Episode: 3627
Title: HPR3627: Only Key Duo
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr3627/hpr3627.mp3
Transcribed: 2025-10-25 02:23:01

---

This is Hacker Public Radio Episode 3627 for Tuesday the 28th of June 2022. Today's show is entitled, Only Key Duo. It is hosted by Operator and is about 16 minutes long. It carries an explicit flag. The summary is I talk about my new hardware password manager.

Hello everyone and welcome to another episode of Hacker Public Radio with your host Operator. Today we'll be talking about the OnlyKey Duo, which is a new version of OnlyKey that is a password typing tool like a YubiKey, whatever, if you've heard that before. So back, I don't know when, probably six months ago, maybe a year ago, they did a Kickstarter for the OnlyKey Duo.

Now before this, I have the old one or the current one in my hand here. It's probably two inches, three inches long, four inches long, three and a half inches long by an inch long. It has six buttons and they're kind of soft buttons, like what you call it, and do serve buttons. They're not actual hardware buttons, they're buttons like on your phone, whatever. It's not the same thing as your phone, but it's the non-buttony buttons. I don't really know how to explain it. Anyways, so it comes with six different buttons, one, two, three, four, five, six. You can flash it, it has an LED on the bottom. You can sign up to 20, whatever. I think you can have multiple profiles on it. I'm not really explaining what this is very well, but I've had it so long.

The main idea is that you have a hardware-based token, hardware-based password tool. You plug in the USB port, you press a button, and it types your password. But before that, you have to type in a PIN that unlocks the device. That's cool, and in fact, it allows you to have complex passwords for stuff. It works over USB. There's a dongle to plug it into your phone.
Now I will say about the dongle, you have to slow the speed down to a reasonable speed. If it types it too fast, it won't get picked up by the actual phone, so that's kind of odd. There's also other implementations of issues with that too. I've had BIOS boot stuff, like bootloader type of stuff for Symantec, do the same thing. If it's full speed ahead, and it's typing lightning fast, instantly fast, the delay for the OS is not how fast it can pick it up. You might have to adjust the speed in very rare cases.

Another case is the remote desktop over remote desktop, and sometimes there'll be some weird shenanigans with holding down shift and pressing a button, so a capital F might come out as a capital F, but then all the numbers are now symbols, and the rest of the letters are capitalized, and then it might camel case at some point with the wrong password, and of course you don't want that. There are some issues there. I want to say that's not hardware-based. I want to say that's actually AutoHotkey, so I'm correcting myself out loud. AutoHotkey will do that. It will type out really fast, and sometimes it will mess up the shift actions. You have to manually slow those down, or have it type the actual, hold down the shift button, press the key, unhold the shift button, press the key, because there's a logic in there that says, okay, if you want a capital F, obviously you want to hold down the shift key, press F, and then go from there. Anyways, that's the odds and ends, the edge cases with it.

The other thing is you want to have two of them, because if you have all your passwords on one hardware device, what happens when you lose that device? So right out of the box, they should sell you two for a cheaper price, $55 a piece. They didn't use to be that expensive. Yeah, $110. What they should do is say, hey, if you're the first time ordering OnlyKey, here's first address, people, it's only going to cost you $100, maybe you get $5 off for your first order.
So when you get to, for your first order, because you have to have two, you can't not have two. I mean, you could conceivably have just one, and then when you lose it, go back to that other computer, and I don't know, wait six months for your thing. I don't know a way to access the passwords once they've been pulled into the hardware key, they might be able to do it with the UI software, but it's the same, you don't want to be out a hardware key, so you have to buy two, that's kind of a problem. So you're spending right out of the gate, you're spending a minimum of $110.

They used to not come with the little keychain, and I don't even know, I don't even see it in here. I think they started including them. They used to have a little keychain port, and that was like $5 to, I think they come with a little keychain port, easy way to hook, kind of like a carabiner, basically. That's the original OnlyKey, I don't have any other beefs with it. You can change the LED lightness, firmware updates are easy with the new one, the newer firmware, you can update the firmware a lot easier. Let me put my phone on silent, sorry.
And the, like I said, the newer version is very small, I don't want to pull it out, it's called the OnlyKey Duo, and again, they did a Kickstarter back in, I don't know, six months ago, here you go, and they took a bunch of money, it's like 60K, and then they did the other Kickstarter, which is called, I don't remember the name of it, and they took another, which is like upwards to $100,000 for Kickstarter, which I don't know anything about starting businesses, that's probably not enough, but OnlyKey already had a presence, they already have whatever, but they're open source and whatever, so that there's a separation between the open source and the paid version, I think the actual hardware key and purchasing it, there's probably clones out there by now, whatever, I don't know, but I thought it was interesting, I thought it was a new approach.

The problem with the old key, the traditional, the long stick OnlyKey, is that obviously it sticks out, so every time I move my laptop, I put it in my bag, I take it upstairs, I take it downstairs, I have to make sure that I pull that key out, because what's going to happen is it's going to clip something at some point in time and ruin the whole port. My USB-C port is not super happy right now, just from having stress over time of that USB-C port, and it's not like USB, you can't adjust the pins on USB-C very easily, this is a very small context. Regular USB you can go in there and take a pin, safety pin or whatever, and rejuvenate that port, try contact cleaner on the contacts, and then you want to take that pin and shove it in the spring, the little part that keeps the USB plugged in, so if your USB port is wobbly, you can get a safety pin and like a magnifying glass and start pulling those down, maybe a millimeter at a time, make sure they're even and flat, and it will kind of rejuvenate that USB port, it'll never be the same, but it will at least hold it in there, so it's not flopping around like a fish and disconnecting
and causing, you know, IO errors or whatever if you're copying stuff.

So anyways the new one sticks out, Jesus, it sticks out I don't know, maybe a quarter of an inch if that, so I was confused at first because I'm like this is going to be a pain to unplug, you know I want to have to constantly unplug it and put it on the keychain, and it seems kind of dinky. The thickness of the new one is I don't know, two millimeters thick, the thickness of the old one is very thick, it's very beefy, very you know like double stacked PCB board with a round, with an o-ring around it, so the old one was very sturdy, but the new one doesn't have to be that sturdy because what, you're not going to unplug it that often, so that's the advantage there. There is a USB-C little dongle that it comes with, tiny little dongle that doesn't fit any other USB port, it's too thin, so I don't know what I can use that for, I think I actually threw it away and got rid of it.

But the idea is that the new one, you don't have to take off, you're never going to have to take out, you're never going to have to move it around unless you have more than one device, and even then if you have more than one device, the only time you should be moving it is if you're updating your passwords, so you know even if I had ten of these, I would still only leave, I would leave them all plugged in, until which time I would change the password on one of the devices, and even then you would just copy it over the network if you felt so inclined, and you didn't want to like sneakernet it over or whatever. So once you have the hardware token plugged in, there's no need to unplug it, the only reason I was unplugging it before was that it was going to clip the edge of something and ruin it.

Now, the beef I have so far with it is that it's tactilely more sensitive, so you have to be careful about where, what you're pressing, the soft buttons as they were, so it sticks out, like I said, it sticks out, if you
have fat fingers, this is not for you. It sticks out about a quarter, like I said, a quarter of an inch, and each, it is round, almost like a penny is sticking out of your USB port, or a dime, so this dime-sized round object sticking out of your laptop is what types your passwords, and on one side is the one, the other side is the two, and if you press them both together, if you touch them both together, then that's three, so between that you can set up your PIN, you can set up up to like 24, so 1, 2, 3, and then that's three different passwords, and then you have a whole long hold of 1, 2, 3, so that's what, 6, and somehow you can do 24, I don't know, but you can have multiple profiles too, and you can switch, I think that's what they do, they do multiple profiles.

I only use four, I only have four passwords, and sort of a fifth one, but I know the fifth one, and I actually know all my passwords except two of them, so really I only need it for two passwords, the rest of them are passphrases that I actually remember, because I don't always have my USB key for personal stuff, but I do always have it for work, so my work ones are super complex, and that seems to work, and so I have a different profile for my work ones, but in general I really only have two complex ones that I don't know, and the rest are in a password safe or whatever, that's pretty much it.

The other piece is that I kind of complained and said, hey, you know, hello, what's going on, there's no feedback about the Kickstarter, you guys are supposed to be shipping out the end of last month, and there's nobody's, they hadn't said anything in like a full 28 days, or there was some ridiculous amount, it was like a month, so I said, look, you know, the only chatter is external chatter from people that are wondering where their stuff is, so I put something on their official support, and it got taken down the same day, my account was suspended, so that's a little disconcerting that they're, you know, that's
their own support site, so if they want to moderate, they can moderate it, but it's a little disconcerting that, you know, the only post I made on their support forums was pulled instantly because it's kind of a rant saying, hey, if you're going to take, you know, $100,000 from $2,000, whatever 100 people, you can at least be, let them know what's going on, you know, you can't just ghost people, so they got a little offended with that and had it removed, and I can sort of understand that.

But the only reason I found out is because I was logging in to help them and say, hey, the new USB Duo, the executable requires admin, so it's retarded, so if you're going to, you know, have an application that goes along, now, before, the old version has a Chrome plugin that will still sort of work with the Duo, but you won't be able to actually set up the Duo initially without local admin.

Now the workaround for that, you can do the, I actually tried to do the set compatibility layer or whatever it's called in Windows, you can say, if nobody knows about this, but if something says you need admin to run it, you don't actually need admin, of course. You can run it as a different context, and let me look at that real quick, hold on. The example I gave is on my GitHub, there are scripts, AutoHotkey, AutoHotkey.bat, there is a set compat layer equals RunAsInvoker, no spaces and caps. So that basically says it's a compatibility thing that you can right-click an executable and say don't run as administrator for run-as, you know, whatever user. I think that still exists in Windows, but anyways, that's one way to do it, and I ran it, and of course it said oh, can't write to Program Files. So they won't even tell you, you can't even specify where you want to install the app, which is ridiculous.
But luckily I was able to use 7-Zip to extract it, because it's a self-extracting executable, and that's all it is, it's some JavaScript crap, but I was able to run it, configure the Duo, so I do like it, I just wish that they had, and they're probably working on a Chrome-based setup tool that doesn't require administrator or the knowledge to right-click extract and then run the executable that needs to be run to get the software to work. I'm sure there's other ways to configure it, and I'm just, you know, a stupid person, but I'm not going to crawl around GitHub, their GitHub, looking around for how to do it. I just went through their documentation and they're like download this and run it, and it's like, it's not going to work when it runs for admin. So a lot of people on secure systems don't run around as local admin, so if your requirement is that people have local admin to install your hardware key foc tool, that's a little bit ridiculous. So I kind of want to rant about that, but I'm not going to, it's a beta thing.

You can actually buy them right now, I think, let me check OnlyKey. Yep, they're the same price, $55. So you can get the OnlyKey Duo shipping out April 2022, which is now. So essentially I could have ordered available pre-ordered shipping in April 2022, so I think I could have ordered it and got it about the same time as the Kickstarter, but whatever, it's Kickstarter, my first Kickstarter, probably blah, but that's my only beef, and I hope that helps somebody else. I've had an OnlyKey, but I gave it away, so I don't have anything to compare to. Take it easy.

You have been listening to Hacker Public Radio at Hacker Public Radio dot org. Today's show was contributed by an HPR listener like yourself. If you ever thought of recording a podcast, then click on our contribute link to find out how easy it really is. Hosting for HPR has been kindly provided by AnHonestHost.com, the Internet Archive, and rsync.net.
Unless otherwise stated, today's show is released under Creative Commons Attribution 4.0 International