There are just a couple of problems with passwords.
First, we need them to be strong. Some 12 random characters or more. No matter whether you use a password manager, trust a small company to store all your passwords in the cloud, or let a big corporation track all your logins, you still need a master password, and it had better be doubly strong. You can use biometrics as an alternative to the master password on your laptop, but this effectively binds you to that laptop.
Second, there are still cases when you absolutely have to type the password manually. Basically, everything outside of the desktop. One such case is full disk encryption at the boot loader prompt. Another is a login on an important console. And this is exactly when you need the strongest passwords.
But can you remember a single truly strong password? I can’t.
In this article I’m going to analyze and compare two hardware devices that remember your passwords and type them for you.
YubiKey is the Xerox of authentication devices: its maker’s products come in all shapes and sizes, connect via different ports, and some have wireless support. From now on I will refer to the one device that I have, namely the YubiKey Edge, as just a YubiKey. It is a simple full-size USB dongle, no NFC. OnlyKey is a new contender with just one product, which is also a full-size USB dongle.
I will also focus exclusively on using both in “first factor static password” mode. Despite both supporting several second-factor modes, I’ve found it impractical to use them as a second factor. A smartphone or a dedicated $5 dongle is a better option for that.
That out of the way, let’s begin.
In concept, both devices are identical, and the idea behind them is beautiful in its simplicity. They are essentially external keyboards in a USB dongle form. You press a button on the dongle, it spits out the password as if someone typed it on a keyboard. That’s it.
Here they are side by side:
The elephant in the room is of course the number of buttons. YubiKey has one, OnlyKey has six. I will address it under Features.
Manufacturing quality is impeccable on both devices.
YubiKey feels more like a consumer utility: it is a perfectly rugged piece of plastic, something you can forget in the pocket of your jeans through a wash and it still works.
OnlyKey feels more like a serious security device, it is cut from a piece of PCB, you can see all the circuitry laminated in a transparent epoxy, and there is a separate rubber sleeve that you are supposed to put on after you have finished looking at it. It is also larger and thicker.
Buttons on both devices are not really buttons. They are copper plates that you touch, not push. No tactile feedback, but they last.
YubiKey is extremely simple. It can store two passwords. Since there is only one button, you choose which password to type by touching the button momentarily or for longer than two seconds.
OnlyKey is way more complex. It has a large LED that changes color and blinks differently depending on what the device is doing. It has six buttons and can store 24 passwords. Given six buttons and the same two-second trick as with YubiKey, you get 12 passwords. There are also two user profiles, for a total of 24.
But the crucial difference between the two is that OnlyKey is itself password protected. You need to punch in the correct PIN after plugging it in. The LED goes green and the device is ready to use. This is a major security benefit. You can leave OnlyKey anywhere and not worry about who touches it. YubiKey you need to keep an eye on at all times.
Another big plus for OnlyKey is that it is far more configurable. Each of the 24 entries can be set up so that it types, for example, URL, ENTER, a 3-second pause, username, TAB, password and finally ENTER. Not just the password.
There are other OnlyKey features that show its makers indeed wanted a security device, not a consumer utility. For example, you can set up a fake PIN to be entered under duress, upon which the device erases itself.
YubiKey just works. It’s perfectly simple, not much else to say. You plug it in, it’s ready in three seconds, touch the button, and away it goes.
OnlyKey takes the same three seconds to boot, but then you also need to punch in your PIN, which takes another four seconds, then another three seconds to decrypt before it goes green. It feels slow, but not terribly slow.
When you plug the OnlyKey into a side port of a laptop, the buttons on the OnlyKey are too close to the edge of the keyboard. It happens, although not very often, that I accidentally touch a button with the edge of my palm, and it types the password unexpectedly. That’s a nuisance that can become a very serious security leak. You may need to unplug the device each time, or plug it into a port that is not so easily accessible.
There is also an issue with the entire class of such devices: they send not characters but scan codes, meaning they imitate key presses at certain positions on the keyboard. What’s the difference? When an international layout is active, such as Russian or German, what you get in the password is a sequence of Cyrillic letters, or some letters (Z vs. Y) swapped. This is especially annoying when you plug the device into a phone: it is recognized as an external keyboard and the on-screen keyboard disappears, making it impossible to switch the layout.
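The scan-code problem can be checked for before a password is committed to a dongle that will be used at a boot prompt. The following Python is an added example, not code from the article or from either vendor: it models the device as a sender of USB HID key positions and the host as a layout-dependent decoder, shows how one constructed sample password comes out under US, German and Russian layouts, and computes the subset of characters that type identically under all of them. The HID usage IDs are the standard ones from the USB HID Usage Tables; the three layout tables are constructed, partial (lowercase letters, digits, a few unshifted punctuation keys, Shift on letters only) and assumed for illustration, not complete layout definitions.

```python
# Added example (not from the article or either vendor): why a scan-code
# "password typer" produces the wrong characters under a non-US layout, plus
# a check for passwords that survive a layout switch.
#
# The device sends USB HID keyboard usage IDs (key positions) and the host
# turns each ID into a character with whatever layout is active. The usage IDs
# are the real ones from the USB HID Usage Tables (page 0x07); the three layout
# tables are constructed for this example and cover only a subset of keys.

from typing import Dict, Iterable, List, Set, Tuple

# Usage IDs: a..z = 0x04..0x1D, 1..9 = 0x1E..0x26, 0 = 0x27, then punctuation.
US_CHAR_TO_CODE: Dict[str, int] = {chr(ord("a") + i): 0x04 + i for i in range(26)}
US_CHAR_TO_CODE.update({str(d): 0x1E + d - 1 for d in range(1, 10)})
US_CHAR_TO_CODE["0"] = 0x27
US_CHAR_TO_CODE.update({
    "-": 0x2D, "=": 0x2E, "[": 0x2F, "]": 0x30, "\\": 0x31,
    ";": 0x33, "'": 0x34, "`": 0x35, ",": 0x36, ".": 0x37, "/": 0x38,
})

# Host-side layouts: usage ID -> unshifted character.
US_LAYOUT: Dict[int, str] = {code: ch for ch, code in US_CHAR_TO_CODE.items()}

# German QWERTZ (constructed, partial): Y and Z swap, punctuation keys move.
DE_LAYOUT: Dict[int, str] = dict(US_LAYOUT)
DE_LAYOUT.update({
    US_CHAR_TO_CODE["y"]: "z", US_CHAR_TO_CODE["z"]: "y",
    US_CHAR_TO_CODE["-"]: "ß", US_CHAR_TO_CODE["="]: "´",
    US_CHAR_TO_CODE["["]: "ü", US_CHAR_TO_CODE["]"]: "+",
    US_CHAR_TO_CODE["\\"]: "#", US_CHAR_TO_CODE[";"]: "ö",
    US_CHAR_TO_CODE["'"]: "ä", US_CHAR_TO_CODE["`"]: "^",
    US_CHAR_TO_CODE["/"]: "-",
})

# Russian ЙЦУКЕН (constructed, partial): every letter key gives a Cyrillic
# letter; digit keys are unchanged.
RU_LAYOUT: Dict[int, str] = dict(US_LAYOUT)
RU_LAYOUT.update({
    US_CHAR_TO_CODE[latin]: cyr
    for latin, cyr in zip("qwertyuiop[]asdfghjkl;'zxcvbnm,./`",
                          "йцукенгшщзхъфывапролджэячсмитьбю.ё")
})

Keystroke = Tuple[int, bool]  # (usage ID, Shift held)


def encode_us(password: str) -> List[Keystroke]:
    """What the dongle sends: it assumes a US layout and emits key positions.
    Shift is modelled for letters only; other shifted symbols are rejected."""
    strokes: List[Keystroke] = []
    for ch in password:
        if ch.isascii() and ch.isalpha() and ch.isupper():
            strokes.append((US_CHAR_TO_CODE[ch.lower()], True))
        elif ch in US_CHAR_TO_CODE:
            strokes.append((US_CHAR_TO_CODE[ch], False))
        else:
            raise ValueError(f"character {ch!r} is outside the modelled key set")
    return strokes


def decode(strokes: Iterable[Keystroke], layout: Dict[int, str]) -> str:
    """What the host produces from the same key positions under a given layout."""
    return "".join(layout[code].upper() if shift else layout[code]
                   for code, shift in strokes)


def layout_invariant(password: str, layouts: Iterable[Dict[int, str]]) -> bool:
    """True if the password comes out identically under every given layout."""
    strokes = encode_us(password)
    return all(decode(strokes, layout) == password for layout in layouts)


def safe_charset(layouts: Iterable[Dict[int, str]]) -> Set[str]:
    """Unshifted characters whose key position means the same under all layouts."""
    layouts = list(layouts)
    return {ch for ch, code in US_CHAR_TO_CODE.items()
            if all(layout[code] == ch for layout in layouts)}


if __name__ == "__main__":
    pw = "Zy7-pass"  # constructed sample, not a real password
    for name, layout in (("US", US_LAYOUT), ("DE", DE_LAYOUT), ("RU", RU_LAYOUT)):
        print(f"{name}: {decode(encode_us(pw), layout)}")
    safe = safe_charset([US_LAYOUT, DE_LAYOUT, RU_LAYOUT])
    print("typed identically under US, DE and RU:", "".join(sorted(safe)))
```

The practical use is the last function: a password meant for a pre-boot prompt, where you cannot switch layouts, can be drawn from `safe_charset()` for the layouts you actually encounter, or simply verified with `layout_invariant()` before it is programmed into the device. The example generalizes the article's Z/Y case to any layout you can describe as a position-to-character table; with German and Russian both in play, only the digit keys survive unchanged in this model.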
Each device is programmed with its own companion application. The applications do the job, but as far as usability goes they are nothing but a column of checkboxes.
The inevitable question: is it possible to use such devices with different platforms? Both devices that I have work perfectly with Windows and Linux, also at the boot loader prompt. They also worked for me with Apple devices via a Lightning-to-USB adapter.
On mobile, it’s not rosy for YubiKey. YubiKey devices seem to only support second factor over NFC, not static password, and my Android smartphone does not recognize YubiKey as an external keyboard when plugged in. What it does recognize is OnlyKey, and it is absolutely usable with Android.
I can highly recommend both devices. Appearance aside, here is the takeaway:
YubiKey is better because it’s easier to use, and the manufacturer offers a range of devices, one of which might suit your case. It is worse because it only remembers two passwords, and they are not secured by the device.
OnlyKey is better because it remembers not just passwords but entire arbitrary login scenarios, and lots of them, all stored securely. It is worse because it is not quite as easy to use.
Thank you so much for reading!