OnlyKey: Hardware Password Manager | NSC #62


The OnlyKey is a really easy-to-use hardware password manager. It allows you to store 12 unique user accounts on the device. Each account requires a unique physical interaction on the device to activate. Couple this with a software password manager and you can use it for thousands of unique accounts. The OnlyKey is very durable and waterproof, and it allows on-the-fly backups. You don’t have to worry about damaging or losing the device that holds your life.

Enjoy 5% off your OnlyKey purchase using our referral link: https://onlykey.io/tpidg

OnlyKey plugged into a computer

What Does It Do?

The OnlyKey can hold 24 unique accounts including username, password and two-factor authentication. It is protected by a 7 to 10-digit PIN and uses strong symmetric encryption. It is compatible with everything because the computer sees it only as a keyboard for user account logins. OnlyKey is OpenPGP compatible, so signing, encrypting, decrypting and verifying messages is possible with the OnlyKey using both RSA and ECC asymmetric encryption ciphers. Basically, it is a hardware password manager.

OnlyKey Account Slots

The OnlyKey has 24 configurable slots that can each hold everything you need to log in to at least one account. 12 of these slots are under your primary PIN and the rest are under your traveler PIN. The traveler accounts are for plausible deniability, so having something in there to show is a good idea, but this section is not encrypted. Because of this, we only recommend using the primary PIN for your actual accounts and using your traveler’s PIN for a cover story or for accounts that wouldn’t ruin your life if they were compromised. Each slot can hold a label to identify the slot, the account username, the account password, the URL of the site for the account, and a few options for two-factor authentication (2FA) including TOTP, YubiKey OTP, and U2F.

Site by Site Setup

Because the OnlyKey works just like a keyboard, each site you set up has to be tested afterwards. You may need to add delays, enters and tabs as necessary. For instance, Facebook will work as shown in the picture below, but Google requires a delay between the username and password. This is because Google has the login separated into multiple screens. While the OnlyKey supports 2FA TOTP (Time-based One-Time Passwords), it only works while the OnlyKey app is open on your computer. The current version of OnlyKey does not have an onboard clock, so it relies on the app for the time. This makes it pretty difficult to use on a computer other than your own. It works flawlessly on a computer with the app.
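Why the missing clock matters, as an added example (this is not OnlyKey firmware or app code): TOTP per RFC 6238 is HMAC-SHA1 over the current 30-second time step, so a token that is never told the time cannot produce a code the server will accept. The secret is the RFC 6238 test key, and `token_without_clock` is a hypothetical model of a clockless device.

```python
import hashlib
import hmac
import struct

# Constructed sample secret: the ASCII SHA-1 test key from RFC 6238 Appendix B.
SECRET = b"12345678901234567890"
STEP = 30  # seconds per time step (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP where the counter is floor(unix_time / STEP)."""
    return hotp(secret, unix_time // STEP, digits)


def server_accepts(secret: bytes, code: str, server_time: int, window: int = 1) -> bool:
    """Verifier side: accept codes within +/- `window` steps of the server clock."""
    counter = server_time // STEP
    return any(
        hmac.compare_digest(code, hotp(secret, counter + drift))
        for drift in range(-window, window + 1)
    )


def token_without_clock(secret: bytes, time_from_host):
    """Hypothetical clockless token: it can only answer if the host supplies the time."""
    if time_from_host is None:
        return None  # no companion app running, so no time and no code
    return totp(secret, time_from_host)


if __name__ == "__main__":
    now = 1111111109  # fixed timestamp taken from the RFC 6238 test vectors
    print("no app running :", token_without_clock(SECRET, None))
    good = token_without_clock(SECRET, now)
    print("app gives time :", good, server_accepts(SECRET, good, now))
    stale = token_without_clock(SECRET, 59)  # host clock badly wrong
    print("wrong host time:", stale, server_accepts(SECRET, stale, now, window=0))
```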

To access any of these accounts, you press the corresponding button to the slot. For slot 1a for instance, you simply tap the 1 on the device, and for slot 1b you hold the 1 for a few seconds and release. The only way to access any data is through a physical touch of the device. Because of this, you can’t even edit an existing slot, you have to wipe it and start over. This is to prevent anything on the computer it’s plugged into from exploiting it and gaining access to all of your login data.

YubiKey vs OnlyKey

If you use your YubiKey the way we do, with static passwords mixed with memorable passwords, then the OnlyKey is the dongle for you. Instead of the two slots available on the YubiKey, the OnlyKey comes with a possible 24 slots for usernames, passwords, URLs, etc. While it can’t completely replace the YubiKey, it is a great alternative depending on your use case. Unlike the YubiKey, the OnlyKey is completely open source. Back in 2016 (https://www.yubico.com/2016/05/secure-hardware-vs-open-source/), Yubico decided to make the YubiKey 4 closed source because of security reasons. Yubico takes a stance very similar to the one Squealock (who we reviewed last issue) takes when it comes to security through obscurity.

Our stance has been and always will be that open source is superior to closed source. There are many arguments against this, but we believe that open source is the way to go. So, when we find open source alternatives, we tend to use them over their closed source counterparts. With the OnlyKey being open source, it also means you can compile and flash the firmware yourself and not have to trust the company making the device. Unlike the YubiKey, you can also update the OnlyKey using this method. The only thing at this point that we are waiting on from OnlyKey that YubiKey has is KeePassXC support using HMAC-SHA1. According to an issue filed on GitHub though, work is under way to change KeePassXC’s code base to allow the OnlyKey to act as a second factor.

GitHub issue for KeePassXC OnlyKey support



All the login data on the device in the primary slots is encrypted with AES-256 in GCM mode (so really strong) with the PIN that you choose during the setup process. We verified this by changing the primary PIN and trying to use one of the slots. When we did, we got this garbage:

Changing the PIN back to the original, we were able to use the slots like normal again. This only works because when you change your PIN, it doesn’t actually wipe your data. Your data is still there just in an encrypted format until it is overwritten with new data. In this case, we would have to reconfigure our slots for it to overwrite the old login data. If you want to wipe all of the data in one fell swoop, you have that option. Just enter in the wipe PIN that we mentioned earlier.

Traveler’s Edition

If you live in or are visiting a country that has banned encryption of any kind, you have two choices. You could just completely ignore the law and go about your day. Or you can load your OnlyKey with the Traveler’s edition, which uses no encryption for your login data. This allows you to store your passwords while not violating local law. With the regular edition, you have both the encrypted primary PIN and a secondary traveler’s PIN that uses no encryption for plausible deniability. We did the same PIN change that we tried with the primary PIN with the traveler’s PIN and the accounts were all intact. This confirms that no encryption is being used on the traveler’s section of the device.

Durability and Waterproofness


While we are not recommending you try this at home, we have successfully tested their claim that the OnlyKey is waterproof by dropping it in a sink full of water, drying it off and plugging it in. We have also tested its durability by sitting on it, bending it, dropping it, stepping on it, etc. While you could definitely break it if you wanted to, it’s not going to break by accident or very easily. You don’t need to worry about accidentally washing it or dropping it and someone stepping on it.

To see just how durable the OnlyKey is, check out our article on it: https://www.tpidg.us/nsc-70-onlykey-durability-tests/

What If I Lose My OnlyKey?

If you do end up losing your OnlyKey, fear not. First and foremost, it’s encrypted, so guessing your strong 7 to 10-digit PIN would take someone from 279,936 to 60,466,176 attempts (6^7 to 6^10, since each digit is one of the device’s six buttons). That is as long as it’s not something obvious like your birthday. Even then, it’s just as likely that someone guesses your self-destruct PIN or traveler’s PIN before they figure out your primary PIN.

As far as losing all of your data, we recommend you take advantage of OnlyKey’s on-the-fly backup. After setting up a private key in the “Keys” tab, all you have to do is hold down the “1” button for 5+ seconds. Be patient and allow it to type out your backup. Save that file somewhere where it will not get lost. To restore your backup to any OnlyKey, add the same private key in the “Keys” tab. Then upload the backup file to your OnlyKey in the “Backup/Restore” tab. The only thing you lost at this point is the cost of the OnlyKey, which costs much less than the time it would take to recover all of your accounts.


This little guy is awesome! This cheap USB dongle has more features than we can even cover in one digital update. The ability to have a physical device with all the account logins you need is brilliant. If you have more than 12 accounts to manage, like we do, that’s perfectly fine. You can utilize one or two of the slots of the OnlyKey to log into your KeePassXC password database.

The password limit for each slot is 56 characters. Using two would give you a 112-character password, which is more than enough to keep it secure. You could also add your own memorized password to the mix, essentially making it two-factor authentication. This method works great with full disk authentication. Type your memorized password and add the rest of the password from one of your OnlyKey slots. We definitely recommend this device to anyone who values security or just wants an easy-to-use password manager to keep on their person.

Questions, Comments, Concerns?

Have any questions or something to add to the conversation? Leave us a comment below!


2 Responses

  1. […] So what’s the solution to this? A password manager is a perfect first step for both organization of passwords and generation of secure, hard to crack passwords. We’ve talked about password managers a lot in the past, so there’s no need to reiterate. Check out our past articles. Another solution is to invest in something like the OnlyKey, a hardware password manager, more details on that here. […]

  2. Interesting concept, but I am concerned that it goes a bit against the spirit of 2FA as all the factors are recorded in the one device.
