Frequently Asked Questions
Who is responsible for the crypto stuff and what is his background (e.g. which articles he published).
We understand that "the crypto stuff" is a very specialized field. That is why instead of reinventing the wheel and trying to design our own crypto implementation, we are using open source implementations that are already in use. For example, the AES library currently used is the one created by Yubico, https://github.com/Yubico/yubico-c. The ECC implementation is a popular implementation created by Ken MacKay, https://github.com/kmackay/micro-ecc. We are also open to recommendations for other open source crypto implementations. Keep in mind that whatever implementation is used will be documented and publicly available for expert review.Last updated:
Our top priorities to this point has been security, functionality, durability, cost and making sure people get their OnlyKey on time. A hardware redesign is possible and if we get an abundance of pledges we will definitely evaluate the pros/cons of going that route. But for now the reason we are able to do such a low cost point is we are using already available hardware (Teensy 3.2) with modifications.Last updated:
This library is a perfect example of how a proof of concept implementation of U2F functions but also a perfect example of how proof of concept implementations are not ready for operational use without a thorough code review. We are using the proof of concept implementation that is provided in this library but not the key handle generation due to a flaw ( using XOR). This will also be one of the first pieces of this project that we complete so that there will be ample time for code review to be conducted. Our approach for key handle generation will model that of Yubikey key wrapping as their implementation is the most mature that we have seen https://www.yubico.com/2014/11/yubicos-u2f-key-wrapping/
This would be achieved using the Cathedrow HMAC-SHA256 implementation.Last updated:
There are several good PRNG options. Here is a thread that discusses this topic - https://forum.pjrc.com/threads/25369-Best-Teensy-3-1-Random-Number-Generator
And here are some good options
Additionally, to make sure that numbers are completely random, OnlyKey will add a user provided random input. If you have ever used TrueCrypt you will remember that before key generation you had to move the mouse around which generated entropy. The more you moved the mouse the more entropy was added to the key generation. This results in a cryptographically secure random number that can not be predicted or reproduced. OnlyKey has capacitive touch buttons so during random number generation the user will move their finger or thumb around in a random pattern on the keypad, the capacitive touch readings of the user's skin will be used as a completely random input to the PRNG.Last updated:
It is true that some may prefer to use push notification to a mobile device for 2FA but keep in mind that this method has some limitations that OnlyKey does not have.
1) If your mobile device is compromised (hacked) it is game over for your 2FA.
2) If you are in an area that does not allow mobile devices or has no cellular/data connection you will be unable to login to your account.
3) The 2FA is outside of your control (i.e. DUO is a 3rd party you are only as secure as they are or are not able to protect your account), (SMS is sent over the cellular network, there are several attacks such as device cloning, GSM cracking, or Govt surveillance that can intercept your OTP).Last updated:
It is true that some may prefer to use Yubikey, and that is great it is a good product. We are using some of their open source code and we like Yubikey, but keep in mind that it has some limitations that OnlyKey does not have.
1) Yubikey generates the custom certificate and master secret key that is used during the manufacturing process and this can not be changed by the user - http://forum.yubico.com/viewtopic.php?f=33&t=1666
2) Yubikey supports 2 configurable slots. So for example you can have one configured with a static password and one configured for OTP. OnlyKey has 12 configurable slots, each slot stores a username, password, and 2FA (U2F, Google Auth, OTP). So not only more slots but each slot holds everything you need in order to log in so it is a one touch operation.
3) Yubikey requires an external application - Yubico Authenticator, in order to support TOTP (Google Authenticator). OnlyKey supports TOTP without an external application, all OnlyKey requires is a Chrome extension (to send the current time to the OnlyKey, required for time-based OTP). This means that you can use OnlyKey to authenticate even if you are not able to install software on the system you are using to log in. If the system you are using has Chrome (which is the world's most popular browser), you can add the Chrome extension and go.Last updated:
1) We are using already made hardware, the Teensy 3.2 there is an abundance of information out there about the hardware. Here is the schematic https://www.pjrc.com/teensy/schematic.html
2) Since the OnlyKey does not utilize hardware crypto (like smartcards) this is not a traditional "secure element" design. The OnlyKey does crypto in firmware so unlike secure element hardware implementations that are many times unverifiable you can verify how our crypto is done yourself. The data protection of the OnlyKey is provided by the Freescale Kinetis Security Lock Bytes - http://cache.nxp.com/files/microcontrollers/doc/app_note/AN4507.pdf
3) We have the security lock bytes set to the most restrictive setting. This means that the chip is basically a brick, no reading from or writing to, it just doesn't respond to anything until the lock bytes are unlocked. When you perform a factory default the sensitive data is overwritten with random data and then as the last step it unlocks the lock bytes so you can read and write, but at this point all data has been sanitized.Last updated:
There are 12 configurable slots. 1-6 are activated by pressing the button for one to two seconds, 7-12 are activated by pressing the button for more than two seconds. Each slot can contain the following values:
- Label (i.e. Bob's Lastpass)
- Username (i.e. bob1234)
- TAB/ENTER (You enter this to go from the username field to the password field)
- Delay (i.e. 3 - your internet is slow and it takes 3 seconds to load the next page asking for your password)
- Password (i.e. e=~5v*h@`D#RrdYgtC(!) * Since you don't have to remember it you can use a more complex and completely random password
- TAB/ENTER (You enter this to go from the password field to the OTP field)
- Delay (i.e. 3 - your internet is slow and it takes 3 seconds to load the next page asking for your OTP)
- OTPtype - (i.e. Google Authenticator (TOTP), Yubikey, or U2F)
- OTPkey - (i.e. Google Auth 10-20 character key, Yubikey (private, public, secret))
How do you configure these values on the OnlyKey? This will be using a chrome extension that will have configuration fields that look similar to this - https://drive.google.com/file/d/0B7SBNa10_4RhSi1Oc0kzNlNxNUE/view?usp=sharing
So yes, this could be used to replace your Lastpass (12 of your stored accounts) although you may want to use this in addition to your Lastpass. You could store up to 11 of your more important accounts on Onlykey and then store your Lastpass account as well.Last updated:
Don't see the answer to your question? Ask the project creator directly.Ask a question