnlyKey in challenge-response mode to secure your KeePassXC password database.

Windows Install

Download and install KeePassXC from https://keepassxc.org/download/#windows

macOS Install

Download and install KeePassXC from https://keepassxc.org/download/#mac
An additional step is required in macOS 10.15 Catalina
- Go to Settings -> Security & Privacy -> Input Monitoring
- Unlock and click the +
- Select KeePassXC and click open

This additional step is required so that KeePassXC has permission to access your OnlyKey

Linux Install

Download and install KeePassXC from https://keepassxc.org/download/#linux

KeePassXC Setup

You can either import passwords to a create a new KeePassXC database by going to Database -> Import, or create a new empty KeePassXC database by selecting “Create a new KeePassXC database”

Pro Tip: Not sure how to export the passwords from your old password manager?
- Chrome/Brave - Go to Settings -> Passwords -> click … and select Export passwords

Give your Password database a name and continue
Select continue again to keep default encryption settings
Enter a master password for your password database, click the dice to randomly generate one
(Optional) Copy the master password and save it to one of your OnlyKey slots using the OnlyKey app
Select “Add additional protection”
Select “Add YubiKey Challenge-Response”
OnlyKey will show in the list of devices, select slot1 or slot2 and click done
OnlyKey will flash yellow, press any button, if importing OnlyKey may flash yellow several times, press any button when it does this to complete import
Congrats! You now have a new password database

Warning: Remember to securely delete your exported password file after you have imported it into KeePassXC

KeePassXC Settings/Sync

Click on the wrench icon in KeePassXC to customize settings
To enable browser integration (where KeePassXC can autofill account information in browser) click the Browser Integration icon, check the Enable browser integration checkbox, and select the browsers to enable
Install the KeePassXC Browser plugin https://keepassxc.org/docs/keepassxc-browser-migration/
To enable the SSH Agent click the SSH Agent icon and check the Enable SSH Agent checkbox. With this feature enabled your OnlyKey will be required to SSH.

KeePassXC Cloud Sync While your KeePassXC database is encrypted and can be synced to multiple devices by copying it to cloud drive a better option that we recommend is to use Cryptomator.

Download and install Cryptomator
Create a vault inside of your cloud drive synced folder (i.e. Onedrive, Google Drive, etc)
You can optionally store the vault password in one of your OnlyKey slots
Move your KeePassXC kbdx file to your Cryptomator vault
Congrats! You now can access your new password database from any computer with Internet access, Cryptomator, and your OnlyKey.

Pro Tip: So now your passwords are very secure, but you need to make sure they aren’t so secure that you lock yourself out. Create a backup of both your KeePassXC database and your OnlyKey and keep it somewhere safe, like in an actual safe. If you don’t keep your Cryptomator password and KeePassXC password on your OnlyKey make sure you have a backup of those as well. Be sure to keep your OnlyKey backup passphrase in a safe location too in case you forget.

What is needed to use the challenge-response feature? No setup is required, OnlyKey generates a private key for HMACSHA1 automatically when the device is first configured. After creating the KeePassXC database you will be prompted to press any button on OnlyKey (flashes yellow) to unlock your KeePassXC database. Additionally, since OnlyKey also stores static passwords you can use OnlyKey to store your KeePassXC master password in one of the available slots.

What is challenge-response? Your passwords are stored in an encrypted Keepass container, in addition to requiring a master password to decrypt, a response (HMAC SHA1) from OnlyKey is required. The OnlyKey flashes yellow and you must press a button on OnlyKey. By requiring a master password and an OnlyKey, your accounts are protected by two layers of security. This solution is more secure than software password managers that only rely on a master password. Here is a threat model explaining why -

In order to unlock your KeePassXC database a hacker would need four things:

Access to your computer (where the KeePass database resides)
Physical access to your OnlyKey
Know your OnlyKey PIN
Know your master password

LastPass

LastPass supports both Google Authenticator and Yubico® OTP. Google Authenticator is supported in the free version of LastPass and Yubico® OTP is supported in the premium version of LastPass.

To protect LastPass account with Google Authenticator 2FA follow the steps below.

Step 1. Go into Account settings-> Multi-factor Options and select the edit button in the Google Authenticator column.

Step 2. Change to enabled and select View button next to Private Key

Step 3. You will be prompted to enter your master password and then the key is displayed.

Step 4. Copy and paste the key into the Google Auth OTP field of the OnlyKey app for the slot that you want to set up.

Step 5. Make sure to check the radio button next to Google Auth OTP and select Submit.

Step 6. Go back to the LastPass app and select Update. You will be prompted for your password again and then your current verification code. Click inside the verification code box and press the button assigned to the slot you set up on your OnlyKey to type out the verification code.

DashLane

DashLane supports Google Authenticator, Yubico® OTP, and Security Keys. The security key (FIDO2 / U2F) option is the most secure option.

Google SmartLock

SmartLock is a password manager that is available in Google Chrome, it supports Google Authenticator and Security Keys. The security key (FIDO2 / U2F) option is the most secure option.

OpenPGP File Encryption

OnlyKey is OpenPGP compatible and the worlds first plug and play encryption device. It is universally supported and does not require special software or drivers. There are two ways to use OnlyKey with OpenPGP.

1) OnlyKey WebCrypt - Provides a way to securely use OnlyKey for OpenPGP in the browser. The Webcrypt app loads everything necessary to encrypt messages and files directly in the local browser without the need to send messages or files over the Internet. Data between OnlyKey and the local browser is end-to-end encrypted. This provides encryption everywhere on-the-go and supports macOS, Windows, Linux, Chrome OS, Android, and iPhone (Safari on iOS 13.3+). More information on mobile support here. 2) OnlyKey GPG Agent - Provides a way to securely use OnlyKey for OpenPGP on a local computer. Instead of keeping keys on a computer, OnlyKey generates and securely stores your keys off of the computer and you can still easily use GPG to do things like sign emails, git commits, software packages etc.

Pro Tip: Watch a video here that demonstrates using OnlyKey WebCrypt for file encryption

How-To: Use OnlyKey WebCrypt for file encryption

Note: Private keys are securely stored on OnlyKey and are not accessible to the app or to the browser. This is in contrast to for example PGP/GPG software, webmail (i.e. Protonmail), and smartphone apps. Additionally, physical user presence is required to process secure messages/files. This is in contrast to Smart Cards which only require a PIN code that can be captured and replayed without physical user presence.

How WebCrypt works

Step 1. Find a Keybase User - The first step in sending a secure message or file is to identify who to send it to. Browse to https://apps.crp.to/search to use our custom Keybase search tool to search Keybase users by:
- Twitter, Github, Reddit, or Hackernews Usernames
- Web domains
- PGP fingerprint
- Or Automatically search for best match

Step 2. Send a user encrypted message or file - Click the link in the search results to send the selected user encrypted message/file. You can also browse to https://apps.crp.to/encrypt to send a secure message or browse to https://apps.crp.to/encrypt-file to send a secure file if you already know the recipient. To encrypt files for yourself just use your Keybase username as the recipient.

Step 3. Receive an encrypted message or file - To decrypt a message or file browse to https://apps.crp.to/decrypt or https://apps.crp.to/decrypt-file.

Pro Tip: You can receive encrypted messages and files from anyone, no tech skills are required!

Receiving encrypted files is as easy as putting a custom link in your email signature:

Bob Smith
Email: [email protected]
Phone: 111.222.3333
Send me a secure message or file
More info

- Link the text ‘message’ to: https://apps.crp.to/app/encrypt?type=e&recipients=bobsmith2

- Link the text ‘file’ to: https://apps.crp.to/app/encrypt-file?type=e&recipients=bobsmith2

- Change bobsmith2 in the link to your Keybase user name

- Add a ‘More info’ link to: https://onlykey.io/pages/webcrypt
This link provides information to let your sender know what WebCrypt is, why it’s secure, and includes a quick 30 second video that will shows how to use it.

Preferences

OnlyKey has several customizable preferences that can be accessed from the preferences tab of the configuration app.

Configurable Inactivity Lockout Period

This is the amount of time that the OnlyKey should remain unlocked while not being used. The default value is 30 minutes and the maximum is 255 minutes (about 4 hours). To disable lockout altogether set the lockout to 0.

Configurable Keyboard Type Speed

Setting a custom type speed may be desirable in cases where the application you are using can not keep up with fast typing. Or if you don’t use any applications with type speed restrictions you can have the text typed at top speed for the fastest logins. Setting value to 1 will result in very slow type speed of about one character a second, setting value to 10 will result in very fast type speed that will type almost instantly.

Configurable Keyboard Layouts

You can change your keyboard layout on the fly through the OnlyKey app preferences. Traveling to France from the US? No problem just set the OnlyKey keyboard to French and change it back to US when you return. Here are the options supported for international keyboards:

US_ENGLISH
CANADIAN_FRENCH
CANADIAN_MULTILINGUAL
FINNISH
FRENCH
FRENCH_BELGIAN
FRENCH_SWISS
GERMAN
GERMAN_MAC
GERMAN_SWISS
ICELANDIC
IRISH
ITALIAN
NORWEGIAN
PORTUGUESE
PORTUGUESE_BRAZILIAN
SPANISH
SPANISH_LATIN_AMERICA
SWEDISH
TURKISH
UNITED_KINGDOM
US_INTERNATIONAL
CZECH
SERBIAN_LATIN_ONLY

Note: These additional keyboard layouts are available but cannot currently be set using the OnlyKey app. To set these keyboard layouts use the OnlyKey CLI here.

DANISH MAC
HUNGARIAN
US_DVORAK

Derived Key User Input Mode

OnlyKey supports automatic generation of keys that may be used for SSH and PGP/GPG with the OnlyKey Agent.

The default setting is “Challenge Code Required” which requires a 3 digit challenge code to be entered on OnlyKey to perform SSH or PGP/GPG operation. This is great for security but for some users a more convenient approach may be preferred. With “Button Press Required”, a physical press on any key is all that is required to perform the operation.

Stored Key User Input Mode

OnlyKey supports import of existing OpenPGP keys using the OnlyKey app. These keys once imported are securely stored in OnlyKey hardware and may be used to perform SSH or PGP/GPG operations with the OnlyKey Agent or in the browser with the OnlyKey WebCrypt.

By default, you must enter a 3 digit challenge code on OnlyKey to perform SSH or PGP/GPG operation. If a more convenient approach is preferred “Button Press Required” may be set so that a physical press on any key is all that is required.

HMAC Mode

OnlyKey supports HMAC challenge-response. By default, user input (button press) is required on OnlyKey to perform HMAC operation. For some use cases such as full-disk encryption no button press may be preferred. With “Button Press Not Required”, HMAC challenge-response operations may be performed without user interaction.

Backup Key Mode

You can change your backup key/passphrase at any time by entering your PIN to put the device in config mode. By setting backup key mode to locked, the backup key/passphrase may not be changed. This setting provides extra security so that even if an adversary has your PIN and has physical access to your device they would not be able to backup and restore your data.

Configurable Wipe Mode

Setting wipe mode to “Full Wipe” ensures that not only is your sensitive data wiped when a factory default occurs but also the firmware is wiped. This ensures that no data or meta data such as what version of firmware you had would be accessible to an adversary that steals or otherwise obtains a user’s OnlyKey and then performs a factory default. The tradeoff of setting wipe mode to full wipe is that this cannot be changed once set and when a factory default occurs the firmware must be reloaded using the firmware upgrade guide. For user’s desiring the highest level of security we recommend enabling full wipe.

Sysadmin Mode

By default, OnlyKey may only type regular keyboard characters, TAB, and RETURN. This is useful for entering usernames, passwords, etc. For more advanced use cases such as for system administrators it may be helpful to utilize modifier keys to save time while entering common keystrokes such as CTRL-ALT-DEL, and then entering a username/password. With “Sysadmin Mode” set this permits the use of the following modifier and additional keys to be stored and typed by OnlyKey:

Ctrl (\c)
Shift (\s)
Alt (\a)
Windows (PC) or Clover (Mac) (\g)
Tab (\t)
Return (\r)
Printscreen (\p)
Home (\h)
Page Up (\u)
Page Down (\o)
End (\e)
Delete (\d)
Backspace (\b)
Arrow-Up (\U)
Arrow-Down (\D)
Arrow-Left (\L)
Arrow-Right (\R)
Escape (\E)
Delay (#) # is number of seconds to wait

Important: Once you enable this feature you will no longer be able to set slot values without first putting OnlyKey into config mode. This adds an extra layer of security for system administrators.

Once enabled, this can be used like this:

i.e. To press Ctrl-Alt-Del, release Ctrl-Alt-Del, delay 3 seconds, press TAB, enter username, and enter password:

 \c\a\d  \3 USERNAME \t PASSWORD

Notice that a space followed by the ‘' character is used to begin “ \c\a\d “ and one space is used to end (resets modifier keys). To use one space to start and one to end for multiple actions there will be two spaces in between actions. Here are some other common examples:

To open terminal in Linux, then delay two seconds, then enter a command into terminal (2 second delays added)

 \g  \2 terminal \r  \2 ssh [email protected] \r

To press Windows key and open run box, then delay, then enter a powershell command (2 second delays added)
```
 \g  \2 run \2  \r  \2 powershell.exe ls \r
```
To press Windows key and run cmd command to open calculator (2 second delays added)
```
 \g  \2 cmd \r calc \2  \r
```
To enter text into fields 1, 3, and 5 of a multiple field form and then submit
```
 \t textfield1 \t  \t textfield3 \t  \t textfield5 \r
```

Configurable Lock Button

One of the buttons on OnlyKey can be configured as a lock button. When the lock button is pressed the OnlyKey locks and the OnlyKey sends keystrokes to lock the computer (Windows+L for Windows and Linux, CTRL+SHIFT+EJECT for Mac).

Configurable Indicator Light (LED) Brightness

The multicolor LED on OnlyKey is set to medium (8) brightness by default. Brightness may be adjusted between 1 (dimmest) and 10 (brightest).

Change your PIN

To change PIN go to the [Setup] tab, put OnlyKey in config mode, and follow the instruction in the app to set a new PIN.

Encryption Keys

OnlyKey makes encryption keys easier and more secure by storing them offline, protected even if the computer using the encryption key is compromised.

Key FAQ

What is a key?

In the simplest terms an encryption key is something you have that allows you to encrypt or sign data. This data could be emails, files, or anything really. Every time you browse to a secure website there are keys being used in the background to encrypt the information you send so that only you and the website can see the information.

Why does protecting private keys matter?

You may hear the term private key being used sometimes, we will not get into the details here but there are plenty of places to read further on this topic online. For our purposes here a private key is used to read the secure messages / data that someone sends you. Only you should have access to this key because anyone with access to the key can read all messages sent to you in the past or in the future. This is why it is important to protect the key from exposure and why storing it securely on the OnlyKey is better than on your computer somewhere.

What does OnlyKey use keys for?

The OnlyKey stores private keys. These private keys are used for three different purposes.

Signing and Encrypted Messages/Files (OpenPGP)
- OnlyKey WebCrypt - Provides a way to securely use OnlyKey for OpenPGP in the browser. The Webcrypt app loads everything necessary to encrypt messages and files directly in the local browser without the need to send messages or files over the Internet. Data between OnlyKey and the local browser is end-to-end encrypted. This provides encryption everywhere on-the-go and supports macOS, Windows, Linux, Chrome OS, Android, and iPhone (Safari on iOS 13.3+). More information on mobile support here.
- OnlyKey GPG Agent - Provides a way to securely use OnlyKey for OpenPGP on a local computer. Instead of keeping keys on a computer, OnlyKey generates and securely stores your keys off of the computer and you can still easily use GPG to do things like sign emails, git commits, software packages etc.
SSH Authentication - SSH is a popular remote access tool that is often used by administrators. Thanks to the OnlyKey SSH Agent remote access can be passwordless and more secure. For information on using OnlyKey for SSH authentication see OnlyKey SSH Agent.
Secure Encrypted Backup - This will backup everything including your stored accounts, preferences, and other keys to an encrypted text file. For information on backing up OnlyKey see Secure Encrypted Backup.

How do I get started?

By default, no setup is required to use OnlyKey GPG Agent and OnlyKey SSH Agent as OnlyKey uses random key (derived keys) by default.

To use OnlyKey WebCrypt or OnlyKey Agent with your own OpenPGP keys (stored keys) follow the guide here to generate and load OpenPGP keys onto OnlyKey.

Secure Encrypted Backup Anywhere

The Secure Encrypted Backup Anywhere feature allows you to backup OnlyKey on the go. The way that this works is that the OnlyKey encrypts everything on your OnlyKey using an encryption key and then types it out. This allows saving the backup in a text file or email on any computer.

Backup With OnlyKey App

Step 1. First, you must have a backup passphrase or key set on your OnlyKey.

Step 2. Click on the Backup/Restore tab of the OnlyKey app.

Step 3. Click inside the Backup data box and then hold down the 1 button on your OnlyKey for 5 seconds or more and then release. This will type out an encrypted backup of your OnlyKey configuration into the box. Select save file to save the backup file which has a timestamp so you can keep track of the latest backup file.

Pro Tip: Backup can take a long time if your Keyboard Type Speed is set to a low setting. To speed this up go to Preferences in the OnlyKey app and select a higher setting, 9 usually works well

Backup Without OnlyKey App

The process is the same to backup without the app. OnlyKey can type out your encrypted backup anywhere.

Save to a text file - Instead of clicking in the Backup data box you could click into any text editor like notepad and when the backup is complete save the text file using whatever filename you prefer.

Save it in an email - In the same way you could also click into any email client and then when the backup is complete send the email to yourself or someone else.

Restore From Backup

Using the backup file created in the Secure Encrypted Backup Anywhere section, OnlyKey can be restored to a previous state. This also allows restoring to a different OnlyKey or a second OnlyKey in order to have an extra.

Note: The way that a restore works is that it overwrites the current information on your OnlyKey with the information stored in the backup. So if you for example have a backup file that contains a password in slot 1 and you do a restore to an OnlyKey that already has a username and password in slot 1 the result would be that the username would remain unchanged and the password would be overwritten.

Step 1. Ensure that a PIN is set on the target OnlyKey by completing the Initial Setup section and ensure that the same passphrase/key is loaded onto the OnlyKey that was used to backup.

Step 2. Put the OnlyKey into config mode by holding the 6 button down for more than 5 seconds, and then re-entering your PIN. You will see the OnlyKey LED fade in and out continuously (Red) while in config mode.

Step 3. Click on the Backup/Restore tab of the OnlyKey App and then click Choose File to select your OnlyKey backup file. Click Restore to OnlyKey.

If you used the OnlyKey App to create the backup then the name of this file will be ‘‘onlykey-backup-.txt''. The timestamp can be used to make sure you are loading the latest backup.

Step 4. Restore may take a minute or two depending on the amount of data to restore. You will know that the restore is complete when the OnlyKey reboots automatically.

Loading OnlyKey Firmware

Follow the upgrade guide below to load the latest OnlyKey firmware:

Firmware upgrade guide

If you received a message in the OnlyKey app stating “This application is designed to work with a newer version of OnlyKey firmware.” or if your OnlyKey has firmware v0.2-beta.6x or earlier follow the link below:

Legacy firmware upgrade guide (v0.2-beta.6x or earlier)

OnlyKey Accessories / Mobile Support

OnlyKey Case

The OnlyKey case provides additional protection and lets you select a custom OnlyKey color.

Choose a color that fits your style – Stealth Black, Guardian Blue, Hacker Green, Resistance Red, or Quantum White.

Purchase in OnlyKey Store

Purchase on Amazon

Android/iOS Support

Android and iOS is supported by using a USB on-the-go (OTG) adapter. For more information read Using OnlyKey with Mobile Devices (Android and iOS)

Troubleshooting

Common Issues

Below is a list of common issues and solutions.

Issue	Solution
White Light on OnlyKey	If full wipe mode is enabled (disabled by default) the OnlyKey will wipe both data and firmware. Follow instructions in the upgrade guide here to load firmware.
Not working with certain sites / Not entering data in correct field	We often get customers that ask how to set up a specific site with OnlyKey. There are several examples listed in the table provided in the Set up a slot section. If you have a use case that is not covered by this please open a new issue on the support forum.
Missing characters while typing / typing too fast / typing too slow	Adjust the type speed in preferences.
Google Authenticator types NOTSET instead of OTP code	This occurs when the OnlyKey does not have the time set. Time is set from the OnlyKey app which occurs automatically. The OnlyKey app must be installed for the code to be generated.
Entering data into OnlyKey App and selecting submit but the data is not saved	The check box next to the data must be selected.
Yubico® OTP Error	The majority of Yubikey® OTP applications require Yubicloud setup including LastPass. See Yubicloud section of User's Guide.

If you have an issue not listed here please reference the online support forum here.

Web Links

Documentation - https://docs.crp.to

FAQs - https://docs.crp.to/faq.html

Forum - https://forum.onlykey.io

Store – https://crp.to/ok

Github – https://github.com/trustcrypto

Getting started with OnlyKey – https://onlykey.io/start

Tags:

Edit me