OnlyKey is a multi-function hardware security key combining features of a password manager, two-factor authentication (2FA) token, file encryption token, and secure storage device. The device incorporates hardware storage for password and username combinations, also acting as a portable password manager.[1]
OnlyKey is notable for its physical keypad, which allows users to enter a PIN code directly on the device.[2] After 10 failed attempts to unlock, all data is erased.[2] The device also features a data-destruction code that the user can key in.[3][4] The device can store passwords, usernames/URLs, and one-time password (OTP) accounts, that can be used for online/offline access.[2][4]
Password management: OnlyKey can store and manage up to 24 passwords, usernames/URLs, and one-time password (OTP) accounts on the device itself.
Two-factor authentication (2FA): OnlyKey supports various 2FA protocols including FIDO2 WebAuthn, FIDO U2F, TOTP, Yubico OTP, and Challenge-response.[5][4] When logging in to a configured website or service, besides entering the username and password, the user also physically confirms the login attempt by pressing a button.
Security and Durability: OnlyKey is open source[2] and has upgradable firmware. [4]
Set up Apps: The device can be used via Chrome browser app, as well as desktop apps on macOS, Windows, and Linux (.deb)[6]
Cost: Compared to software-based password managers, OnlyKey requires an upfront purchase for the hardware device itself.
Learning Curve: Setting up and using OnlyKey may require familiarization with its features and functionalities compared to typical password management solutions. Complex setup process compared to security keys like YubiKey.[3][4]
Physical Loss: Losing the OnlyKey device can potentially lock the user out of their accounts if no backup options are implemented.
Limited Lockout Effectiveness: The PIN lockout feature can be bypassed by repeatedly removing and re-inserting the OnlyKey from the USB port, resetting the attempt counter. This is a potential weakness due to the lack of non-volatile memory on the device itself.[5]
Limited OTP Functionality: The absence of both an on-board clock and non-volatile memory necessitates the OnlyKey Chrome App to be running for Time-based One-Time Password (TOTP) generation. There are some exceptions when the hardware key is continuously powered.[5]
Potential for accidental total data-destruction due to user's keying error.[3]