Proceed to initial setup below
You may find it easier to remember a pattern rather than a 7 - 10 digit PIN. Kind of like patterns used to unlock an Android Lockscreen:
Read and accept the Warning and Disclaimer by checking the checkbox. On your Onlykey six digit keypad enter a PIN between 7 - 10 digits long. When you are finished select ‘‘Next’’ to continue.
We get that there will be some users who think the idea of having a second hidden profile is awesome and others will be like meh, I don’t want or need that. That is fine and you can still get value out of having the second profile. Using the second profile you can have up to 24 unique accounts set up instead of 12. For example, if you wanted to set up all of your personal accounts under the main profile and all of the work accounts under the hidden profile that would be fine. You can get creative and use the other profile for whatever you want.
If you lose or forget your PIN then a factory default must be completed on your OnlyKey before you can set a new PIN. This wipes all of your sensitive information and allows you to go through the Initial Setup again to configure a new OnlyKey PIN. To perform a factory default you have two options:
Method #1 - Enter your self-destruct PIN. The device will then have a solid light on that indicates that it is un-initialized and ready to reconfigure.
Method #2 - Enter 10 incorrect PINs. You will notice that after entering 3 incorrect PINs your OnlyKey is steadily blinking. This is an intentional safeguard so that in the event that a child gets ahold of your OnlyKey the device will not be inadvertently wiped by them repeatedly pressing buttons. You must remove and reinsert your OnlyKey and enter 3 more incorrect PINs. Repeat this until 10 incorrect PINs have been entered. The device will then have a solid light on that indicates that it is un-initialized and ready to reconfigure.
Configure Basic Login Info
Now that your OnlyKey is unlocked you see this screen.
All About Slots
The Slots area of the application is where you will set up things like your usernames, passwords, and 2 factor. As you can see the word ‘‘empty’’ is shown 12 times next to a button with a number and a letter. Each of these buttons refers to one of the slots on your OnlyKey.
What are slots? On the OnlyKey you have 6 buttons and 12 available slots in your profile. Each slot can be set with a Label, URL, Username, Password, and two-factor authentication. Each slot is assigned to a button on your OnlyKey. So for example if you were to save your Google password to slot 1a, then to type out your Google password you would tap button 1 on your OnlyKey for less than one second (Slot 1a). If you were to save your Yahoo password to slot 1b, then to type out your Yahoo password you would hold button 1 on your OnlyKey for more than one second (Slot 1b).
Each button has two slots assigned to it that can be activated by holding the button for less than or more than one second.
The slots that have not been configured have no label so they are shown as ‘‘empty’’. Next, let’s set a label to slot 1a.
Set a Label
Now the label you entered is assigned to slot 1a. Slot labels are helpful: if you forget which button is assigned to which account, you can open the OnlyKey app at any time to see how it is set up.
What if I am using a computer without the OnlyKey app?
This is where the card you received with your OnlyKey comes in handy. You can write your labels on this and carry this in your wallet. This is a low tech solution but it works great.
Set up a Slot
The example configuration shown below would be to set up a username and password to automatically login to the Google page shown below.
Now the configuration is saved and shows up in the OnlyKey app as ‘‘Google 1’’.
Test a Slot
Once you set your desired account information to a slot then try it out by going to the login page, clicking in the login field, and pressing the corresponding button on the OnlyKey.
- The password is entered before page loads.
  - Set the delay, usually 2-3 seconds works well but this may not be enough time for slow web pages or slow internet connections.
- There is a Captcha required sometimes after password.
  - You can either set the delay to a high value like 8 - 9 seconds to give yourself time to enter this or select None. Selecting None means that the password is entered but not submitted so you have time to enter additional information.
- Everything works fine but I really wish it typed faster.
  - You can adjust the type speed in preferences.
As mentioned earlier, login pages can be different between sites and sometimes even different on the same site. For the second example we will set up another Google login, this one for a Google account where the username is already saved to the website so all you need to do is enter a password. This is the default when you have already logged into Google in the past on a computer.
Additionally, by using the URL field we can have the OnlyKey type the login page URL into the browser and browse to the login page (in this case accounts.google.com). This way a one-touch login is possible. Just select the empty URL field in the browser and the URL is automatically typed out and Return is pressed to browse to the site. Once on the site the password is entered and the login is complete.
The example configuration shown below would be to set up a URL and password to automatically login to the Google page shown below. Notice that the username is already remembered so there is not a need to set this in the OnlyKey slot.
The table below shows how to configure some common login forms that at first may seem problematic. By using the delay setting of the OnlyKey we can support practically any login field format.
|Site that does not automatically select username field after loading page (i.e. Kraken).||With URL - You will notice that the delay is set to a high value so that you have plenty of time to select the username field manually since it's not selected automatically. Without URL - Browse to the login page first and place cursor in the username field before selecting the assigned OnlyKey button.|
|Site where username is remembered after first login (i.e. Google).||Password and 2FA only - This is usually the best option if you remember your username/email address as this will work on any computer whether your username is remembered or not. This method does not include URL in case you are prompted for a password. Username Remembered w/URL - If you use your device mostly on a computer where your username is remembered this is a good option.|
|Site that does not automatically select OTP code field after loading next page (i.e. Salesforce)||You will notice that the delay before 2FA is set to a high value so that you have plenty of time to select the OTP code field manually since it's not selected automatically.|
|Site where username and password is required first and then OTP code field appears below (i.e. IT Glue)|
Generating a strong password is easy to do. Next, let’s use two different methods to generate strong uncrackable passwords.
Generate Strong Password via Browser Extension
Install a browser extension by selecting add to Chrome the same way that you installed the OnlyKey app.
Chrome Extension available from the Chrome Web Store here.
Generate Strong Passwords Online
There are many websites that allow you to generate a secure random password including the LastPass tool.
LastPass password generation tool available here.
Configure Two Factor Authentication (2FA)
Two-factor authentication (2FA) is essentially an extra step that is required during the login process that makes it so that even if your username and password are compromised an attacker cannot login to your account. It is called two-factor authentication, or sometimes also multifactor authentication, because more than one factor is required to login. Factors can be something you know like a password, something you are like a fingerprint or iris scan, or something you have like the OnlyKey. There are three different types of 2FA supported by OnlyKey. By supporting multiple modes of 2FA OnlyKey will work with most sites that support 2FA - http://www.dongleauth.info/
Google Authenticator (TOTP)
DISCLAIMER - Google® is a registered trademark of Google Inc. OnlyKey is not associated with or sponsored by Google® Inc.
The way you would typically set up Google Authenticator without OnlyKey is to download the Google Authenticator app to your smartphone. You would then enable Google Authenticator on a website and the website would provide you with a QR code that looks like this:
You would then take a picture of the QR code the website gives you. The app then starts generating a 6 digit number that changes every 30 seconds that is required to be typed into the website login prompt in addition to your username and password.
This method of two-factor authentication has some notable advantages over using features like 2nd-step verification where a website will send you an SMS message with a code to enter to login. One weakness in the SMS approach is that phone numbers can be transferred to a malicious party sometimes just by calling and asking the phone company to do this and providing some personal information. Another weakness is that more sophisticated attackers may be able to clone your phone number and then receive SMS messages sent to you. Google authenticator (TOTP) solves some of these issues by generating the code on your phone itself using a private key. Now that the background is covered we can set this up on your OnlyKey. No phone or app required for setting this up on your OnlyKey but if you wish to maintain a backup of your two-factor authentication codes it may be a good idea to download the app and scan the QR code as a backup in case you lose your OnlyKey.
As you go through the steps you will be prompted to scan a QR code (Looks like a square bar code). You can go ahead and scan the QR code using your smartphone Google Authenticator app if you wish to create a backup and then select “CAN’T SCAN IT” as shown below:
Now open the OnlyKey Chrome Configuration App. With your correct PIN entered on the OnlyKey you are able to select the Slot to configure and paste this code into the field located next to ‘‘Google Auth OTP’’ as shown below:
Once you click submit your OnlyKey is ready to generate OTPs.
Once your account has been verified you are all set. You can add a username and password to this slot so that you can do a one touch login. Keep in mind that the page may take a second or two to load where your 6 digit OTP is entered so set the delay accordingly, 4 - 5 seconds delay should be plenty of time.
Learn more about the implementation of Google Auth OTP here.
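Added example (not OnlyKey firmware or app code): how the 6 digit code described above is derived from the key a site provides and the current time, following RFC 6238, and how a site checks it. The key and otpauth URI are constructed sample data (the RFC 6238 test key), and all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# Constructed sample data: the RFC 6238 test key, written the way sites show it
# (lowercase, grouped), and the same key inside a QR code's otpauth:// payload.
CONSTRUCTED_KEY = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"
CONSTRUCTED_URI = ("otpauth://totp/Example:alice@example.com"
                   "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")


def decode_secret(text):
    """Turn the base32 key a site displays into the raw shared-secret bytes."""
    cleaned = text.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # base32 input must be a multiple of 8
    return base64.b32decode(cleaned)


def secret_from_otpauth(uri):
    """Extract the secret from the otpauth:// URI that the QR code encodes."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    params = parse_qs(parsed.query)
    if "secret" not in params:
        raise ValueError("URI carries no secret")
    return decode_secret(params["secret"][0])


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 code for the time step containing unix_time (HMAC-SHA1)."""
    if unix_time is None:
        # No clock means no counter, so no code can be derived at all.
        raise ValueError("current time is required to generate a code")
    counter = int(unix_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret, code, unix_time, window=1, step=30):
    """Site-side check: accept the current step and `window` steps either side."""
    ok = False
    for drift in range(-window, window + 1):
        t = unix_time + drift * step
        if t < 0:
            continue  # no time step exists before the epoch
        expected = totp(secret, t, step)
        # Constant-time comparison; keep looping so timing does not leak a match.
        ok |= hmac.compare_digest(expected.encode(), code.encode())
    return ok


if __name__ == "__main__":
    key = decode_secret(CONSTRUCTED_KEY)
    for t in (0, 29, 30, 59, 60):
        print(t, totp(key, t))  # the code changes only when a 30 second step rolls over
```

Because the code depends only on the shared key and the clock, a backup authenticator set up with the same key produces the same codes, and a device whose time has not been set cannot produce one.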
Yubico® One-Time Password
DISCLAIMER - Yubico® and Yubikey® are the registered trademarks of Yubico® AB. OnlyKey is not associated with or sponsored by Yubico® AB. Yubikey® OTP has been released by Yubico® as open source software with license found here
- First download and install the Yubikey® personalization tools
- Go into Yubico® OTP and select ‘‘Quick’’
- Select the ‘‘Hide values’’ checkbox and select ‘‘Regenerate’’ to create a Public Identity, Private Identity, and Secret Key.
- Copy and paste these into the corresponding fields on the OnlyKey Configuration App.
- Select ‘‘Save to OnlyKey’’ to write these values to your OnlyKey
- Now your OnlyKey is ready to function in Yubikey® OTP mode
- Just select a slot that you wish to use with Yubikey® OTP mode by selecting the radio button and then selecting ‘‘Submit’’. The Yubikey® OTP will be generated when the corresponding button is pressed.
The majority of Yubikey® OTP applications online require Yubicloud setup. See the Yubicloud setup section after setting up Yubico® OTP.
Learn more about Yubikey® OTP implementation here.
Yubicloud (Not Officially Supported)
Some online services use Yubicloud for authentication. Yubicloud is owned by Yubico® and 3rd party devices are not supported so OnlyKey is not supported on Yubicloud. However, 3rd party devices will technically work with Yubicloud as long as you own an actual Yubikey®.
The following instructions show you how to set up a 3rd party device on Yubicloud. This is for your information only and we do not recommend setting up a 3rd party device on Yubicloud. If you choose to follow this information to set up a 3rd party device on Yubicloud you choose to do so against our recommendations and at your own risk.
Security Key - Universal 2nd Factor (U2F)
OnlyKey works just like any other U2F token. Follow the steps below to configure a slot to use U2F.
Learn more about OnlyKey’s implementation of U2F here.
Using OnlyKey With A Software Password Manager
OnlyKey stores up to 24 unique accounts in offline storage and can be used to secure an unlimited number of accounts if used in conjunction with a software password manager. For example, set one of the OnlyKey slots to Dashlane, Google (Smart Lock), LastPass, etc., enable 2-factor on this slot, and then use your OnlyKey to unlock your software password manager. This way you can keep your most valuable accounts in offline storage and everything else in the software password manager.
LastPass supports both Google Authenticator and Yubico® OTP. Google Authenticator is supported in the free version of LastPass and Yubico® OTP is supported in the premium version of LastPass.
To protect a LastPass account with Google Authenticator 2FA follow the steps below.
DashLane supports Google Authenticator, Yubico® OTP, and U2F. The choice is yours but for beginners Google Authenticator is the best option.
SmartLock is a new password manager that is available in Google Chrome. Since this uses a Google account it supports Google Authenticator or U2F. The choice is yours but for beginners Google Authenticator is the best option.
OnlyKey has several customizable preferences that can be accessed from the preferences tab of the configuration app.
Configurable Inactivity Lockout Period
This is the amount of time that the OnlyKey should remain unlocked while not being used. The default value is 30 minutes and the maximum is 255 minutes (about 4 hours). To disable lockout altogether set the lockout to 0.
Configurable Keyboard Type Speed
Setting a custom type speed may be desirable in cases where the application you are using can not keep up with fast typing. Or if you don’t use any applications with type speed restrictions you can have the text typed at top speed for the fastest logins. Setting value to 1 will result in very slow type speed of about one character a second, setting value to 10 will result in very fast type speed that will type almost instantly.
Configurable Wipe Mode
Use Case #1 - If you are using the plausible deniability feature there is one scenario where an adversary may be able to determine that you were using the plausible deniability feature. This is possible if the adversary enters 10 incorrect PINs causing your OnlyKey to wipe all data and then they go to reconfigure the PINs. The adversary would be able to set both a regular PIN and PD PIN on the newly wiped OnlyKey and thus they would be able to conclude that you have the Standard Edition firmware. At this point the device is wiped, so the adversary would not have access to any sensitive information, but the adversary would know that your device is capable of encryption, which in some areas may be undesirable. To address this issue you can now set the wipe mode of your OnlyKey to Full Wipe. Given the same scenario with Full Wipe set, when 10 incorrect PINs are entered the device will completely wipe all information including the firmware from your OnlyKey. No useful information would be available to an adversary concerning what firmware you were running, and in order to use the device new firmware must be loaded.
Use Case #2 - You are just really paranoid and want to erase any trace of your OnlyKey when a factory default occurs. Doing a full wipe is one way to be absolutely sure that everything including the firmware has been eliminated from your device.
Configurable Keyboard Layouts
We now support changing your keyboard layout on the fly through the Chrome app, no firmware reload required. Traveling to France from the US? No problem, just set the OnlyKey keyboard to French and change it back to US when you return. Here are the options supported for international keyboards:
OnlyKey makes encryption keys easier to use and, by storing them offline, keeps them protected even if the computer using the keys is compromised.
What is a key?
In the simplest terms an encryption key is something you have that allows you to encrypt data. This data could be emails, files, or anything really. Every time you browse to a secure website there are keys being used in the background to encrypt the information you send so that only you and the website can see the information.
Why does protecting private keys matter?
You may hear the term private key being used sometimes. We will not get into the details here, but there are plenty of places to read further on this topic online. For our purposes here a private key is used to read the secure messages / data that someone sends you. Only you should have access to this key because anyone with access to the key can read all messages sent to you in the past or in the future. This is why it is important to protect the key from exposure and why storing it on the OnlyKey is better than on your computer somewhere. If it’s on your computer and your computer is hacked then all past and future messages you send may be read by the hacker.
What does OnlyKey use keys for?
The OnlyKey stores private keys. These private keys are used for four different purposes.
- Secure Encrypted Backup - OnlyKey allows using RSA or ECC private keys to backup your OnlyKey. This will backup everything including your stored accounts, preferences, and other keys to an encrypted text file. For more information see Secure Encrypted Backup.
- SSH Authentication - OnlyKey allows using ECC private keys for SSH authentication. Using the OnlyKey agent, SSH authentication can be accomplished by storing a key on the OnlyKey and setting it as an authentication key. For more information see SSH Authentication.
- Email/File Decryption - Using the OnlyKey PGP Message Tool, the OnlyKey supports decryption of email and files using OpenPGP (PGP/GPG compatible). This feature is currently released as experimental; to try it out we recommend encrypting emails with Mailvelope (Using RSA 4096 Key) and decrypting with the OnlyKey PGP Message Tool. More to come here: we are looking to partner to support a web based OpenPGP solution.
- Email/File Signing - Using the OnlyKey PGP Message Tool, the OnlyKey supports signing of email and files using OpenPGP (PGP/GPG compatible). This feature is currently released as proof of concept and is not available for general use.
Learn more about keys feature here.
If you are already familiar with PGP/GPG and already have keys ready to use you can jump ahead to the Loading Keys section.
If this is your first time creating keys or if you would like to create new keys the method we will be using just requires a web browser and the Mailvelope extension/plugin. Instructions are for Chrome browser but this could also be accomplished using Firefox browser.
Loading RSA Keys
- Ensure OnlyKey is unlocked
- Hold the 6 button down for more than 5 seconds, and then release, you will see the light turn off.
- Re-enter your PIN, you will see the OnlyKey LED fade in and out continuously (Red if OnlyKey Color) while in config mode.
Select the slot where you would like to store this key, there are 4 RSA slots available.
Select the key features (what you want to use the key for) such as backup, signature, decryption, authentication. You can select them all but only one key can be set as the backup key. If you load a new key and set it as backup, it will be the backup key and the old key will no longer be used for backup.
Loading ECC Keys
Loading ECC keys is a more advanced topic and requires familiarity with using terminal commands. ECC Keys are required for SSH Authentication and can be used for encrypted backups. Up to 32 ECC keys can be stored on OnlyKey.
The OpenSSL ECC Key Generation guide here provides instructions on how to generate OnlyKey compatible ECC keys and load them onto the OnlyKey
Secure Encrypted Backup Anywhere
The Secure Encrypted Backup Anywhere feature allows you to backup OnlyKey on the go. The way that this works is that the OnlyKey encrypts everything on your OnlyKey using an encryption key and then types it out. This allows saving the backup in a text file or email on any computer.
Before Getting Started
The backup feature was introduced in firmware version v0.2-beta.4, but for users who use the second profile (plausible deniability mode) make sure your OnlyKey is running firmware v0.2-beta.5 or later. You can check this once your device is configured by looking in the bottom right corner of the OnlyKey Chrome App. If you are running an earlier version follow the
Backup With OnlyKey App
Backup Without OnlyKey App
The process is the same to backup without the app. Instead of clicking in the Backup data box you could click into any text editor like notepad and when the backup is complete save the file using whatever filename you prefer. In the same way you could also click into any email client and then when the backup is complete send the email to yourself or someone else.
Restore From Backup
Using the backup file created in the Secure Encrypted Backup Anywhere section, we can restore an OnlyKey from backup. This also allows restoring to a different OnlyKey or a second OnlyKey in order to have an extra.
If you used the OnlyKey App to create the backup then the name of this file will be ‘‘onlykey-backup-
Loading OnlyKey Firmware
|OnlyKey Color (Has a square LED)||OnlyKey Original (Has text "LED" visible)|
|Download OnlyKey Color Standard Edition firmware here||Download OnlyKey Original Standard Edition firmware here|
|Download OnlyKey Color International Travel Edition firmware here||Download OnlyKey Original International Travel Edition firmware here|
|File Name||SHA256 Hash|
Under The Hood - One of the great things about this method of firmware loading is that you, the user, can load your own firmware and in doing so be sure that your OnlyKey has not been tampered with. What actually happens when you load the firmware is that a mass erase is completed first. What this means is that all data is completely wiped, and then the new firmware is loaded. This way if say you suspect that your device was tampered with by someone or you just like to know for sure you can just re-load the firmware yourself.
OnlyKey Accessories / Mobile Support
The OnlyKey silicone case provides additional protection and gives OnlyKey a polished appearance. To put on the case just carefully slide the case over the OnlyKey as shown below:
Android is supported by using a USB on-the-go (OTG) adapter. There are two types of OTG adapters that can be purchased: USB Micro and USB C.
Since the OnlyKey is essentially detected by Android as a keyboard, the username / password / Yubikey® OTP login features will work. Unfortunately, there is no support for U2F or Google Authenticator currently on Android.
This solution is ideal as it can be carried on a keychain for on the go use.
iPhone/iPad Support (Experimental)
This is currently in the experimental phase so there is no official support. Users have claimed to successfully use OnlyKey on their iPhones using a USB adapter like the one shown below.
Since the OnlyKey is essentially detected by iPhone/iPad as a keyboard then the username / password / Yubikey® OTP login features will work. Unfortunately, there is no support for U2F or Google Authenticator currently.
Keychain Accessory Options
The standard keychain that comes with the OnlyKey is plastic which provides good durability and an easy quick disconnect for convenient access.
If you ever need a replacement or extra keychain one can be purchased using the link below:
Keychain DIY Customize
If you don’t like how far your OnlyKey hangs off of your keyring then follow these instructions to create a nice short keychain. You can do this yourself; all that is needed is a pair of scissors.
Other Keychain Options
Various other keychains may be used; some ideas are shown below:
Below is a list of common issues and solutions.
|Accidentally press OnlyKey button||All OnlyKeys now include a silicone case accessory, this is also available for purchase on Amazon. Using the case makes it difficult to inadvertently press a button.|
|Not working with certain sites / Not entering data in correct field||We often get customers that ask how to set up a specific site with OnlyKey. There are several examples listed in the table provided in the Set up a Slot section. If you have a use case that is not covered by this please open a new issue on the support forum.|
|Missing characters while typing / typing too fast / typing too slow||Adjust the type speed in preferences.|
|Google Authenticator types NOTSET instead of OTP code||This occurs when the OnlyKey does not have the time set. Time is set from the OnlyKey Chrome App which occurs automatically. Chrome and the OnlyKey Chrome App must be installed for the code to be generated.|
|Entering data into OnlyKey App and selecting submit but the data is not saved||The check box next to the data must be selected.|
|Yubico® OTP Error (LastPass)||The majority of Yubikey® OTP applications require Yubicloud setup including LastPass. See Yubicloud section of User's Guide.|
If you have an issue not listed here please reference the online support forum here.
Alternate Backup Method
This method has been replaced by the built-in OnlyKey secure backup method but is provided here for reference.
Standard Edition OnlyKey Backup using Veracrypt/Truecrypt 7.1a
Plausible Deniability OnlyKey Backup using Veracrypt/Truecrypt 7.1a
Documentation - https://docs.crp.to
FAQs - https://docs.crp.to/faq.html
Store – https://crp.to/ok
Github – https://github.com/trustcrypto
Getting started with OnlyKey – https://crp.to/okstart