Security keys are the heart of security and we desperately need open-source solutions on this. Kudos for doing it.<p>Now, I must point out a few things:<p>1. Please don't call your solution "Open-source" when you have not even uploaded the schematics to GitHub.<p>2. (this item is an open problem without a solution yet) How do I make sure the source code and the (still missing) hardware information actually correspond to the hardware I'm buying?<p>If we do take item 2 seriously, one may say that buying Yubico is actually "safer" than your open-source solution, mainly due to company reputation and credibility.<p>Again, sorry for the harsh words, but I take my keys seriously.
Thanks for all of the interest in OnlyKey! Full disclosure, I work for CryptoTrust and am on the team that makes OnlyKey. I wanted to try to address the questions/concerns in this thread in one place and provide some useful links for more information. OnlyKey started from a successful Kickstarter launch in 2016 and has grown to become a popular product for businesses and individuals.<p>- OPEN SOURCE - If you are looking for OnlyKey source you will find it here <a href="https://github.com/trustcrypto" rel="nofollow">https://github.com/trustcrypto</a>; all of our apps and firmware are open source. OnlyKey is not open hardware, however the hardware design is very transparent, literally. The device has a clear protective coating on the hardware which, in addition to adding durability, allows visually verifying everything.<p>- ABOUT SECURITY - Security documentation is here <a href="https://docs.crp.to/security.html" rel="nofollow">https://docs.crp.to/security.html</a> and provides information on how the OnlyKey random number generator works, supply chain, side-channel attacks etc. One thing that you will notice about OnlyKey that differentiates it from other security keys is the on-key PIN entry. While no device is immune to hacking, this feature mitigates many traditional threat models. We are always open to discussing specific threat models openly on our support forum.<p>- WHERE TO GO FOR MORE INFO
Get started - <a href="https://onlykey.io/start" rel="nofollow">https://onlykey.io/start</a>
General documentation - <a href="https://docs.crp.to/" rel="nofollow">https://docs.crp.to/</a>
FAQs - <a href="https://docs.crp.to/faq.html" rel="nofollow">https://docs.crp.to/faq.html</a>
Compare to Yubikey - <a href="https://crp.to/p/" rel="nofollow">https://crp.to/p/</a>
Setup and User's Guide - <a href="https://docs.crp.to/usersguide.html" rel="nofollow">https://docs.crp.to/usersguide.html</a>
Features - <a href="https://docs.crp.to/features.html" rel="nofollow">https://docs.crp.to/features.html</a>
Support - <a href="https://forum.onlykey.io/" rel="nofollow">https://forum.onlykey.io/</a>
List of supported services - <a href="https://onlykey.io/pages/works-with-onlykey" rel="nofollow">https://onlykey.io/pages/works-with-onlykey</a>
Setting aside problems with this particular device, the whole "trust the open-source hardware" model is inherently flawed. Every useful piece of security hardware will be commoditized, then faked and/or trojaned. We can't take the open-source software approach and rely on many volunteer eyes catching vulnerabilities and backdoors. First, there just aren't enough skilled professionals capable of proper hardware review. And second, how can you be sure the device in your hand strictly meets its specs? There are no such things as digital signatures and reproducible builds for hardware. Vendor reputation is all we have for now.<p>Can we do something about this?
I really like the concept. I bought 4 of them a while ago (maybe a couple of years?) mostly to support them. I used one OnlyKey as my daily driver; I tried to integrate it with pass (my password manager at that time) without much luck. The software itself was very rough, and the key was not meant to be used in your keychain: clear signs of usage after about a month, the USB port started to "fade", it was hard to use the touch buttons, and it factory reset at some point (out of nowhere). Overall: I'm going to keep an eye on it and try them again in the future, but I feel the product needs one or two more iterations before I can depend on them as my daily security driver. Oh, and the LED lights stopped working after a few weeks.<p>One huge disadvantage (which is the same for YubiKey) is that I use Programmer Dvorak as my keyboard layout: I had to change it every time to English to input the passwords/token.
This seems to predate FIDO2. <a href="https://solokeys.com/" rel="nofollow">https://solokeys.com/</a> would be a better option if you prefer separate keys for each site (via FIDO2) and open source hardware.
The only true open hardware and open source key is the Nitrokey Start, running Gnuk firmware. Other Nitrokeys are open hardware but run a smartcard (HSM or PGP card) and those firmwares are not fully open. YubiKey is closed source and this post's bugger is closed as well. Go for a Nitrokey if you value true openness.
I've owned and used an OnlyKey for around a year and a half now and have had a really positive experience using mine. There is one issue, unfortunately the LED lights do not work when the key is plugged into a USB 3 port. The key itself works, but you do not get any LED feedback which can make unlocking and using it a little difficult. Be sure to keep this in mind if you're thinking about purchasing one.
Are the schematic files and PCB/Gerber files available? I understand that they only claim to be Open-Source and not Open Source Hardware but it would still be nice to see and have the hardware schematics.
In concept I like it, but one of the biggest yubikey advantages is how unobtrusive it is. I realize the tradeoff they're going for: Absolute security in the event that it's stolen... but I think that's actually bad for me since I'd rather have a tiny button to press as a second factor, than absolute security with a big dongle.<p>It'd be great if they just released a direct yubikey style clone.
Trezor T is a vastly superior solution for U2F / WebAuthn and also fully open source. The main advantage is super mature backup (Shamir's secret sharing) and PIN-locking with exponential escape. Being a Bitcoin hardware wallet, its security is very well tested.
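The comment above credits Shamir's secret sharing for the backup story, and the earlier comment about losing a YubiKey locking you out is the failure mode it addresses: a seed can be split so that any k of n shares recover it while fewer reveal nothing. The following is an added, self-contained illustration of the k-of-n scheme over a prime field; it is not Trezor's or OnlyKey's code, and the 32-byte seed, the prime, the share counts and the `rand` hook are constructed here for demonstration.

```python
import secrets

# Field modulus: the Curve25519 prime 2^255 - 19 (assumption: secrets are < PRIME,
# so a 32-byte seed with its top bit clear fits; real wallets use other encodings).
PRIME = 2**255 - 19


def _eval_poly(coeffs, x):
    # Horner evaluation of coeffs[0] + coeffs[1]*x + ... + coeffs[k-1]*x^(k-1) mod PRIME
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, threshold, shares, rand=secrets.randbelow):
    """Split `secret` into `shares` points; any `threshold` of them recover it.

    `rand(PRIME)` supplies the random polynomial coefficients; it is a parameter
    only so the behaviour can be checked deterministically in a test.
    """
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be an integer in [0, PRIME)")
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    # Constant term is the secret; the other threshold-1 coefficients are uniform random.
    coeffs = [secret] + [rand(PRIME) for _ in range(threshold - 1)]
    # Shares are (x, f(x)) for x = 1..shares; x = 0 is never handed out, f(0) is the secret.
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(share_subset):
    """Lagrange-interpolate f(0) from any subset of shares (distinct x values)."""
    xs = [x for x, _ in share_subset]
    if len(set(xs)) != len(xs):
        raise ValueError("shares must have distinct x coordinates")
    total = 0
    for i, (xi, yi) in enumerate(share_subset):
        num = den = 1
        for j, (xj, _) in enumerate(share_subset):
            if i == j:
                continue
            num = num * (-xj) % PRIME        # product of (0 - xj)
            den = den * (xi - xj) % PRIME    # product of (xi - xj)
        # Modular inverse via pow(den, -1, PRIME) (Python 3.8+)
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def secret_from_bytes(seed: bytes) -> int:
    return int.from_bytes(seed, "big")


def secret_to_bytes(secret: int, length: int) -> bytes:
    return secret.to_bytes(length, "big")


if __name__ == "__main__":
    seed = bytes(range(32))                      # constructed sample seed, not a real key
    shares = split_secret(secret_from_bytes(seed), threshold=3, shares=5)
    print("any 3 of 5 shares recover the seed:",
          secret_to_bytes(recover_secret(shares[1:4]), 32) == seed)
```

The property that matters for the backup argument is that a subset below the threshold is consistent with every possible secret, so a single stolen share card is not a key compromise; the shares themselves still need the same physical protection as a seed phrase would, since any three together are the secret.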
Solo was the first open source alternative to YubiKey. I'm using one of their products and have been happy with it so far: <a href="https://solokeys.com/" rel="nofollow">https://solokeys.com/</a>
I honestly don't understand how a YubiKey is supposed to help me secure my accounts if I get locked out of my accounts when I lose it. I can trivially copy a KeePass database anywhere and have dozens of backups. If I want to do the same with a YubiKey I first have to buy multiple YubiKeys and then I have to register each one on each site. This means they cannot be used as a primary authentication method because they always require a fallback option in case you want to reset your credentials because you lost your YubiKey. If I can't use the YubiKey to secure my e-mail account then what's the point? I'll still need to use password-based login and store that e-mail password in a conventional password manager that I then back up a dozen times.<p>YubiKeys only seem to make sense in a corporate environment where you can always request a new YubiKey and re-register it based on your ID.
If the device doesn't have a secure element, how can anyone take it seriously as a strong root of trust? The page lists several recent attacks on secure element, but that's not really enough to convince me that no secure element is needed.
OnlyKey's ability to type passwords differentiates it for my use cases.<p>I can use OnlyKey to type long BIOS, disc, user and root passwords without worrying about people around or security cameras.
Bought two of those last March. Mostly positive experience so far.<p>Previous firmware didn't restore U2F key from backup, but current one does. It also didn't have any kind of lockdown, so I did it via UDEV rules, luckily current firmware has a lock button, which even sends "Super-l".<p>I would also love onlykey-cli be ported to Python3.<p>Somebody mentioned here that onlykey isn't fit for keychain use, yet mine is totally fine and USB port shows virtually no signs of wear.
Can this device function as an SSD, holding, for example, a Keepass2Android APK file and a KeePass database -- as well as being able to open said database via one of the stored profiles? It doesn't need to have a lot of storage... 640 MB ought to be enough for anyone's KeePass databases.
This thing seems fishy to me. If you want something that is mostly under your control to which you can install open source stuff into then buy some smart cards and card readers e.g. from <a href="https://www.javacardsdk.com" rel="nofollow">https://www.javacardsdk.com</a>
Something way more solid apparently does exist: USB Armory.<p><a href="https://inversepath.com/usbarmory.html" rel="nofollow">https://inversepath.com/usbarmory.html</a><p>The hardware is open, the software is mentioned without much detail; I suppose it's not shipping yet.
One thing I immediately noticed is that apparently it supports exporting full backups of the device? Surely this is a terrible idea? I'm far from a security expert but I'd have thought you'd want to make it so that it is extremely difficult to extract key material from a security key, not offer it as a feature?
ykpass (<a href="https://github.com/noliran/ykpass" rel="nofollow">https://github.com/noliran/ykpass</a>) takes another approach to this. It generates unique strong passwords for every website, which are fully restorable without needing constant backups, thus providing a solution for non-U2F websites, which is - honestly - most of the internet at the moment.
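The "restorable without backups" property described above comes from deriving each site's password from a fixed secret plus the site name, so the same inputs always regenerate the same password. The block below is an added illustration of that derivation pattern, written here rather than taken from ykpass: it uses an HMAC-SHA256 keyed by a master secret as a software stand-in for a hardware key's challenge-response, and the alphabet, challenge format, `version` field and sample secret are all this example's own assumptions.

```python
import hmac
import hashlib
import string

# Password alphabet (assumption: 70 symbols; sites with stricter rules would need a narrower set).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"
# Largest multiple of len(ALPHABET) that fits in a byte; bytes at or above it are
# rejected so that every symbol is equally likely (no modulo bias).
_LIMIT = 256 - (256 % len(ALPHABET))


def derive_password(master_secret: bytes, site: str, username: str = "",
                    length: int = 20, version: int = 1) -> str:
    """Deterministically derive a per-site password from a master secret.

    The challenge is domain-separated by site, username and a version counter,
    so bumping `version` rotates one site's password without touching the secret
    (hypothetical format, not ykpass's own).
    """
    if length < 1:
        raise ValueError("length must be positive")
    challenge = f"sitepass/v{version}/{site}/{username}".encode()
    out = []
    counter = 0
    # Each HMAC block yields up to 32 candidate symbols; loop until enough were accepted.
    while len(out) < length:
        block = hmac.new(master_secret,
                         challenge + counter.to_bytes(4, "big"),
                         hashlib.sha256).digest()
        for b in block:
            if b < _LIMIT:
                out.append(ALPHABET[b % len(ALPHABET)])
                if len(out) == length:
                    break
        counter += 1
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample secret; a hardware key would hold this and never reveal it.
    demo_secret = hashlib.sha256(b"example master secret, not a real one").digest()
    for site in ("example.org", "example.net"):
        print(site, derive_password(demo_secret, site, "alice"))
```

The trade-off worth noticing is that "no backups needed" really means "the master secret is the only backup": lose the key without a copy of its secret and every derived password is gone at once, and rotating the secret rotates every site's password simultaneously, which is why the per-site `version` counter exists.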
Unless you have a provable chain of trust that the code compiled is the code running on this thing then... Nah.<p>I trust Google’s Titan keys. <i>shrug</i>.