
Review on Enhanced Security with OnlyKey FIDO2/U2F Key: Hardware Password Manager, Two Factor Authentication, Portable Encryption, PGP/SSH/Yubikey OTP Support, Windows/Linux/Mac OS/Android Compatible by Joe Griffin

Revain rating: 4 out of 5

It's cool but requires extra work

The device generally works but needs additional polishing. The current firmware is beta version 0.2, and it was last updated about a year ago. As a result, the user interface and setup are inconvenient for the user, and working with it is quite slow.

First, what works. I work on Linux, and that's where I tested it. I haven't fully tested it on Android yet; I tried it a bit and it seems to work just like on a computer. The password manager is great: you press a button and it types whatever you want, even a website if you want. It's a bit of a setup process, but once you figure it out, it works great. It also works well as a U2F and FIDO2 token, but it took me a few tries to get it right. It also turns out that support for U2F and FIDO2 is still limited, and you can hardly find anything that supports it other than some big services (like Microsoft and Google). But at least you can use it to log into your laptop in a public place, so that's a plus.

Now for the bad. First, the looks. It feels sturdy and heavy, but it also looks worn and rough, like someone is making it in their basement or something. Look at the photo: it's not even cut square but has a bend. And it looks like the layers are peeling off over time.

The second big problem is the position of the LED. You have to rely on the LED to work with it. For example, if the LED is off you need to enter the PIN; if it is blue you need to press the button for U2F. The problem is that the LED is on the back and the buttons are on the front. It works if you plug it into the front of a tower, but if you use it with a laptop, not so much. I understand this is why they made the LED so bright that I'm concerned it will burn my eyes if I look directly at it (it's pretty bright even on the lowest setting). They want it to light up the room so you can see what color it is and whether or not it's on. But it's just crappy design. I don't want it connected and constantly brightly illuminating me. Having a big blob of light on your laptop would be pretty annoying (or alternatively you'd have to plug and unplug it every time you want to go somewhere).

If you're getting it for Yubikey OTP, don't. You can generate Yubikey OTPs on this device, but they are not verified by YubiCloud. Perhaps it is Yubikey's fault that something has changed on its side since the release of the firmware for this module, but the fact is that it does not work now. To make it work, you need to buy a Yubikey, change the OTP key settings to match those of this device (this is easy to do, but it will somewhat destroy the validity of the Yubikey), and then register that Yubikey in YubiCloud. (At the moment you cannot upload the data without a real Yubikey.) And this does not guarantee it will work. At best I can say that it has a 50/50 chance of either working or not working at all. Sometimes when testing I can verify the keys, and sometimes not. Also, Yubikey can cancel your registration entirely, so good luck with that. I think the best way is to host your own Yubikey authentication service. Then it can act as a backup Yubikey OTP generator for an already reprogrammed Yubikey. But if you want to keep the original "real" generator in your Yubikey, this feature is useless because you can't install it.

Even if you want to use it for Google TOTP authentication, it only works partially. This requires either the OnlyKey app running on the device, or a connection to the OnlyKey website, so that it can give the device the time to generate a Google Authenticator (or TOTP) token. Why can't it query the hardware clock/system time? Or at least provide the option, perhaps as a fallback. However, TOTP generation works well if you meet the conditions.

There are also several cycles or modes that OnlyKey goes through. For example, you can only enter a PIN code a few seconds after plugging it in, and you should see an LED telling you when you can start entering the PIN code. If you try to enter the PIN code beforehand, it will not work. Apparently some other cycles don't show up there and you can't enter a PIN. So every once in a while you try to interact with the key and it just doesn't behave the way you expect it to; I suspect that at the moment you try to interact with it, some sort of internal state change is going through. I've also had OnlyKey disconnect from the app when someone tries to use it, and then I had to unplug and replug it to get it reconnected.

I haven't tested how well it works with PGP and SSH because I don't need it. I tested the web service they provide and it worked fine (webcrypt for single-key base files and data). However, you'll need software that can work with OnlyKey to encrypt files for you, and that support doesn't seem to be available yet (so you'd be forced to use their service or write your own).

In general, this is very useful for password management and U2F functions. The PIN protection is also excellent, so there is a safety measure even if it is lost. However, there is still a lot to be done on the surface, in the application and usability. There should also be a slightly better guide to setting up some features. I also wanted to mention that while it should work with Android, it doesn't support NFC; the manufacturer said in one of the questions that NFC doesn't supply enough current to make it work properly. I think I can accept that. I just hope all the power consumption doesn't go into powering the LED. A little more power for this LED and it starts firing lasers.

Pros
  • ✅ PORTABLE PROTECTION. The extremely durable, waterproof and tamper-proof design allows you to take OnlyKey with you wherever you go.
Cons
  • Minor issues