Multiple OnlyKeys can be used for KeepassXC challenge-response?

I have two OnlyKeys:

  1. “OnlyKey 1” has a few slots set, and is configured as the hardware key for my KeepassXC database.
  2. The second key, “OnlyKey 2”, has just been initialized, but is otherwise empty.

KeepassXC authentication works as expected with “OnlyKey 1” as the hardware key.

However, curiously, I noticed that I can also use “OnlyKey 2” instead, which is just initialized, but otherwise nothing has been configured.

Is this expected behavior?

So any arbitrary initialized OnlyKey (not just the specific one configured with the KeepassXC database) can be used (together with the password) to unlock the KeepassXC database?

I fail to see the major security enhancement if that’s the case – or am I missing something?

Is it possible you had both keys plugged in when testing this? Another alternative is if you had restored the backup from OnlyKey 1 to OnlyKey 2 during initial setup, that way the 2nd key would have the same private value as the 1st from the backup.
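
As an added illustration of the reply above (not code from the original thread, from OnlyKey or from KeePassXC): a Python model of HMAC-SHA1 challenge-response showing why a key restored from OnlyKey 1's backup unlocks the database while an independently initialized key should not. `SimulatedKey`, `derive_db_key` and the way the password and response are mixed are simplifying assumptions, not KeePassXC's actual key derivation.

```python
import hashlib
import hmac
import os


class SimulatedKey:
    """Stand-in for a hardware key holding an HMAC-SHA1 secret (constructed)."""

    def __init__(self, secret=None):
        # A freshly initialized key gets its own random secret.
        self._secret = secret if secret is not None else os.urandom(20)

    def backup(self):
        return self._secret

    @classmethod
    def restore(cls, backup):
        return cls(secret=backup)

    def respond(self, challenge):
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def derive_db_key(password, challenge, key):
    """Simplified composite key (assumption): password hash plus key response."""
    pw_hash = hashlib.sha256(password.encode()).digest()
    return hashlib.sha256(pw_hash + key.respond(challenge)).digest()


def can_unlock(password, challenge, expected, key):
    return hmac.compare_digest(derive_db_key(password, challenge, key), expected)


def shares_secret(key_a, key_b, rounds=4):
    """Cloned-secret check: responses to fresh random challenges must all match."""
    challenges = (os.urandom(32) for _ in range(rounds))
    return all(hmac.compare_digest(key_a.respond(c), key_b.respond(c)) for c in challenges)


def demo():
    challenge = os.urandom(32)                   # per-database value, constructed here
    key1 = SimulatedKey()                        # "OnlyKey 1", enrolled with the database
    fresh = SimulatedKey()                       # independently initialized key
    clone = SimulatedKey.restore(key1.backup())  # set up from OnlyKey 1's backup
    enrolled = derive_db_key("correct horse", challenge, key1)
    return {
        "fresh_unlocks": can_unlock("correct horse", challenge, enrolled, fresh),
        "clone_unlocks": can_unlock("correct horse", challenge, enrolled, clone),
        "clone_wrong_pw": can_unlock("wrong", challenge, enrolled, clone),
        "fresh_shares": shares_secret(key1, fresh),
        "clone_shares": shares_secret(key1, clone),
    }
```
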