By Tyler W.
July 25, 2021
OnlyKey is not the Only Key
Using a hardware key is a great additional security feature, and it is a case of the more the merrier.
When I purchased my OnlyKey I had anticipated it replacing my YubiKey, not being used in addition to it! An OnlyKey and a YubiKey are both multi-factor hardware authentication devices that serve as an extra layer of protection for your passwords (or encrypted data). I have used my YubiKey for some time as my hardware multi-factor authentication tool, but wanted to see how the OnlyKey compared. To be honest, they probably do not compare. The best way to describe the two devices is that a YubiKey is a much more secure version of an authenticator app (e.g. Google Authenticator), while an OnlyKey is a secure portable password manager (up to 12 passwords).
It is important to note that a YubiKey, or any hardware key, is not an automatic replacement for the TOTP authentication process, as the service you are logging in to must support it. For instance, GitHub allows a YubiKey for its authentication process, while Protonmail requires TOTP verification. As a result, you will not be able to abandon Google Authenticator (as an example) in its entirety; however, adoption of a hardware key is still recommended.
Initially this difference between the two devices bothered me; however, having tested the devices, I now use both regularly. For instance, the OnlyKey is used to store my most regularly visited websites and logins and is with me always (together with my YubiKey). As a result, I do not need to decrypt my device (a separate SSD) where my password manager is stored in order to access these logins. Those who know me best know I sit on the far side of the security and privacy bandwagon, and so yes, accessing my password manager is not convenient, and the OnlyKey provides a means for me to access this data in a more convenient manner.
I often say the price of convenience is insecurity; however, in this instance, it is simply more convenient than the alternative. In order to access the login credentials on the OnlyKey I still must know the password to unlock the device, so if I lose the device, it provides no benefit to anyone else.
The use of the OnlyKey certainly has commercial application, as it can be deployed to staff members with their secure login details, mitigating the potential for human error (which is the most common cause of breaches) and protecting your data. It is possible for this device to allow staff access to certain company resources and logins without them ever knowing the password or login details, as the device is updated using the locally stored application on the administrator's device. This is a wonderful real-world application from a security perspective.
Upon unlocking the device, the OnlyKey effectively acts as a USB keyboard: with one push of the relevant button on the device it will, for example, navigate to the programmed URL and then enter the login credentials automatically. As a result, even for my most commonly visited sites, I do not have to remember a single password.
OnlyKey or Yubikey or…
I have been an advocate for securing as many accounts as possible through multi-factor authentication for as long as I can remember, and I no longer suggest using an OnlyKey or a YubiKey, but rather using a YubiKey and an OnlyKey!
The character limits restrict this device from being used for unintended purposes.
Part of my normal testing process is to see if these devices can be compromised and used for evil. As this device acts as a keyboard, it is easy to think it could be used to run a simple series of scripts on the target device; however, the power of such a script would be diminished by fields restricted in character length. The reality of this device being used for anything other than its intended purpose is quite low. That being said, never allow a third-party OnlyKey device to be used on your computer. This should form part of your overall device hygiene: never allow third-party USB devices access to the physical ports on your hardware.
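The device-hygiene point above can be turned into an enforceable policy: a hardware key enumerates as a USB keyboard, so only keyboards you have pinned by vendor, product and serial should be accepted, and a third-party unit of the same model is blocked. The following is an added example of such an allowlist check, not code from OnlyKey, YubiKey or any USB policy tool; the vendor IDs, product IDs and serials are constructed placeholders, and the rule shape is a simplified model of what a tool like USBGuard enforces on a real host.

```python
"""Minimal USB HID allowlist policy (constructed example, placeholder IDs)."""
from dataclasses import dataclass, field

HID_CLASS = 0x03          # USB interface class for Human Interface Devices
KEYBOARD_PROTOCOL = 0x01  # boot-interface protocol value used by keyboards


@dataclass(frozen=True)
class UsbDevice:
    vendor_id: int
    product_id: int
    serial: str
    # (interface class, interface protocol) pairs the device exposes
    interfaces: tuple = field(default_factory=tuple)


def types_keystrokes(dev: UsbDevice) -> bool:
    """True if any interface is a HID keyboard, i.e. the device can inject keystrokes."""
    return any(cls == HID_CLASS and proto == KEYBOARD_PROTOCOL
               for cls, proto in dev.interfaces)


def decide(dev: UsbDevice, allowlist: set) -> str:
    """Allow a keystroke-capable device only if its (vendor, product, serial) is pinned.

    Devices that cannot type (e.g. mass storage) are left to other policy and
    pass through here. Returns 'allow' or 'block'.
    """
    if not types_keystrokes(dev):
        return "allow"
    key = (dev.vendor_id, dev.product_id, dev.serial)
    return "allow" if key in allowlist else "block"


# Constructed allowlist: the owner's own hardware key and built-in keyboard (placeholder IDs).
ALLOWED = {
    (0xAAAA, 0x0001, "OWN-HWKEY-SERIAL"),
    (0xBBBB, 0x0002, "BUILTIN-KBD"),
}

OWN_KEY = UsbDevice(0xAAAA, 0x0001, "OWN-HWKEY-SERIAL", ((HID_CLASS, KEYBOARD_PROTOCOL),))
# Same model as the owner's key but a different unit: the third-party key someone hands you.
STRANGER_KEY = UsbDevice(0xAAAA, 0x0001, "UNKNOWN-SERIAL", ((HID_CLASS, KEYBOARD_PROTOCOL),))
USB_STICK = UsbDevice(0xCCCC, 0x0003, "STICK", ((0x08, 0x50),))  # mass storage, no HID

if __name__ == "__main__":
    for d in (OWN_KEY, STRANGER_KEY, USB_STICK):
        print(f"{d.serial}: {decide(d, ALLOWED)}")
```

Pinning on serial is what separates your own key from an identical-looking one; a policy keyed on vendor and product alone would admit both.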
If you want to learn more about these devices, simply click on OnlyKey or YubiKey and you'll head to their sites, which provide some useful documentation. The cost of an OnlyKey is approximately $70, and a YubiKey $50, so for as little as $120 per team member you can ensure they have increased their security. The return on this investment, from a cybersecurity perspective, is incredibly high, as this setup provides increased security and reduces the scope for device and password compromises. This protects your data and your clients, and represents a much lower outlay than the cost of a cyberattack. Please consider deploying these devices, or something similar, in your organization.
If you want to learn more about either of these devices, please do just reach out and we’ll happily arrange a digital consultation.
Thanks for reading, and stay safe online!