OnlyKey or Yubikey? Add Extra Layer of Security

in cybersecurity •  5 years ago 

For years, Yubikey has been the most popular security key in the cybersecurity space. Even Google decided to equip its employees with one. But for personal use, the Kickstarter project OnlyKey offers a solution Yubikey has been lacking: an external PIN pad. I have used Yubikey 4 NEO for over a year, but after using OnlyKey for a while, I was overwhelmed with its capabilities and saw the limitations of Yubikey.

I should mention that I’m not affiliated with the OnlyKey project, and this post is to share my view and experience with both—OnlyKey and Yubikey.

Let’s talk about OnlyKey first

One of the essential features of OnlyKey is the external PIN pad, as I already mentioned. Even if you lose your key, no one can access the information on it without knowing your PIN. And you can create an encrypted backup, which can restore all of your passwords and data to a new OnlyKey.

Here is a list of a few of OnlyKey’s features:

  • 2FA

  • TOTP

  • Yubico OTP (In case you need it)

  • U2F

  • Email/Chat message, encrypt & sign

  • PGP Key storage and encryption

  • Self destruct PIN

  • Firmware with hidden profile; named International Profile

  • SSH login

You can use the slots to store your wallet, seed, and/or private keys.

URL, User Name, and Password fields can store up to 168 characters, so there will be plenty of space for your seed or private keys.

OnlyKey & Yubikey compared

OnlyKey User Guide

OnlyKey’s user manual is well made and easy to understand for both average and advanced users, and it covers all platforms.

Yubikey User Guide

Yubico’s user manual is like kryptonite, intentionally written not to be understood by the average user. Windows, Linux and macOS platforms are covered, but crucial information is still missing from their manual.

OnlyKey Desktop App

OnlyKey has native Windows, Linux, and macOS apps and a Google Chrome extension to set up and manage your key. TOTP keys are managed within the native OnlyKey app.

Yubikey Desktop App

Yubico has a few apps to manage your key, and a separate TOTP app to manage your one-time passwords, but it may not always work with macOS above 10.12.

Using OnlyKey on a Mobile/Tablet

I tested OnlyKey (including TOTP) on iOS iPhone and iPad, and it’s functioning with no issues. The same is valid for Android devices.

Using Yubikey on a Mobile/Tablet

You can only use a static password with Yubikey on iOS; it only supports TOTP over NFC on Android devices. Yubikey 5 NFC and 4 NEO support NFC on iOS but only Yubikey OTP.

OnlyKey TOTP

Managing TOTP entries is done the same way as with any mobile app, by selecting “Manually Enter Secret”. Copy the secret from the service you wish to add and paste it into the field in the corresponding profile/slot.

Yubikey TOTP

Yubico’s TOTP app can either scan the QR code or you can enter the secret manually. The downside is that you may not be able to password protect the app if you’re using MacOS 10.14 and Linux distros.
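After entering a secret manually on either key, you can confirm it was pasted correctly by comparing the code the key produces with one computed independently. The following is an added example, not code from OnlyKey or Yubico; it assumes the service uses the RFC 6238 defaults (HMAC-SHA1, 30-second step, 6 digits), and the sample secret is the RFC's published test key, not a real account secret.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample input: the published RFC 6238 test key ("12345678901234567890"),
# written the way a service might display it (lowercase, grouped, unpadded).
SAMPLE_SECRET = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"


def decode_secret(secret: str) -> bytes:
    """Normalize and decode a base32 secret; raise ValueError if it is malformed."""
    cleaned = secret.replace(" ", "").replace("-", "").upper().rstrip("=")
    if not cleaned:
        raise ValueError("empty secret")
    padded = cleaned + "=" * (-len(cleaned) % 8)
    try:
        return base64.b32decode(padded)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"not a valid base32 secret: {exc}") from exc


def totp(secret: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 (the assumed service default)."""
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(decode_secret(secret), counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def key_output_matches(secret: str, typed_code: str, unix_time: int) -> bool:
    """Compare the code typed by the hardware key with the expected one,
    allowing one step of clock drift either way."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + drift), typed_code.strip())
        for drift in (-30, 0, 30)
    )
```

A secret containing the digits 0, 1, 8 or 9 is rejected by `decode_secret`, which catches the most common copy errors before the value is stored on the key.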

OnlyKey Static Password

According to the OnlyKey team, you can assign 24 different passwords, up to 168 characters on a single OnlyKey.

Yubikey Static Password

We can assign only one static password on either slot 1 or 2, up to 64 ModHex characters, or 38 ASCII characters.

Adding OpenPGP Key to OnlyKey

OpenPGP keys can be added using the OnlyKey native app or using the command line. Once your keys are added, you can use their web crypt online tool to encrypt and decrypt messages.

Adding OpenPGP Key to Yubikey

OpenPGP keys can be added to Yubikey using the command line with pre-installed GnuPG software.

OnlyKey Physical Security

Even if your key is lost or stolen, it cannot be used unless the attacker knows your PIN.

Yubikey Physical Security

If your Yubikey is set up as U2F, losing it would mean whoever finds it has the second authentication factor for every service you ever added your Yubikey to.

OnlyKey’s Support

So far, I’ve had a good experience with their support team. There’s no phone support, but for the few questions I asked, they responded in the forums within a few hours.

Yubico’s Support

After the NFC on my Yubikey 4 NEO failed, I contacted their support, and despite the fact that Yubico OTP can be verified with YubiCloud, the warranty was voided because the key was purchased from a store not listed on Yubico’s website. In other words, serial number and genuine firmware are not guaranteed to verify the genuineness of your key.

Yubico doesn’t have phone support, and the forum is read only, so if you have to seek their help, I’m not sure how efficient it will be.

Final Words

Both OnlyKey and Yubikey are waterproof and durable. Unlike OnlyKey, Yubico’s firmware is not open source and cannot be reviewed for security flaws. OnlyKey is open source, and if you have the knowledge, you can review their firmware, which can be found on their GitHub page.

The Yubikey for Lightning program has been floating around for about a year now, and yet iOS support is still missing. It’s possible the iPhone will switch to USB-C (pure speculation) this September, so the fate of Lightning support by Yubico is unclear. If you are an iOS developer, to enable Yubikey support in your app, you need to apply and get approved by Yubico to test their SDK.

Both keys are useful, but for the same price as Yubikey, OnlyKey appears to be easier to set up and use for the average user. OnlyKey is my preferred choice when used to save logins, static passwords, and GnuPG keys. It will run with most systems, phones, and tablets, whereas with Yubikey, you might be a bit limited.

Do your own research! Read the documentation and the information available on both websites. Only then decide which key might be more useful in your case.
