OnlyKey Thoughts

I’ve been using OnlyKey for nearly two years, starting with the “first” generation model (no RGB LED, shown in photo) and currently with two “second” generation models (RGB LED).

Both models have been used heavily on a daily basis, one of them by a non-technical user with the device configured as a simple gate to LastPass.

Pros

Instead of remembering a password or passphrase, you only need to remember a PIN code or a button pattern. This extends the idea of a password manager to a physical key, which can further increase the security of your password manager: the stored secrets are only released after the PIN is entered on the device itself.

Works as a USB keyboard. I like this feature as it lets me enter passwords quickly in situations that would otherwise require a work-around (nested RDP sessions as an example).

Multiple two-factor options supported. I use OTP and U2F daily without issue.

Durability. One of the concerns I had is the pads tarnishing. This would indicate which pads were used in a PIN sequence, greatly reducing the number of guesses needed for brute-forcing a PIN. Fortunately this has not proved to be a problem even after hundreds or thousands of button presses over the past few years. The backside of the hardware key is wearing to show some copper underneath the resin board, however this hasn’t caused any problems.

Support. The developer has been continually improving the device and software since I’ve been using it. Software development is slow, but this has been put together by a very small team and I’m betting this isn’t their full-time job.

Cons

Speaking of brute-forcing a PIN, one of the downsides to the device (one that I’m not sure can be overcome without non-volatile memory on the device) is that the lockout protection is useless. The count of failed attempts lives only in the device’s working memory, so removing the device from the USB slot and re-inserting it resets the count, and the number of tries is effectively unlimited. Time consuming, but a weakness nevertheless.
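To make the counter point concrete, here is an added simulation (my own example, not OnlyKey’s firmware) that compares a failed-attempt counter held only in RAM with one committed to non-volatile storage before each verification. The MAX_TRIES threshold, the PIN value, the NVStore class and the candidate guesses are all constructed assumptions for the example; the lesson is that the persistent counter keeps counting across power cycles, and that it must be committed before the comparison so that pulling power mid-check cannot leave it un-incremented.

```python
"""Simulation of PIN lockout counters: volatile (RAM only) vs persisted.

Added illustration, not OnlyKey code. All values below are constructed.
"""
import hmac

MAX_TRIES = 10          # assumed lockout threshold for this simulation
SIM_PIN = "735102"      # constructed PIN used by both simulated devices


class VolatileCounterDevice:
    """Failed-attempt counter kept in RAM: a power cycle clears it."""

    def __init__(self, pin: str) -> None:
        self._pin = pin
        self._tries = 0

    def power_cycle(self) -> None:
        # RAM contents are lost when power is removed; counter starts over.
        self._tries = 0

    def verify(self, guess: str) -> str:
        if self._tries >= MAX_TRIES:
            return "locked"
        self._tries += 1
        if hmac.compare_digest(guess, self._pin):
            self._tries = 0
            return "ok"
        return "wrong"


class NVStore:
    """Stand-in for non-volatile memory (EEPROM/flash): survives power loss."""

    def __init__(self) -> None:
        self.data = {"tries": 0}


class PersistentCounterDevice:
    """Failed-attempt counter committed to non-volatile storage."""

    def __init__(self, pin: str, nv: NVStore) -> None:
        self._pin = pin
        self._nv = nv

    def power_cycle(self) -> None:
        # Nothing to do: the counter is in NVStore and survives.
        pass

    def verify(self, guess: str) -> str:
        if self._nv.data["tries"] >= MAX_TRIES:
            return "locked"
        # Increment and commit BEFORE comparing. If power is pulled during
        # the comparison, the attempt has already been recorded.
        self._nv.data["tries"] += 1
        if hmac.compare_digest(guess, self._pin):
            self._nv.data["tries"] = 0   # successful unlock clears the count
            return "ok"
        return "wrong"


def wrong_guesses(n: int) -> list:
    """Constructed list of n incorrect 6-digit candidates (none equals SIM_PIN)."""
    return [f"{i:06d}" for i in range(n)]


def attempts_before_lockout(device, candidates, cycle_every):
    """Feed incorrect candidates to the device, power-cycling it every
    `cycle_every` attempts. Returns (attempts_evaluated, locked_out)."""
    evaluated = 0
    for i, candidate in enumerate(candidates):
        if i and i % cycle_every == 0:
            device.power_cycle()
        if device.verify(candidate) == "locked":
            return evaluated, True
        evaluated += 1
    return evaluated, False


if __name__ == "__main__":
    cands = wrong_guesses(50)
    vol = VolatileCounterDevice(SIM_PIN)
    print("volatile, no power cycling:", attempts_before_lockout(vol, cands, 10**9))
    vol = VolatileCounterDevice(SIM_PIN)
    print("volatile, cycling every 5:  ", attempts_before_lockout(vol, cands, 5))
    pers = PersistentCounterDevice(SIM_PIN, NVStore())
    print("persistent, cycling every 5:", attempts_before_lockout(pers, cands, 5))
```

Run as-is it prints that the RAM-backed device locks after MAX_TRIES attempts only when it is never power-cycled, evaluates all 50 wrong candidates when cycled every five attempts, and that the NV-backed device locks after MAX_TRIES regardless of cycling.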

Configuration is difficult, especially for non-technical users. This has gotten better as the software (the Chrome App) has improved. Recent changes include firmware updates from the application instead of requiring command-line knowledge.

Configuration more or less requires Google Chrome. This might dissuade some users who are dead set on using other browsers such as Firefox.

OTP functionality requires the OnlyKey Chrome App to be running, with some exceptions (for example, once the time has been set it does not need to be set again as long as the hardware remains plugged into a powered-on system). Until the hardware includes an on-board clock with its own memory, this will remain a requirement.

Recommendations

I highly recommend these devices for technical users. I’d get two and keep a backup within short driving distance if using for work-related or otherwise critical duties.

I’d recommend these for non-technical users in conjunction with a password manager such as LastPass. Once you have them set up with a PIN and they understand the simple repeatable workflow, they should be set.