Sysadmin mode should not require config mode to set slots

I like the idea of sysadmin mode. (Being able to use backslash escapes in username/password fields.)

However I don’t like the idea that then I have to do the config mode entry procedure to change any slot after that. I don’t see any reason why the two behaviours should be linked.

Can you please unbundle these two behaviours, so they can be configured separately?

It’s a security feature. Let’s say we didn’t require config mode, and then you used your OnlyKey on a system that was compromised by an advanced adversary trying to target you. They could program your OnlyKey to do something like press Win+R then run a command that would do malicious things. Requiring config mode makes it so that your device can only be programmed when you authorize it on a trusted device.

This notional advanced adversary would have to have access to write data to my USB port to do this, at which point they could most likely just run whatever they liked.

I do take your point that this would be important if I was plugging my OnlyKey into untrusted computers. But I’m not.

OnlyKey has the option to lock after a timeout, or not, or do a full wipe, or not, according to its user’s security needs.

For it to allow these flexibilities, yet be rigidly opinionated about requiring config mode for slot programming when in sysadmin mode, seems rather inconsistent to me.

This notional advanced adversary would have to have access to write data to my USB port to do this

Right, but the threat model here is not that the adversary is doing bad things to the compromised computer; you are right that they could most likely run whatever they liked on this system. It’s that if, from a compromised computer, they could write a malicious command to be run by typing it out, then this could be run on other non-compromised systems to compromise them.

I.e. I’m a system admin, I plugged my OnlyKey into user Jeff’s computer to log into something to fix a problem. Jeff has an advanced adversary that wants to compromise more than just Jeff’s system and tries to overwrite the sysadmin mode OnlyKey to do that. Is this likely to happen? No, but we do have to build security protections for threat models like this to ensure it doesn’t.


But you don’t have to assume the same threat models apply to all users, though.

If I was going to plug my OnlyKey into computers outside of my direct control, I would like and want the protection of requiring config mode to change anything on the device. But for the use-cases I have programmed my current OnlyKey for, that’s never going to happen, so I dislike the imposition of the unnecessary extra step.

As mentioned in my previous message, other OnlyKey settings allow the user to configure them appropriately for the threat models of their own use case. So why not this one too?

But you don’t have to assume the same threat models apply to all users, though.

No, this specific threat model applies only to users that have enabled sysadmin mode. There is no way to press Win+R or other special characters that would trigger entering a command unless sysadmin mode is enabled.

In my two previous messages I have acknowledged that I understand the point of this, for OnlyKeys in sysadmin mode that get exposed to untrusted devices.

I have twice said that this is not my use-case, but you have not responded to this, instead just restating your original point each time.

We understand there are a lot of users with specific use cases. Unfortunately we can’t always implement a feature for every user’s specific use case. In this case the requested feature to meet your use case would decrease the security of the device and that is what I explained above. I will leave this thread open and if there are other users interested in this feel free to like the post here.