Difficulty getting some websites to recognize OnlyKeys

I’ve read some users have had trouble using OnlyKey with Protonmail. I’m also having trouble (just FIDO) getting Protonmail to recognize OnlyKey. I keep getting an error message (“Incorrect login credentials. Please try again.”) even though my credentials are saved in a password manager and have always worked (for years) before. This happens in Chrome, Brave, Firefox, Librewolf, & Safari.

I tried OnlyKey at WebAuthn, too, and get error messages on that site. I’m not a tech-security-aficionado. Just want to protect my accounts. I understand OnlyKey works for most people–and I like the company’s ethos. But I want to corroborate what I’ve read elsewhere on this forum–that some websites, like Protonmail, appear not to be working with some configurations including OnlyKey.

Stay safe, people.

For the password being incorrect, OnlyKey just types out whatever password is stored in that slot. So you could have it type out the password into Notepad to verify that the password is correct. The password should type out the same every time unless you have some sort of different international keyboard profile set on the computer.

For the WebAuthn, I just tested adding and logging in with OnlyKey with Proton Mail and it is working correctly.

Add OnlyKey as Security Key

Then logout and authenticate with security key to log in.

I am using Chrome/Brave browser. What issues are you seeing?

Hi, and thanks for replying. I’m really glad it’s working for you. It’s not working for me on Safari, Chrome, Brave, or Firefox. I consistently get an error message with Protonmail:

I’m using OnlyKey just as FIDO–along with an Authenticator on my phone. Authenticator works fine.

Webauthn also throws error messages, like:

(forum won’t let me upload additional image…)

2FA via mobile authenticators works flawlessly for me. I wanted to upgrade to security keys b/c I’ve read they’re even more secure. I used Solokeys before the company went out of business. I’m happy to support open-source enterprises. I’m not technically proficient enough and don’t have the time to become so to figure out why OnlyKey isn’t working for me.

FIDO/FIDO2 is a terrific security advance, but it seems it can depend on a lot of network factors many of us aren’t experienced in changing. A lot of us need solutions that work out of the box–especially if we’re paying for a product. I may have to stick to mobile authenticators + recovery codes. Thanks again for your reply.

This is the Webauthn error message I get when using OnlyKey:

Hello,

I use ProtonMail with an OnlyKey and an OnlyKey Duo in Firefox (for password management and 2FA authentication) across multiple platforms:

  • Windows
  • Linux
  • My Android smartphone (with a Google OTG adapter for the OnlyKey)

Initially, I encountered an issue and reached out to ProtonMail support for assistance. They advised me to clear Firefox’s cache. Following their recommendation, I wiped everything—including cookies and browsing history—and re-registered the keys using the ProtonMail interface.

Since then, everything has been running smoothly.

Best regards,

Denis

That’s terrific, Denis, that you’ve gotten OnlyKey to work for you. I’ve already reached out to Proton support, but the problem persists. Yes, I’ve followed the standard advice to clear browser caches… Again, the problem persists. And WebAuthn continues giving error messages regardless of my browser.

I’m a long-time Linux user and am acquainted with poring over the internet for solutions to FOSS tech problems. But I didn’t think I’d have to do that for a product I’ve paid for. I was also hoping to hear back from official OnlyKey company support since I haven’t found a way to contact them directly by email or phone.

Enjoy your keys.

Hello,

To clarify, I have three OnlyKey devices and one OnlyKey DUO.

The three OnlyKeys are identical—I backed up one and restored it to the other two.

  • One stays at home.
  • One is on my keyring (in a custom leather case for protection).
  • One is stored at a friend’s place as a precaution.

I also keep a backup on three cloud services (the encryption key is very strong).

All three keys work seamlessly with ProtonMail, GitHub, and Google for 2FA authentication on both PC (Windows/Linux) and my Android smartphone (using a Google OTG adapter or a budget-friendly alternative from a Chinese manufacturer).

Have you updated the firmware? Though, this shouldn’t be a concern.

Best regards,

Denis

Hello,

If you’re using Firefox, you might find the Firefox Multi-Account Containers plugin useful. It isolates website storage per tab, preventing cookies from crossing between containers.

If your issue stems from the browser, this could help. Plus, it enhances your online privacy.

Best regards,

Denis


Denis, thanks for taking the time to share. Proton support wasn’t able to help me–but I appreciated their attempt to help, too. I work 60+ hours a week and can’t devote any more time to this matter. I’ll settle for using the perhaps less secure open-source 2FA authentication apps on my phone. Best of luck to everybody!

This is weird.

If you have upgraded the firmware of your OnlyKey, then your key should be running the same version as mine.

And if our firmware versions are identical, your key should behave exactly as mine does.

I suggest testing your key using the Yubico Playground: Yubico demo website.

The process is straightforward: create an account, then add a security key by following the simple instructions provided.

Once done, sign out and sign back in. You will be prompted to touch your key.

I have personally tested this with my OnlyKey and OnlyKey Duo, and both worked flawlessly.

Please let me know the outcome of your test.

Best regards,

Denis

Hello Expat01,

I’ve replicated the issue.

I used two OnlyKey devices, “A” and “B.” I backed up “A” and restored it to “B,” making them identical.

Testing this on the Yubico Playground, I registered “A” as a security key for 2FA and was able to authenticate using both “A” and “B,” which is expected since they contain the same software.

However, when I tried this on Proton’s website, the issue occurred. “A” works fine for 2FA, but when I register “B” alongside it, neither key works.

Since this problem doesn’t happen on the Yubico Playground, I believe the issue lies with Proton. I’ve opened a ticket with them.

Best regards.


Thanks, Denis. Watching. Fingers crossed.

Hello, I’ve received a response from Proton:

The WebAuthn specification implements a “counter” to prevent key cloning. It is a number that must always increase, for each authentication performed. If a counter lower than the last used is submitted, we mark the key as compromised and block it.

I checked, and this is correct—WebAuthn requires verifying a signature counter.

Reference: WebAuthn Specification.

Therefore, Proton’s implementation aligns with the official requirements, whereas Yubico Playground’s does not.

The signature counter is linked to the RSA public key, which pairs with a securely stored private key inside the authenticator (e.g., the OnlyKey device). The public key is sent to the authentication server, while the private key never leaves the authenticator.

Since I cloned a key, all copies shared the same public-private key pair, sending the same public key to Proton’s server—hence, they were tied to the same signature counter!

As a result, Proton rightfully blocked their use.

The solution is straightforward: I simply need to generate a unique public-private key pair for each OnlyKey device. These keys will no longer be clones, but that’s irrelevant from an authentication standpoint.

I tested this approach, and it works.

I therefore recommend ensuring that your authentication keys do not share the same RSA public key.

Regards,

Denis

Denis, thanks for your continued work on this. The Proton reply is helpful. Respectfully, I’m not sure this solution is something the average security key user is aware of or would be inclined to try. It’s great for people who use encryption technology regularly so are already familiar with these steps, not so great for people seeking an out-of-the-box alternative to authenticator apps they can download to their phones and be up and running quickly & reliably. In the meantime, I’m using some open source, vetted authenticator apps on my devices. So far so good.

Thanks, again, for all your work!

If you’re facing the same issue I did, here’s the fix.

I had two identical OnlyKey devices (clones) and discovered that Proton does not allow registering more than one. The reason, as explained in my previous post, is that both devices shared the same public/private key pair, meaning they were tied to the same signature counter.

How to Register Two OnlyKey Devices with Proton

To register both devices separately, you must generate a new key pair on one of them. This ensures each device has a unique key pair and, consequently, a distinct signature counter.

Steps to Generate a New Key Pair:

  1. Fully reset one of the OnlyKey devices. ⚠️ This will erase all stored data!
  2. Reinstall the firmware: OnlyKey Firmware.
  3. Reinitialize the device using the OnlyKey application.
  • Note: The key pair is generated during initialization and cannot be changed later.

Once the reset is complete and the device is set up, you can register both OnlyKey devices separately with Proton.

Hope this helps!

If you use OnlyKey for cryptographic purposes, ensure both devices share the same cryptographic keys. This way, if one is lost, the other serves as a backup.

Important distinction:

  • Cryptographic keys (used for encryption/signing) can be updated anytime without resetting the device.
  • 2FA keys (COSE format) are generated during the device’s initialization and cannot be modified afterward.

This is correct. If you are going to be using multiple OnlyKeys, you have to register each individually on the site. OnlyKey has a backup/restore feature, but it’s only meant to be used for backup and restore and not for continued use of both keys. The restored key will have a higher counter and the backed up key will have a lower, so once you restore to a new key your old key is no longer valid.
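
The signature counter check described in Proton's reply and in the backup/restore note above, as an added example (not Proton's or OnlyKey's code). It is a simplified model: signature verification is omitted, and the `proton.example` RP ID, the credential IDs and the `RelyingParty` class are hypothetical names chosen for illustration.

```python
import hashlib
import struct

# Constructed sample values; "proton.example" is a placeholder RP ID.
RP_ID_HASH = hashlib.sha256(b"proton.example").digest()
FLAG_USER_PRESENT = 0x01

def make_auth_data(sign_count: int) -> bytes:
    """Build the 37-byte authenticator data header: rpIdHash | flags | signCount."""
    return RP_ID_HASH + bytes([FLAG_USER_PRESENT]) + struct.pack(">I", sign_count)

def parse_sign_count(auth_data: bytes) -> int:
    """signCount is a big-endian uint32 at offset 33 of authenticator data."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    return struct.unpack(">I", auth_data[33:37])[0]

class RelyingParty:
    """Per-credential counter store that blocks a credential on counter regression."""
    def __init__(self):
        self.stored = {}      # credential id -> last accepted signCount
        self.blocked = set()

    def register(self, cred_id: str, auth_data: bytes) -> None:
        self.stored[cred_id] = parse_sign_count(auth_data)

    def authenticate(self, cred_id: str, auth_data: bytes) -> str:
        if cred_id in self.blocked:
            return "blocked"
        received, last = parse_sign_count(auth_data), self.stored[cred_id]
        # The comparison applies only when at least one of the two values is nonzero.
        if (received or last) and received <= last:
            self.blocked.add(cred_id)   # counter did not increase: possible clone
            return "blocked"
        self.stored[cred_id] = received
        return "ok"

def simulate(cloned: bool) -> list:
    """A and B each keep their own counter; cloned=True means one shared credential."""
    rp = RelyingParty()
    cred_a, cred_b = "cred-A", ("cred-A" if cloned else "cred-B")
    rp.register(cred_a, make_auth_data(1))
    if not cloned:
        rp.register(cred_b, make_auth_data(1))
    return [
        rp.authenticate(cred_a, make_auth_data(2)),   # device A
        rp.authenticate(cred_a, make_auth_data(3)),   # device A
        rp.authenticate(cred_b, make_auth_data(2)),   # device B, lagging behind A
        rp.authenticate(cred_a, make_auth_data(4)),   # device A again
    ]
```

With `cloned=True` the third login presents a counter lower than the stored one, and from then on the shared credential is rejected for both devices; with `cloned=False` each device advances its own counter and every login succeeds.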