Commit

update
onlykey authored and onlykey committed Nov 21, 2019
1 parent fef9971 commit 2583481
Showing 6 changed files with 98 additions and 65 deletions.
50 changes: 3 additions & 47 deletions _data/sidebars/mydoc_sidebar.yml
@@ -171,58 +171,14 @@ entries:
url: /firmware.html
output: web, pdf

- title: Works with OnlyKey
- title: Knowledge Base
output: web, pdf
folderitems:

- title: Offline Password Managers (KeePassXC, KeePass, Password Safe)
url: /offlinepw.html
output: web, pdf

- title: Online Password Managers (LastPass, Dashlane, Bitwarden, 1Password)
url: /onlinepw.html
output: web, pdf

- title: Cloud Providers (Amazon AWS, MS Azure, Google Cloud)
url: /cloudprovider.html
output: web, pdf

- title: Cloud Storage (Dropbox, Box, OneDrive, BoxCryptor)
url: /cloudstorage.html
- title: Works with OnlyKey
url: /workswithonlykey.html
output: web, pdf

- title: Full Disk Encryption (LUKS, Bitlocker)
url: /diskencryption.html
output: web, pdf

- title: OpenPGP Providers (Protonmail, Keybase, Mailvelope)
url: /importpgp.html
output: web, pdf

- title: Privacy Focused OS (Qubes OS, Tails)
url: /qubes.html
output: web, pdf

- title: Software Development (Github, Gitlab)
url: /git.html
output: web, pdf

- title: Social Media (Facebook, Instagram, Reddit, Twitter)
url: /socialmedia.html
output: web, pdf

- title: Cryptocurrency Exchange (Kraken, Coinbase, Bitfinex, Bittrex)
url: /cryptocurrency.html
output: web, pdf

- title: Enterprise Authentication (DUO Business/Federal, Okta, SAASPASS, Azure AD)
url: /enterpriseauth.html
output: web, pdf

- title: Knowledge Base
output: web, pdf
folderitems:

- title: Firmware Upgrade Guide
url: /upgradeguide.html
output: web, pdf
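Review bot: this hunk removes eleven sidebar entries that each had their own docs URL (/offlinepw.html, /onlinepw.html, /cloudprovider.html, /cloudstorage.html, /diskencryption.html, /importpgp.html, /qubes.html, /git.html, /socialmedia.html, /cryptocurrency.html, /enterpriseauth.html) but the commit does not touch those pages, so they become orphaned from navigation while still being live and linkable. Decide explicitly: either keep them and have the new "Works with OnlyKey" page link to them, or delete them with redirects to /workswithonlykey.html so existing bookmarks do not 404. Note that workswithonlykey.md in this same commit still links to docs.crp.to/qubes.html, so /qubes.html at least must remain reachable.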
Binary file added images/keepassxc.png
Binary file added images/keepassxc2.png
Binary file added images/keepassxc3.png
48 changes: 41 additions & 7 deletions pages/mydoc/usersguide.md
@@ -495,13 +495,47 @@ Learn more about OnlyKey's implementation of FIDO2 / FIDO U2F [here.](https://do

### Using OnlyKey With A Software Password Manager {#using-onlykey-with-a-software-password-manager}

OnlyKey stores up to 24 unique accounts in offline storage and can be used to secure an unlimited number of accounts if used in conjunction with a software password manager. For example, set one of the OnlyKey slots to KeePassXC, Dashlane, Google (Smart Lock), Lastpass, etc. enable 2-factor on this slot and then use your OnlyKey to unlock your software password manager. This way you can keep your most valuable accounts in offline storage and everything else in the software password manager.

{% include tip.html content="This way you can keep your most valuable accounts in offline storage and everything else in the software password manager." %}

#### KeePassXC {#keepassxc}

More information coming soon. We are working with the KeePassXC team to implement OnlyKey support for KeePassXC.
OnlyKey stores up to 24 unique accounts in offline storage and can be used to secure an unlimited number of accounts if used in conjunction with a software password manager. For example, set one of the OnlyKey slots to KeePassXC, Dashlane, Google (Smart Lock), Lastpass, etc. enable 2-factor on this slot and then use your OnlyKey to unlock your software password manager. This way you can keep your most valuable accounts in offline secure hardware and everything else in the software password manager.

There are two types of software password managers:
- Online Password Managers - Less secure but more convenient because passwords sync automatically between devices
- [LastPass](https://onlykey.io/pages/secure-lastpass-with-onlykey)
- [Dashlane](https://onlykey.io/pages/secure-dashlane-with-onlykey)
- Bitwarden
- 1Password
- Offline Password Managers - More secure but less convenient because passwords don't sync automatically
- [KeePassXC](https://onlykey.io/pages/securing-keepassxc-with-onlykey)
- KeePass
- Password Safe


#### KeePassXC (Recommended) {#keepassxc}

We recommend KeePassXC because:
- Its 100% open source (verifiable security)
- Its cross platform, supports Windows, Linux, Mac (in contrast to KeePass which is for Windows)
- Its offline, no passwords in the cloud
- We collaborated with the KeePassXC team to develop a custom integration with OnlyKey that provides a major security benefit
{% include image.html file="keepassxc.png" %}

Starting with the 2.5.0 release of KeePassXC you can use OnlyKey in challenge-response mode to secure your KeePassXC password database.

What does this mean?
To unlock KeePassXC, in addition to requiring a master password, the OnlyKey flashes yellow and you must press a button on OnlyKey. By requiring a master password and an OnlyKey, your accounts are protected by essentially two layers of security. This solution is more secure than other software password managers. Here is why -

In order to unlock your KeePassXC database a hacker would need four things:
- Physical access to your computer (where the KeePass database resides)
- Physical access to your OnlyKey
- Know your OnlyKey PIN
- Know your master password

What is needed to use challenge-response feature?
No setup is required, OnlyKey generates a private key for HMAC SHA1 automatically when the device is first configured. Just create a KeePassXC database and do the following:

@schlomie (Nov 21, 2019):

Will there be an update to the OnlyKey App to explicitly set the HMAC SHA1 secret? Can I program the same secret onto my OnlyKey as I have on my Yubikey - a backup token, of sorts.

@onlykey (Nov 21, 2019):

You will eventually be able to set both slots through the app; for right now you can set only slot 1, slot 2 is always a derived key. It's not documented, but to set this you just set ECC slot 130 with your 20 byte HMACSHA1 key
https://github.com/trustcrypto/libraries/blob/5bd1f8eb15eb0463487089f9df531f3384286886/onlykey/okcrypto.cpp#L716

[image attachment]

@schlomie (Nov 21, 2019):

Score! This does work! I successfully opened a kdbx that I had previously secured with a Yubikey, providing the 20 bytes from my HMAC, right-padded with zeros to fill out the required 32 bytes.

However - one small problem. After authenticating with the HMAC secret, the OnlyKey became unresponsive to touch - it would no longer type out passwords on presses. I have to disconnect the OnlyKey and re-insert/unlock to get it to work again.

I would be glad to open an issue - should this go in the Firmware or the App repo?

@onlykey (Nov 25, 2019):

@schlomie This would go in the firmware repo. Can you provide some steps to reproduce this and details such as whether it always happens or only happened once?

@schlomie (Nov 25, 2019):

I opened an issue in the Firmware Repo. Thanks!
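The observation in this thread that a 20-byte YubiKey HMAC-SHA1 secret, right-padded with zeros to 32 bytes, opens the same kdbx is a direct consequence of how HMAC treats its key. The following Python is an added example, not OnlyKey or KeePassXC code: it computes the YubiKey-style HMAC-SHA1 challenge-response, shows that zero-padding the secret to any width up to the 64-byte SHA-1 block size leaves the response unchanged (RFC 2104 zero-pads short keys itself) while padding past 64 bytes does not, and folds the response into a database key using a simplified model, SHA-256(SHA-256(password) || response). That model is an assumption for illustration only and is not KeePassXC's actual key derivation; the 32-byte field width is taken from the thread, and the sample secret and challenge are constructed values.

```python
"""Added example: YubiKey-style HMAC-SHA1 challenge-response as used by
KeePassXC's hardware-key mode, and why zero-padding the secret is harmless.
Not OnlyKey or KeePassXC code."""
import hashlib
import hmac

SHA1_BLOCK_SIZE = 64      # bytes; HMAC zero-pads keys shorter than this (RFC 2104)
YUBIKEY_SECRET_LEN = 20   # bytes; the HMAC-SHA1 slot secret length on YubiKey/OnlyKey
RESPONSE_LEN = 20         # bytes; SHA-1 digest length, so every response is 20 bytes


def hmac_sha1_response(secret: bytes, challenge: bytes) -> bytes:
    """What the token returns for a challenge: HMAC-SHA1(secret, challenge)."""
    return hmac.new(secret, challenge, hashlib.sha1).digest()


def pad_secret(secret: bytes, width: int = 32) -> bytes:
    """Right-pad a secret with zero bytes to a fixed field width.

    The 32-byte default models the slot field the thread reports filling with a
    20-byte secret plus 12 zero bytes (assumption: the width comes from the
    thread, not from OnlyKey documentation)."""
    if len(secret) > width:
        raise ValueError(f"secret is {len(secret)} bytes, wider than field of {width}")
    return secret + b"\x00" * (width - len(secret))


def zero_padding_is_transparent(secret: bytes, challenge: bytes, width: int) -> bool:
    """True when padding `secret` with zeros to `width` leaves the response unchanged.

    HMAC zero-pads any key shorter than the 64-byte block size before use, so
    padding to any width <= 64 produces the identical internal key. Past 64 bytes
    HMAC first replaces the key with SHA-1(key), and the responses diverge."""
    original = hmac_sha1_response(secret, challenge)
    padded = hmac_sha1_response(pad_secret(secret, width), challenge)
    return hmac.compare_digest(original, padded)


def composite_key(master_password: str, secret: bytes, challenge: bytes) -> bytes:
    """Simplified model of folding the token response into a database key.

    Assumption for illustration only: SHA-256(SHA-256(password) || response).
    KeePassXC's real derivation also runs its KDF and may mix in other key
    sources; the point shown is that without the token (without `secret`) the
    response, and therefore the key, cannot be reproduced from the password."""
    pw_hash = hashlib.sha256(master_password.encode("utf-8")).digest()
    response = hmac_sha1_response(secret, challenge)
    return hashlib.sha256(pw_hash + response).digest()


if __name__ == "__main__":
    # Constructed sample values, not real secrets.
    secret = bytes(range(YUBIKEY_SECRET_LEN))
    challenge = b"\xa5" * 32
    print("response:", hmac_sha1_response(secret, challenge).hex())
    for width in (20, 32, 64, 72):
        print(f"pad to {width:>2} bytes transparent:",
              zero_padding_is_transparent(secret, challenge, width))
    print("key with token  :", composite_key("correct horse", secret, challenge).hex())
    print("key, other token:", composite_key("correct horse", bytes(20), challenge).hex())
```

The hardware token's contribution is that `secret` never leaves the device: the host hands over only `challenge` and gets back `response`. The backup consequence is the one raised above: a slot secret you set yourself can be written to a second token, a device-derived one cannot be reproduced anywhere else.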

- Select "Add additional protection"
- Select "Add YubiKey Challenge-Response"
- OnlyKey will show in the list of devices, select slot1 or slot2

After creating the KeePassXC database you will be prompted to press any button on OnlyKey (flashes yellow) to unlock your KeePassXC database. Additionally, since OnlyKey also stores static passwords you can use OnlyKey to store your KeePassXC master password in one of the available slots.

#### LastPass {#lastpass}
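Review bot: "No setup is required, OnlyKey generates a private key for HMAC SHA1 automatically" omits what the inline thread on this hunk establishes: slot 1 can be loaded with a user-supplied 20-byte HMAC-SHA1 secret (via ECC slot 130 in the app, currently undocumented) while slot 2 is always a device-derived key. That matters for the "select slot1 or slot2" step, because a database bound to the derived slot 2 key cannot be opened by any other token if the OnlyKey is lost, whereas a slot 1 secret can be recorded and loaded onto a second token, as @schlomie did with a YubiKey-secured kdbx; document both slots and their backup implications next to that step. The threat list is also slightly off: an attacker needs a copy of the .kdbx file, not "Physical access to your computer", since the file can be copied or synced; say "a copy of your KeePassXC database". Three images are added in this commit (keepassxc.png, keepassxc2.png, keepassxc3.png) but only keepassxc.png is included here. Style: "HMAC SHA1" should be "HMAC-SHA1", and "Its 100% open source", "Its cross platform", "Its offline" should be "It's".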

65 changes: 54 additions & 11 deletions pages/mydoc/workswithonlykey.md
@@ -9,26 +9,69 @@ permalink: workswithonlykey.html
folder: mydoc
---

## [Offline Password Managers (KeePassXC, KeePass, Password Safe)](https://docs.crp.to/offlinepw)
Pick from the list below to find out more about common solutions that integrate with OnlyKey:

## [Online Password Managers (LastPass, Dashlane, Bitwarden, 1Password)](https://docs.crp.to/onlinepw)
## Online Password Managers
### [LastPass](https://onlykey.io/pages/secure-lastpass-with-onlykey)
### [Dashlane](https://onlykey.io/pages/secure-dashlane-with-onlykey)
### Bitwarden
### 1Password

## [Cloud Providers (Amazon AWS, MS Azure, Google Cloud)](https://docs.crp.to/cloudprovider)
## [Offline Password Managers
### [KeePassXC](https://onlykey.io/pages/securing-keepassxc-with-onlykey)
### KeePass
### Password Safe

## [Cloud Storage (Dropbox, Box, OneDrive, BoxCryptor)](https://docs.crp.to/cloudstorage)
## Cloud Providers
### Amazon AWS
### [MS Azure](https://onlykey.io/pages/securing-azure-ad-and-office-365-with-onlykey)
### [Google Cloud](https://onlykey.io/pages/secure-google-apps-with-onlykey)

## [Full Disk Encryption (LUKS, Bitlocker)](https://docs.crp.to/diskencryption)

## [OpenPGP Providers (Protonmail, Keybase, Mailvelope)](https://docs.crp.to/openpgp)
## Cloud Storage
### Dropbox
### Box.com
### [OneDrive](https://onlykey.io/pages/securing-azure-ad-and-office-365-with-onlykey)
### [Google Drive](https://onlykey.io/pages/secure-google-apps-with-onlykey)
### BoxCryptor

## [Privacy Focused OS (Qubes OS, Tails)](https://docs.crp.to/qubes)
## Full Disk Encryption
### LUKS
### Bitlocker

## [Software Development (Github, Gitlab)](https://docs.crp.to/git)
## OpenPGP Providers
### Protonmail
### [Keybase](https://www.youtube.com/watch?v=TluqGOwyxyk)
### Mailvelope

## [Social Media (Facebook, Instagram, Reddit, Twitter)](https://docs.crp.to/socialmedia)
## Privacy Focused OS
### [Qubes OS](https://docs.crp.to/qubes.html)
### Tails

## [Cryptocurrency Exchange (Kraken, Coinbase, Bitfinex, Bittrex)](https://docs.crp.to/cryptocurrency)
## Software Development
### [Github](https://onlykey.io/pages/secure-github-and-gitlab-accounts-with-onlykey-2)
### [Gitlab](https://onlykey.io/pages/secure-github-and-gitlab-accounts-with-onlykey-2)

## [Enterprise Authentication (DUO Business/Federal, Okta, SAASPASS, Azure AD)](https://docs.crp.to/enterpriseauth)
## Social Media
### Facebook
### Instagram
### Reddit
### [Twitter](https://www.youtube.com/watch?v=CBDKx2_br3g)

## Cryptocurrency Exchange
### Kraken
### Coinbase
### Bitfinex
### Bittrex

## Enterprise Authentication
### [Google Apps](https://onlykey.io/pages/secure-google-apps-with-onlykey)
### [Office 365](https://onlykey.io/pages/securing-azure-ad-and-office-365-with-onlykey)
### [Azure AD](https://onlykey.io/pages/securing-azure-ad-and-office-365-with-onlykey)
### DUO Business/Federal
### Okta
### SAASPASS

This list includes many common solutions but OnlyKey will work with practically any service or application. If a site supports 2FA then chances are OnlyKey is supported, if a site does not support 2FA then OnlyKey is still supported for secure passwords.

{% include links.html %}
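Review bot: the heading `## [Offline Password Managers` has an unmatched opening bracket, so it renders with a literal "[" in the title; it should read `## Offline Password Managers` like the other section headings. Beyond that, the intro says "Pick from the list below to find out more", but most `###` entries (Bitwarden, 1Password, KeePass, Password Safe, Amazon AWS, Dropbox, Box.com, BoxCryptor, LUKS, Bitlocker, Protonmail, Mailvelope, Tails, Facebook, Instagram, Reddit, the four exchanges, DUO, Okta, SAASPASS) are bare headings with nothing to pick, and the linked ones go to a mix of onlykey.io posts, YouTube videos and docs.crp.to. Either link every entry or reword the intro; since the sidebar hunk in this commit removed the per-category docs pages from navigation, pointing the unlinked entries at those pages (e.g. /diskencryption.html for LUKS and Bitlocker) would fill the gaps without new content. Minor: "Bitlocker" is written BitLocker.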
