Multiple OnlyKeys can be used for KeepassXC challenge-response?

ZorgroZ · March 11, 2021, 4:00pm

I have two OnlyKeys:

“OnlyKey 1” has a few slots set, and is configured as hardware key for my KeepassXC database.
The second key, “OnlyKey 2” has just been initialized, but is otherwise empty.

KeepassXC authentication works as expected with “OnlyKey 1” as hardware key.

However, curiously, I noticed that I can also use “OnlyKey 2” instead, which is just initialized, but otherwise nothing has been configured.

Is this expected behavior?

So any arbitrary initialized OnlyKey (not just the specific one configured with the KeepassXC database) can be used (together with the password) to unlock the KeepassXC database?

I fail to see the major security enhancement if that’s the case – or am I missing something?

t11 · March 11, 2021, 5:57pm

Is it possible you had both keys plugged in when testing this? Another alternative is if you had restored the backup from OnlyKey 1 to OnlyKey 2 during initial setup, that way the 2nd key would have the same private value as the 1st from the backup.

Topic		Replies	Views
Serial Numbers per device?	1	227	August 19, 2021
OnlyKey not being recognised as Yubikey by KeePassXC Hardware Password Manager	17	1646	January 11, 2022
KeepassXC: HMAC mismatch when saving KeepassXC database after OnlyKey timeout (kinda SOLVED) Challenge-Response	8	970	April 2, 2024
Onlykey-agent fails after HMAC-SHA1/KeePassXC SSH, OpenPGP, GPG	2	261	January 26, 2022
2.1.2 firmware update-HMAC for KeepassXC Firmware Loading	10	393	February 23, 2022

Multiple OnlyKeys can be used for KeepassXC challenge-response?

Related Topics