Hello. My elderly father has difficulty entering complex passwords. He uses LastPass for password management. I am considering using OnlyKey to make things easier for him but have a few questions:
Will OnlyKey (OK) allow him to log into LastPass without keyboard entry and retain the normal LastPass functionalities? e.g. accessing his e-mail, online banking, etc. without keyboard entry of passwords?
Does OK supplement or replace cell SMS MFA?
Would he have to keep OK inserted while he is working on the computer, or can he remove it after initially logging in?
Is it possible to purchase/configure redundant OK backup dongles in case he misplaces one?
I’m responding as an enthusiastically satisfied customer, not in any official capacity.
Yes. Typically, what this means is you store your strong LastPass password as an entry in your OnlyKey. Then you only have to remember and enter your OnlyKey PIN, and then have the OnlyKey type your more complex LastPass password for you; the premise is that requiring physical possession of the OnlyKey, plus the OnlyKey’s brute-forcing protection, makes up for the fact that your OnlyKey PIN is less complex than your LastPass master password. You also might have your OnlyKey be your second factor for LastPass MFA (but see below), which may be weaker security compared to keeping the password and second factor separate, but is potentially more convenient - and still more secure than not having a second factor at all. At any rate, the way you use LastPass after unlocking your vault is unchanged.
Depends on what you mean. I would assume that by “supplement” you mean are there cases where you would need both SMS MFA and to present your OnlyKey as a third factor (assuming the first factor was a password, whether it came from LastPass or the OnlyKey or somewhere else), and that would be an exceedingly rare case - I can’t think of anything that supports a setup like that except a rather contrived setup of a KeePass database. I would further assume that by “replace” you mean “the OnlyKey is used instead of receiving and entering a code by SMS,” in which case it depends on the service provider; you need them to support either FIDO2/U2F/WebAuthn security keys, which OnlyKey can handle beautifully; or authenticator apps like Google Authenticator, for which OnlyKey can substitute with some extra effort that I’ve personally never felt was worth it; or YubiKeys, for which OnlyKey can stand in…depending on…uh…things. I’ve never used that functionality.
However, if by “supplement” you meant “serve as another option” and by “replace” you meant “function as”, then it would be “supplement.” If SMS is the only MFA the service supports, then there’s no way to use the OnlyKey instead.
The OnlyKey needs to be inserted and unlocked when it is actively used to enter credentials or respond to one of the kinds of prompts it supports. Once you’ve logged into whatever you’re using it to log into or unlocked whatever you’re using it to unlock, you could unplug or lock it until you need it again - by default it locks itself after thirty minutes.
Yes: you can buy multiple OnlyKeys, and take and restore backups to keep the spares up to date - your backup OnlyKey is only as good as your latest OnlyKey backup, of course.
In the specific and rather niche case of using the Yubico OTP support, my understanding is that you can only seamlessly switch to one of your restored backups if you haven’t used that feature since the backup was taken (because it’s based on a counter). I’ve yet to encounter any service that supports Yubico OTP and doesn’t support an option I like better. (I’m actually not sure I’ve come across anything that supports Yubico OTP at all.)
Hello Ox3b0b! Thanks so much for your detailed explanation! I really appreciate your time, effort and advice. It sounds like 1, 3 and 4 will fit our needs. Still a little uncertain about #2; your interpretations of both supplement and replace are correct. For my dad, I think using OK as a replacement for SMS text would be helpful. If I understand correctly, he would enter the touch button code on the OK, then insert it. He would then press one of the buttons to navigate to authenticate LastPass (assuming LastPass supports FIDO2), then LastPass would log him into whatever website/online account he wants to visit such as his MSN e-mail, etc.
If that is correct then I’m going to get one for him. How would I make the spare into a clone of the original?
Quick note: I am describing usage of the larger model OnlyKey (it may be called the OnlyKey Color?) with six separate buttons, not the smaller Duo, with which I have no personal experience.
You plug the OnlyKey in first; it does a little light show while it gets ready, then you enter the PIN to unlock it.
I believe you can get at least to the point where you could put the cursor in the browser address bar and push a button on the OK and have it unlock LastPass for you. However, I’m not sure about getting it to open LastPass for you and unlock it without even needing to put the cursor in the address bar. I think with advanced configuration and having a hotkey to access your browser (such as pinning it to the top of the taskbar…or the left, if you keep the taskbar horizontal for some unfathomable reason) it is some degree of possible, but I personally don’t even have my OK type in URLs for me, so it’s not a mode I’m very familiar with. What I would more likely do is click the browser extension button to open its unlock dialog, put the cursor in the username field (or the password field if I let the extension remember my username), and then tap my OK button. Remember, the way credential entry works with the OK is it acts as a USB keyboard and does the typing for you. So what it can do is what a keyboard can do (and some kinds of keypress scripting require advanced mode).
LastPass supports FIDO2 only on Premium (or Families, or Business plans). Apparently this information is outdated…sort of. Advanced MFA options (which, as far as I know, still includes physical security keys) are a premium-only feature. However, they apparently now support passwordless login using WebAuthn, which should work with an OnlyKey. My browser isn’t cooperating at the moment, so I haven’t read up on how. I personally used a slightly different arrangement, have migrated mostly away from LastPass, and am getting ready to migrate the rest of the way.