The U2F Garden

OnlyKey

A United States-made hardware key with on-device PIN entry, password storage, FIDO2, OpenPGP, SSH, and OTP.

CTAP 2.1

Supports CTAP 2.1, including features like enforced PIN complexity, credBlob, largeBlob, and alwaysUv

FIDO2 Certification

Certified by the FIDO Alliance as conforming to FIDO2 standards

FIDO L1 Certification

Certified by the FIDO Alliance to meet L1 Security Standards

HOTP passwords

Supports HMAC-based One-Time Password (HOTP) generation

PIN Authentication (physical)

Features a physical PIN pad for authentication

Resident Cryptographic Keys

Supports WebAuthn discoverable resident credentials, the building block of passkeys

Resident ECDSA keys

Supports ECDSA discoverable keys

Stored passwords

Supports stored, static passwords, usually configured with a vendor-specific application

Timed OTP passwords

Supports Time-based One-Time-Password generation

U2F Authentication

Conforms to the U2F Authenticator and WebAuthn standards

YubiOTP

Enables use of Yubico YubiOTP one-time-passwords

The OnlyKey is unusual in this market. It carries six physical buttons on the device, which means PIN entry happens on the key rather than on the host computer. The key itself acts as a small password manager, storing static credentials that can be typed into login forms, and supports FIDO2, U2F, Yubico OTP, OATH TOTP and HOTP, OpenPGP signing and decryption, and SSH key storage.

A self-destruct PIN wipes the key when entered. A duress PIN unlocks a separate set of credentials, designed for situations where someone is forcing you to unlock the device.

OnlyKey’s FIDO2 certification was completed relatively recently, after years of FIDO2 work being supported only through their own conformance testing.

For a smaller form factor with USB-C, see the OnlyKey DUO.