Can an Only Key manage multiple website logins?

This is false. A hardware 2FA does not make it impossible to have your passwords exposed.

  • Many sites do not support 2FA or non-password single-factor logon.
  • A hardware key alone does not represent superior security to a password in any fashion.
  • Password managers are not necessarily centralized, cloud options.
  • Exploits get patched out and security improved over time. Best practices (e.g. 2FA use) mitigate the effect of existing exploits (e.g. social engineering, which a hardware key cannot protect you against).

You have a much better option. I’ll go ahead and detail it.

  1. Host the password manager yourself, where the database is on hardware that you control. You are a much smaller target than a Lastpass or a Bitwarden company, and if you set it up right, attacks will require physical access to your hardware or access to your network, and either way, you have ways to protect against that. I suggest using Vaultwarden. It’s got a lot of nice features as an implementation (unofficial) of Bitwarden. You are going to have to make compromises here. For example, if you need mobile access, the syncing server capacity is an attack surface - but that doesn’t mean it’s likely to be used against you. Figure out what’s reasonable in your context (Who’s going to attack you? What are they going to gain? Why would they do that? etc) and act accordingly. Either way, make sure your vault password is complex and memorable: do not write this password down anywhere or use it for anything else or keep any record of it outside the vault.

  2. Use a correcthorsebatterystaple password generator to increase the strength of all your passwords – reset all of them to unique passwords of this type. I like this generator, just remember that each password should be unique from all others and check each against haveibeenpwned.

  3. Consider removing accounts that have refused to implement 2FA or that use insecure methods for changing passwords – such as a forgot password link that sends an email with your password actually in the text.

  4. Buy 4 or 6 YubiKeys or similar.

  5. Set up half the keys to handle just your password vault, so it needs password+one of these keys to unlock.

  6. Set up your accounts to require pw+key, and set up your other YubiKeys as that key.

  7. Keep the first pair of keys (vault+accounts) on your person. Keep the 2nd pair in a lockbox in your home (warm backup). Put the 3rd pair in a buddy or relative’s home in a safe or lockbox (cold backup). If you’re worried about social engineering, talk to support on all these accounts, and get a note placed on your account to lock it if someone tries to deactivate the 2FA.

  8. If you want to go even further, set up keys for 2FA access to your actual devices. Do this with the same things – complex passwords (but make sure you can remember this one), backup key locked up, primary key always on your person. This step may well require Linux, btw.

With this, you should be able to significantly increase your security with hardware keys, unlike your initial plan which does not increase your security in a meaningful manner.

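Step 2 above (generate a unique correcthorsebatterystaple-style passphrase per site and check each one against haveibeenpwned) can be scripted. The following is an added example, not code from the post's author or from any of the tools named; it uses a constructed mini wordlist (a real EFF/diceware list has 7776 words) and a constructed sample of a Pwned Passwords range response so that it runs offline, and it computes the k-anonymity query such that only the first five hex characters of the SHA-1 hash would ever leave your machine.

```python
import hashlib
import math
import secrets

# Constructed mini wordlist for illustration; use a full EFF or diceware
# list (7776 words) in practice so each word contributes ~12.9 bits.
WORDLIST = [
    "correct", "horse", "battery", "staple", "ocean", "pixel",
    "walnut", "glacier", "tractor", "violin", "saffron", "meadow",
]

# Real endpoint; the request itself is not made here (offline example).
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def passphrase(n_words=5, wordlist=WORDLIST, sep="-"):
    """Generate an n-word passphrase using the OS CSPRNG (secrets, not random)."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(wordlist_size, n_words):
    """Entropy of a uniformly chosen n-word phrase: n * log2(wordlist size)."""
    return n_words * math.log2(wordlist_size)


def hibp_range_query(password):
    """Return (prefix, suffix) of the uppercase SHA-1 hex digest.

    Only the 5-char prefix is sent to HIBP_RANGE_URL; the caller then looks
    for the suffix in the returned list, so the full hash never leaves the host.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count_from_response(suffix, response_text):
    """Parse a 'SUFFIX:COUNT' per-line range response; 0 means not found."""
    for line in response_text.splitlines():
        line = line.strip()
        if not line:
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix.upper() == suffix.upper():
            return int(count)
    return 0


# Constructed sample response for prefix 5BAA6 (the prefix of sha1("password")).
# The count is made up; a live response lists every suffix sharing that prefix.
SAMPLE_RESPONSE = (
    "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\n"
    "1F3A9C0D1E2B3C4D5E6F708192A3B4C5D6E:1\n"
)
```

`breach_count_from_response` also handles a padded response (HIBP can return suffixes with a count of 0 when the `Add-Padding` header is sent), since a zero count simply means "not found".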