Finally, a simple solution to the password and two-factor authentication problem.
By supporting multiple methods of 2FA, OnlyKey is the most universally supported token available on the market today! Chances are that if the website supports two-factor authentication, OnlyKey is compatible. For more info visit https://crp.to/p
616 backers pledged $31,291 to help bring this project to life.

About


OnlyKey - The Two-factor Authentication & Password Solution


If you missed out on your opportunity to back our Kickstarter campaign, you can still pre-order from our website. Just click the link below to go there now:

Pre-order Now!

OnlyKey is a device taking aim at the password problem. OnlyKey removes the hassle of remembering passwords and serves as a universal two-factor authentication platform that can replace multiple hardware tokens and apps. 

The p@$$w0rd problem

We all need passwords. As many security professionals have pointed out, however, passwords alone are not sufficient to protect our private documents and photos -- or anything else for that matter. We need something less prone to being stolen or compromised.

The solution has long been to use two-factor authentication. With two-factor authentication, even if your password is compromised, something else is still required to log in, such as a passcode that changes every 30 seconds.

But then the problem is how to manage two-factor tokens easily and transparently. No one wants to carry a keychain with multiple tokens and a phone with multiple apps just to log in. This is where OnlyKey comes in. OnlyKey removes the hassle of forgetting your passwords and serves as a universal two-factor authentication platform that can replace your multiple hardware tokens and apps.

How does the OnlyKey work?

The face of the OnlyKey has 6 capacitive touch buttons. 

OnlyKey 6 Button Interface

These buttons serve two purposes. First, a PIN must be entered to enable the device for use, so if OnlyKey is ever lost or stolen it will be unusable without knowing the PIN. Second, the 6 buttons support multiple authentication methods, such as the one-time passwords used by YubiKey and Google Authenticator, and the new Universal 2nd Factor (U2F) method. OnlyKey can be configured to your desired preference. (Watch the OnlyKey project video to see how OnlyKey can be used to log into your accounts.)

What websites support OnlyKey?

OnlyKey supports two-factor authentication tokens for Gmail, Dropbox, Amazon, LastPass, and Salesforce, just to name a few. Since OnlyKey supports multiple methods of two-factor authentication, it supports practically all websites that support two-factor authentication.

The complete list of sites can be seen here

Why do we need your help?

We have spent much time and effort to design and build the working OnlyKey. Unlike many Kickstarter campaigns, we already have the functional product. Now we need your help to turn it into a great product, complete our first production run, and to develop a configuration interface that provides a top-notch user experience.

How secure is it?

Unlike other tokens and key fobs, OnlyKey supports PIN protection. If OnlyKey is ever lost or stolen, it will be unusable without knowing the PIN. All of the keys and passwords are encrypted with military grade AES-128 encryption. If an incorrect PIN is entered, OnlyKey blinks three times. If an attacker attempts to guess the PIN, after 10 failed attempts the device will perform a factory default, wiping all sensitive data. OnlyKey is even protected from more advanced physical hacking attacks by using hardware security features (for more information see video).

Self Destruct and Plausible Deniability Features

OnlyKey is the world’s first token to implement self-destruct and plausible deniability features. A self-destruct PIN or a plausible deniability PIN can be set when you first activate your OnlyKey. If you are ever forced to give up your PIN, the self-destruct PIN can be provided instead, causing the OnlyKey to wipe its sensitive data.

Self Destruct Feature

Similarly, if you are forced to give up your PIN, the plausible deniability PIN can be provided instead, which will activate the OnlyKey using a second profile that contains passwords set up to look real -- which may even work to log into websites -- but are really just dummy accounts.

Plausible Deniability Feature

These features make it possible for journalists or anyone living in restrictive countries that ban encryption to use the OnlyKey. Since the mentioned second profile only functions as a regular password manager, it would be plausible that their OnlyKey did not utilize encryption.
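
The PIN rules described under "How secure is it?" and in this section, as an added example that is not OnlyKey's firmware: a small C model of the wipe after 10 failed attempts, the self-destruct PIN and the plausible deniability PIN. The struct, the function names, the sample secret and the 10-digit PIN limit are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>
#define MAX_FAILED 10  /* page: factory default after 10 failed attempts */
#define PIN_MAX    10  /* assumed maximum PIN length for this model */
enum pin_result { PIN_WRONG, PIN_PRIMARY, PIN_DECOY, PIN_WIPED };

/* Hypothetical non-volatile state; PINs kept in the clear for brevity. */
struct token {
    char pin[PIN_MAX + 1], decoy_pin[PIN_MAX + 1], destruct_pin[PIN_MAX + 1];
    uint8_t failed;       /* must survive power cycles or the limit is moot */
    uint8_t secrets[32];  /* stands in for the encrypted key slots */
    int wiped;
};

void token_init(struct token *t, const char *pin, const char *decoy,
                const char *destruct) {
    memset(t, 0, sizeof *t);
    strncpy(t->pin, pin, PIN_MAX);
    strncpy(t->decoy_pin, decoy, PIN_MAX);
    strncpy(t->destruct_pin, destruct, PIN_MAX);
    memset(t->secrets, 0xA5, sizeof t->secrets);  /* constructed sample secret */
}

static void factory_wipe(struct token *t) { memset(t, 0, sizeof *t); t->wiped = 1; }

/* Compare fixed-size, zero-padded buffers with no early exit, so timing does
 * not reveal how many leading digits matched. An unset PIN never matches. */
static int pin_equal(const char *entered, const char *stored) {
    unsigned char diff = 0;
    for (size_t i = 0; i <= PIN_MAX; i++)
        diff |= (unsigned char)(entered[i] ^ stored[i]);
    return diff == 0 && stored[0] != '\0';
}

enum pin_result try_pin(struct token *t, const char *entered) {
    char buf[PIN_MAX + 1] = {0};
    if (t->wiped) return PIN_WIPED;
    if (strlen(entered) <= PIN_MAX) strncpy(buf, entered, PIN_MAX);
    t->failed++;  /* count first, so cutting power mid-check cannot skip it */
    int primary = pin_equal(buf, t->pin), decoy = pin_equal(buf, t->decoy_pin);
    int destruct = pin_equal(buf, t->destruct_pin);
    if (destruct || (!primary && !decoy && t->failed >= MAX_FAILED)) {
        factory_wipe(t);
        return PIN_WIPED;
    }
    if (!primary && !decoy) return PIN_WRONG;
    t->failed = 0;
    return primary ? PIN_PRIMARY : PIN_DECOY;
}
```

Empty and over-long entries are counted as failed attempts, and the decoy PIN resets the counter exactly as the real PIN does, so the two profiles behave the same from the outside.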

What devices support OnlyKey?

OnlyKey emulates a USB keyboard device, so there is no need for special software/drivers to use it. For that reason, it supports the following environments:

  • Windows 7 and later
  • Mac OS X 
  • Linux 
  • Android 4.0 or later

Not Currently Supported 

  • iOS - A special adapter is required that currently only works with older Apple devices, such as the iPad 3 and iPhone 5. We are looking into the Apple MFI program and other options, but right now iOS is not officially supported. This is OnlyKey, so if you are a developer and know of an innovative way to do this, let us know.

Now some information for our technical folks

OnlyKey is a USB-based microcontroller that can be used for a variety of cryptographic purposes. In software it is very similar to YubiKey, and it uses some of YubiKey's open source code. In hardware, the OnlyKey uses a powerful ARM 32-bit Cortex-M4 processor (Teensy 3.2), which allows near unlimited options in terms of development. The form factor of the OnlyKey is a 0.71 in x 1.8 in USB dongle. Currently, less than half of the program storage space and dynamic memory are being utilized, so OnlyKey has really just scratched the surface of its potential. As an open source project, OnlyKey uses libraries integrated from other open source projects, including the following.

Thanks to:

Since we have only scratched the surface of the OnlyKey’s potential, we are open to ideas, volunteers to help with development, and partnering to make OnlyKey the best two-factor authentication platform the world has ever seen.

The short-term goals for this Kickstarter development effort are to:

  • put OnlyKey into production; 
  • complete testing and evaluation; and 
  • build client-side software for Windows, OS X, and Linux with which to configure the OnlyKey. 

The long-term vision for OnlyKey is to:

  • support OpenPGP; 
  • integrate bitcoin wallet functionality; and
  • provide a framework to build future crypto features.

One of the great things about OnlyKey is that it can adapt to technology changes quickly. For example, the NIST P256 Curve -- used by many elliptic-curve cryptography systems -- is considered by experts in the field to be insecure. If a news article came out tomorrow proving that P256 is broken and the U2F specification must be updated to support the superior Curve25519, it would be just a minor update to the OnlyKey. However, for hardware implementations of P256, this would be a huge issue, as the actual hardware would have to be replaced. In fact there are already implementations of Curve25519 that can be easily added to OnlyKey.

Our Team

OnlyKey Team

Risks and challenges

HARDWARE SECURITY TESTING: While the architecture of the OnlyKey is designed so that even if an adversary obtains physical access to the device it will be unusable, there are always advanced attack methods available to highly funded adversaries. The OnlyKey relies on a hardware security feature of Freescale Kinetis, so one need we have is to evaluate whether any hardware exploits can compromise this feature even though the Flash Security (FSEC) registers are set to the most restrictive settings. Obviously, there is no such thing as tamper proof. (Even a FIPS 140-2 Level 4 tamper-respondent enclosure can be defeated with enough time and resources.) Still, our goal is to provide a level of physical security that would deter and prevent all but the most extraordinary means of hardware hacking. Our plan is to reach out to the Hardsploit and ChipWhisperer projects to see if they would be willing to evaluate and provide input on the design in use.

SOFTWARE SECURITY TESTING: This is an open source project, so the software will be made publicly available on GitHub prior to shipping production units. As with all open source software, it is available for public review and criticism. We consider this to be a positive factor, since peer review is a good thing that results in more secure code. One of the challenges we have is to produce secure code in a short amount of time. Since the threat of software vulnerabilities is essentially impossible to completely eliminate, one direct security requirement we have for the development of the OnlyKey is that sensitive information is write only. This means that all keys and certificates can be written or overwritten to the OnlyKey's encrypted storage, but never read out. Additionally, usernames and passwords that are typed out by the OnlyKey can only be initiated from the open key (physical presence) after a correct passcode has been entered. Our plan for software testing is to develop a test plan that includes test cases for security testing publicly so that we can receive feedback in terms of possible threat models.

INTERNATIONAL SHIPPING: While the OnlyKey utilizes open source, publicly available libraries, we are not experts in export and import requirements. In order to make sure there are no conflicts for international shipments, the OnlyKey will be shipped without the firmware loaded. This means that there will be one extra step for international customers to complete in order to use the OnlyKey. The extra step takes less than 5 minutes and is illustrated in the following video: https://youtu.be/qJUjz0gFhqg. This does not apply to US customers, as firmware will be pre-loaded.


Support

  1. Pledge US$ 5 or more

    THANK YOU: We will send you a thank you email for your support. You'll also have access to regular OpenKey updates.

    9 backers
  2. Pledge $32 or more (reward no longer available)

    EARLY BIRD SPECIAL: One OpenKey with key ring and quick start guide

    ~15% off retail price

    Ships to anywhere in the world
    50 backers
  3. Pledge $34 or more (reward no longer available)

    LIMITED QUANTITY SPECIAL: OpenKey with key ring and quick start guide

    ~10% off retail price

    Ships to anywhere in the world
    100 backers
  4. Pledge $38 or more

    One OpenKey with key ring and quick start guide

    Ships to anywhere in the world
    338 backers
  5. Pledge $72 or more

    Two OpenKeys with key rings and quick start guides

    ~5% off retail price

    Ships to anywhere in the world
    81 backers
  6. Pledge $125 or more

    DEVELOPER KIT: Two OpenKeys with key rings, quick start guides, and a pre-configured development environment.

    Ships to anywhere in the world
    15 backers
  7. Pledge $141 or more

    Four OpenKeys with key rings and quick start guides

    ~7% off retail price

    Ships to anywhere in the world
    7 backers
  8. Pledge $342 or more

    Ten OpenKeys with key rings and quick start guides

    ~10% off retail price

    Ships to anywhere in the world
    6 backers
  9. Pledge US$ 2,000 or more

    SPONSOR: As a sponsor you will have the opportunity to meet with the OpenKey team in North Carolina and receive your name or company name on the OpenKey web site as an official sponsor. You will receive a custom OpenKey configured to your preferences and personalized training. Dinner included, travel expenses not included.

    0 backers

Funding period

- (30 days)