About this project
If you missed out on your opportunity to back our Kickstarter campaign, you can still pre-order from our website.
OnlyKey is a device taking aim at the password problem. OnlyKey removes the hassle of remembering passwords and serves as a universal two-factor authentication platform that can replace multiple hardware tokens and apps.
The p@$$w0rd problem
We all need passwords. As many security professionals have pointed out, however, passwords alone are not sufficient to protect our private documents and photos -- or anything else for that matter. We need something less prone to being stolen or compromised.
The solution has long been two-factor authentication: even if your password is compromised, something else, such as a passcode that changes every 30 seconds, still has to be entered in order to log in.
But then the problem is how to manage two-factor tokens easily and transparently. No one wants to carry a keychain with multiple tokens and a phone with multiple apps just to log in. This is where OnlyKey comes in. OnlyKey removes the hassle of forgetting your passwords and serves as a universal two-factor authentication platform that can replace your multiple hardware tokens and apps.
How does the OnlyKey work?
The face of the OnlyKey has 6 capacitive touch buttons.
These buttons serve two purposes. First, in order to enable the device for use, a PIN must be entered. This way if OnlyKey is ever lost or stolen it will be unusable without knowing the PIN. Secondly, the 6 buttons support multiple authentication methods, such as One Time Passwords used by Yubikey, Google Authenticator, and the new Universal 2-Factor method (U2F). OnlyKey can be configured to your desired preference. (Watch the OnlyKey project video to see how OnlyKey can be used to log into your accounts.)
What websites support OnlyKey?
OnlyKey supports two factor authentication tokens for Gmail, Dropbox, Amazon, LastPass, and Salesforce, just to name a few. Since OnlyKey supports multiple methods of two factor authentication, it supports practically all websites that support two factor authentication.
The complete list of sites can be seen here
Why do we need your help?
We have spent much time and effort to design and build the working OnlyKey. Unlike many Kickstarter campaigns, we already have the functional product. Now we need your help to turn it into a great product, complete our first production run, and to develop a configuration interface that provides a top-notch user experience.
How secure is it?
Unlike other tokens and key fobs, OnlyKey supports PIN protection. If OnlyKey is ever lost or stolen, it will be unusable without knowing the PIN. All of the keys and passwords are encrypted with military grade AES-128 encryption. If an incorrect PIN is entered, OnlyKey blinks three times. If an attacker attempts to guess the PIN, after 10 failed attempts the device will perform a factory default, wiping all sensitive data. OnlyKey is even protected from more advanced physical hacking attacks by using hardware security features (for more information see video).
Self Destruct and Plausible Deniability Features
OnlyKey is the world’s first token to implement self-destruct and plausible deniability features. A self-destruct PIN or a plausible deniability PIN can be set when you first activate your OnlyKey. If you are ever forced to give up your PIN, the self-destruct PIN can be provided instead, causing the OnlyKey to wipe its sensitive data.
Similarly, if you are forced to give up your PIN, the plausible deniability PIN can be provided instead, which will activate the OnlyKey using a second profile that contains passwords set up to look real -- which may even work to log into websites -- but are really just dummy accounts.
These features make it possible for journalists or anyone living in restrictive countries that ban encryption to use the OnlyKey. Since the second profile only functions as a regular password manager, it is plausible that their OnlyKey never used encryption at all.
What devices support OnlyKey?
OnlyKey emulates a USB keyboard device, so there is no need for special software/drivers to use it. For that reason, it supports the following environments:
- Windows 7 and later
- Mac OS X
- Android 4.0 or later
Not Currently Supported
- iOS - A special adapter is required that currently only works with older Apple devices, such as the iPad 3 and iPhone 5. We are looking into the Apple MFI program and other options, but right now iOS is not officially supported. This is OnlyKey, so if you are a developer and know of an innovative way to do this, let us know.
Now some information for our technical folks
OnlyKey is a USB-based microcontroller that can be used for a variety of cryptographic purposes. Essentially, in software it is very similar to Yubikey, actually using some of Yubikey's open source code. In hardware, the OnlyKey uses a powerful ARM 32-bit Cortex-M4 processor (Teensy 3.2) which allows near unlimited options in terms of development. The form factor of the OnlyKey is a 0.71 in x 1.8 in USB dongle. Currently, less than half of the program storage space and dynamic memory are being utilized, so OnlyKey has really just scratched the surface of its potential. As an open source project, OnlyKey uses libraries integrated from other open source projects, including the following.
- PJRC - https://www.pjrc.com/teensy/td_libs.html
- Arduino - http://playground.arduino.cc/Main/LibraryList
- Yubico - https://github.com/Yubico/
- pagong/arduino-yksim - https://github.com/pagong/arduino-yksim
- lucadentella/ArduinoLib_TOTP - https://github.com/lucadentella/ArduinoLib_TOTP
- damico/ARDUINO-OATH-TOKEN - https://github.com/damico/ARDUINO-OATH-TOKEN
- Cathedrow/Cryptosuite - https://github.com/Cathedrow/Cryptosuite
- Frank Boesing - https://github.com/FrankBoesing/Arduino-Teensy3-Flash
- Yohanes - https://github.com/yohanes/teensy-u2f (Note: the key handle generation in use differs from this implementation; see the FAQ.)
- Ken MacKay - https://github.com/kmackay/micro-ecc
In regards to just scratching the surface of the OnlyKey’s potential we are open to ideas, volunteers to help with development, and partnering to make OnlyKey be the best two factor authentication platform the world has ever seen.
The short-term goals for this Kickstarter development effort are to:
- put OnlyKey into production;
- complete testing and evaluation; and
- build client-side software for Windows, OS X, and Linux with which to configure the OnlyKey.
The long-term vision for OnlyKey is to:
- support OpenPGP;
- integrate bitcoin wallet functionality; and
- provide a framework to build future crypto features.
One of the great things about OnlyKey is that it can adapt to technology changes quickly. For example, the NIST P256 Curve -- used by many elliptic-curve cryptography systems -- is considered by experts in the field to be insecure. If a news article came out tomorrow proving that P256 is broken and the U2F specification must be updated to support the superior Curve25519, it would be just a minor update to the OnlyKey. However, for hardware implementations of P256, this would be a huge issue, as the actual hardware would have to be replaced. In fact there are already implementations of Curve25519 that can be easily added to OnlyKey.
Risks and challenges
HARDWARE SECURITY TESTING: While the architecture of the OnlyKey is designed so that even if an adversary obtains physical access to the device it will be unusable, there are always advanced attack methods available to highly funded adversaries. Since the OnlyKey utilizes a hardware security feature of the Freescale Kinetis, one need we have is to evaluate whether any hardware exploits exist that could compromise this feature even though the Flash Security (FSEC) registers are set to the most restrictive settings. Obviously, there is no such thing as tamper proof. (Even a FIPS 140-2 Level 4 tamper-responsive enclosure can be defeated with enough time and resources.) Still, our goal is to provide a level of physical security that would deter and prevent all but the most extraordinary means of hardware hacking. Our plan is to reach out to the Hardsploit and ChipWhisperer projects to see if they would be willing to evaluate and provide input on the design in use.
SOFTWARE SECURITY TESTING: This is an open source project, so the software will be made publicly available on GitHub prior to shipping production units. As with all open source software, it is available for public review and criticism. We consider this to be a positive factor since peer review is a good thing that results in more secure code. One of the challenges we have is to produce secure code in a short amount of time. Since the threat of software vulnerabilities is essentially impossible to completely eliminate, one direct security requirement we have for the development of the OnlyKey is that sensitive information is write-only. This means that all keys and certificates can be written or overwritten to the OnlyKey's encrypted storage, but never read out. Additionally, usernames and passwords that are typed out by the OnlyKey can only be initiated from the OnlyKey itself (physical presence) after a correct passcode has been entered. Our plan for software testing is to develop a test plan, including test cases for security testing, publicly so that we can receive feedback in terms of possible threat models.
INTERNATIONAL SHIPPING: While the OnlyKey utilizes open source, publicly available libraries, we are not experts in export and import requirements. In order to make sure there are no conflicts for international shipments, the OnlyKey will be shipped without the firmware loaded. This means that there will be one extra step for international customers to complete in order to use the OnlyKey. The extra step takes less than 5 minutes and is illustrated in the following video: https://youtu.be/qJUjz0gFhqg. This does not apply to US customers, as firmware will be pre-loaded.