Your password will be compromised. It is a matter of time. Major services like Adobe, Dropbox, Yahoo, have had password databases stolen over the years. You can even check to see if your information is in one of the leaked databases on Have I Been Pwned. Ultimately it comes down to one truth:
On a long enough timeline a password’s survival rate drops to zero.
The solution is Unique Passwords and Two-Factor Authentication (2FA) or (U2F).
You may be familiar with one-time use PINs in text messages. This is 2FA. A good first line of defense. Yet high profile celebrities, CEO, and journalists, can be targeted by ‘Unauthorized SIM Swaps‘ where a motivated attacker bribes a mobile carrier employee to transfer numbers temporarily to them.
Advance protection comes of Security Keys with Universal Two-Factor Authentication or (U2F). This is generally a USB device tap when you login. Modern versions include NFC and Bluetooth variants. Earlier this year Google announced that the company wide deployment of their security key stopped phishing completely.
Now, let’s assume you’ve been kidnapped by a hostile entity. You’re in the chair of a grungy warehouse. The nameless captures appears in front of you. They want your password. They drop a bag on the floor and sound pours out from the tools that lay at your feet. We’ve seen enough movies to fill in the unfortunate blanks.
The OnlyKey that may save your situation is properly called: The OnlyKey.
The OnlyKey by CryptoTrust is the Swiss Army knife of authentication.
The OnlyKey is one of those mythological ideas that came from Kickstarter to become a real product. I picked up the second generation, The OnlyKey Color which includes a LED light to visually assist with input. It was designed by serious security professionals and includes about every feature missing from competitors Feitian and Yubico.
Should a hostile agent acquire your OnlyKey and password, you are still protected by the PIN. Oh, you have time before they get you? You can type in a self destruct PIN. Wait, New Zealand is requiring you to give a device password? (Yes, that’s a thing.) Give them a Plausible Deniability PIN. They took the OnlyKey out of your sight? Flash the firmware.
This is a good time to remind you if you’ve read this far, you should have a VPN by now.
The OnlyKey is the encryption tool every hackspace should issue.
With all it’s merits there are two things preventing wide-spread adoption. First, the marketing is non-existent. Second the user interface is a dumpster fire. Non-technical users were unable to setup the key, while technical users spent upwards of 30 minutes for first time setup.
Features Unique to OnlyKey
- PIN Protection: Bypasses key loggers that may be installed on the computer
- Plausible Deniability: A travel mode where it hides the encrypted bits.
- SELF DESTRUCT: A number of wrong tries, or a PIN, will wipe the key.
- Firmware: Ability to update for new features, load international firmware for travel, or wipe the key.
- Encrypted Backup: You will need this.
- Open Source: They’re on Github.
What’s really wrong:
- OnlyKey branding: Should my OnlyKey fall into the wrong hands, why do I want to direct them to the website to figure out what it is?
- Key Chain Cord Broke.
- LED Can’t Be Turned Off*. There may be a way, but I haven’t found it.
- Garbage UI: The user interface is utter trash.
- This is an engineer’s solution.
- Those familiar with server admin took 30-40 minutes to setup it up in our trials.
- U2F slot works, but isn’t checked. Other functions follow suit. (Beta 6 & 7)
- No ‘Are you sure?’ prompts mean misclicks and be end game.
We cannot recommend The OnlyKey Color, despite it being the most secure U2F key we’ve tested. The user interface causes too many headaches and could lead to devastating errors (as of the time of writing this.) If you know your way around Linux and are a high value target, then it’s worth the headache as long as you make frequent backups.
If you’re an average user looking for U2F, then pick up a Google Titan Security Key instead.