I’ve been looking for a hardware key that requires both the device itself and the user to authenticate using input on the device itself in order to perform cryptographic operations. The OnlyKey theoretically meets these requirements, although I do have a question about it. Is your PIN used to actually encrypt the secret data? Or does the microcontroller just validate the hash of the PIN to determine whether or not it can send the secret data over USB?
I saw some posts on here mentioning that an OnlyKey Plus is under development and will include encrypted storage. Does that imply that the OnlyKey does not encrypt secrets?
The PIN is just used to validate a hash. There is a detailed explanation here: About Security | Docs.
In regard to encrypting secrets: yes, all secrets and other information stored on OnlyKey are encrypted. Here is how data is stored: About Security | Docs.
The OnlyKey Pro would also add data storage, for example a 1TB encrypted flash drive.
Speaking of brute-forcing a PIN, one of the downsides to the device (that I’m not sure can be overcome without non-volatile memory on the device) is that the lockout feature/protection is useless. You can reset the tries indefinitely by removing the device from the USB slot and re-inserting it, which effectively resets the number of tries. Time-consuming, but a weakness nevertheless.
I’m just a user, but that Chris guy is wrong. I tried it on my key. Reinserting the key does not reset the lockout count. If you enter the wrong PIN 10 times it will erase the key.
Just wish I could get help building this firmware!
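Added example, not part of any post above and not OnlyKey firmware: a small C model of the question the thread argues over, showing why a failed-PIN counter kept in non-volatile storage survives a re-plug and still reaches the 10-try wipe. All names (`nv`, `vol`, `try_pin`, `power_cycle`) are hypothetical, and the FNV-1a hash is only a stand-in for whatever PIN hash a real device uses.

```c
#include <stdint.h>
#include <string.h>

#define MAX_TRIES 10  /* wipe threshold stated in the thread */

/* Constructed model: 'nv' survives unplugging, 'vol' does not. */
static struct { uint8_t provisioned, failed; uint32_t pin_hash; uint8_t secrets[16]; } nv;
static struct { int unlocked; } vol;

/* FNV-1a, a stand-in so the example is self-contained; NOT a real PIN hash. */
static uint32_t toy_hash(const char *s) {
    uint32_t h = 2166136261u;
    while (*s) { h ^= (uint8_t)*s++; h *= 16777619u; }
    return h;
}

void provision(const char *pin) {
    nv.provisioned = 1;
    nv.failed = 0;
    nv.pin_hash = toy_hash(pin);
    memset(nv.secrets, 0xA5, sizeof nv.secrets);  /* constructed secret data */
    vol.unlocked = 0;
}

/* Unplug and re-insert: only volatile state is lost. */
void power_cycle(void) { memset(&vol, 0, sizeof vol); }
int failed_tries(void) { return nv.failed; }
int secrets_present(void) { return nv.provisioned && nv.secrets[0] != 0; }

/* Returns 1 = unlocked, 0 = wrong PIN, -1 = wiped or never provisioned. */
int try_pin(const char *pin) {
    if (!nv.provisioned) return -1;
    nv.failed++;  /* commit the attempt BEFORE comparing, so pulling
                     power during the check still costs a try */
    if ((toy_hash(pin) ^ nv.pin_hash) == 0) {
        nv.failed = 0; vol.unlocked = 1; return 1;
    }
    if (nv.failed >= MAX_TRIES) { memset(&nv, 0, sizeof nv); return -1; }
    return 0;
}

/* Make n wrong guesses, re-plugging after each; returns the last result. */
int guess_with_replug(int n) {
    int r = 0;
    for (int i = 0; i < n; i++) { r = try_pin("271829"); power_cycle(); }
    return r;
}
```

If `failed` lived in `vol` instead of `nv`, `power_cycle()` would zero it and the wipe branch would never be reached, which is the weakness described in the post above.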