
OnlyKey: Open-Source Alternative to YubiKey - mcone
https://onlykey.io/
======
klhugo
Security keys are the heart of security and we desperately need open-source
solutions on this. Kudos for doing it.

Now, I must point out a few things:

1. Please don't call your solution "Open-source" when you do not even have
the schematics uploaded to GitHub.

2. (this item is an open problem without a solution yet) how do I make sure
the source code and the (still missing) hardware information actually
correspond to the hardware I'm buying?

If we do take item 2 seriously, one may say that buying Yubico is actually
"safer" than your open-source solution, mainly due to company reputation and
credibility.

Again, sorry for the harsh words, but I take my keys seriously.

~~~
Tharre
The "security" of this device is a joke, just look at how randomness is
derived:

    unsigned int analog1 = analogRead(ANALOGPIN1);
    RNG.stir((uint8_t *)analog1, sizeof(analog1), sizeof(analog1)*2);
    unsigned int analog2 = analogRead(ANALOGPIN2);
    RNG.stir((uint8_t *)analog2, sizeof(analog2), sizeof(analog2)*2);

(See [0] for a comprehensive summary of why this is a terrible thing to do)

And yeah, analogRead() is a function from the Arduino library because .. well,
apparently there's an Arduino compatible chip inside that does all the
cryptographic operations. Meaning that there is no hardware security
whatsoever and it's trivial to extract all your keys from the device if you
ever lose it. Whoops.

[0] [https://arxiv.org/pdf/1212.3777.pdf](https://arxiv.org/pdf/1212.3777.pdf)
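
Added example, not part of the original comment or of the OnlyKey code: a Python check of the concern raised above, estimating the min-entropy of analogRead()-style samples and comparing it with the credit passed to RNG.stir(). It assumes the third argument is an entropy credit in bits (as in the Arduino Cryptography Library's RNG class) and a 4-byte unsigned int; the readings are constructed, not captured from a device.

```python
"""Check an entropy credit against what ADC-style samples can support."""
import math
from collections import Counter

# Constructed data: 1000 readings from a hypothetical 10-bit ADC on a floating
# pin, hovering around mid-scale. Not captured from any real device.
_PATTERN = [512] * 10 + [513] * 5 + [511] * 4 + [514]
SAMPLES = _PATTERN * 50

# Credit used in the quoted snippet: sizeof(analog1) * 2. Assumes a 4-byte
# unsigned int and that the credit is counted in bits (both are assumptions).
# The quoted call also casts the reading itself to a pointer; this model
# looks only at the readings themselves.
CREDITED_BITS = 4 * 2


def mcv_min_entropy(samples, z=2.576):
    """Most-common-value min-entropy estimate, in bits per sample.

    Same shape as the estimator in NIST SP 800-90B section 6.3.1: take the
    frequency of the most common value, add a 99% confidence margin, and
    return -log2 of that probability. It treats samples as independent, so
    for a correlated source (as ADC noise usually is) it is an upper bound.
    """
    n = len(samples)
    if n < 2:
        raise ValueError("need at least two samples")
    p_hat = Counter(samples).most_common(1)[0][1] / n
    p_upper = min(1.0, p_hat + z * math.sqrt(p_hat * (1 - p_hat) / (n - 1)))
    return max(0.0, -math.log2(p_upper))


def samples_needed(target_bits, bits_per_sample):
    """Samples required to collect target_bits; None if the source is stuck."""
    if bits_per_sample <= 0:
        return None
    return math.ceil(target_bits / bits_per_sample)


def audit_credit(samples, credited_bits, target_bits=256):
    """Compare the credit the firmware claims with the measured estimate."""
    measured = mcv_min_entropy(samples)
    return {
        "measured_bits": measured,
        "credited_bits": credited_bits,
        "overcredit_factor": (credited_bits / measured
                              if measured > 0 else math.inf),
        "samples_pool_counts": samples_needed(target_bits, credited_bits),
        "samples_actually_needed": samples_needed(target_bits, measured),
    }


if __name__ == "__main__":
    for key, value in audit_credit(SAMPLES, CREDITED_BITS).items():
        print(f"{key:>24}: {value}")
    # A pin tied to a rail yields identical readings and zero entropy,
    # yet a fixed per-call credit would still be added to the pool.
    print("stuck pin:", audit_credit([1023] * 100, CREDITED_BITS))
```

With these constructed readings the pool would consider itself seeded with 256 bits after 32 samples, while the optimistic estimate says 289 are needed.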

~~~
marcan_42
It seems this is literally written in the horrible Arduino "everything in one
huge file" style:

[https://github.com/trustcrypto/OnlyKey-Firmware/blob/master/...](https://github.com/trustcrypto/OnlyKey-Firmware/blob/master/OnlyKey_Beta/OnlyKey_Beta.ino)

The funny thing is they have a "Source code reviewed by Codacy" badge on the
readme claiming the code is grade A... but if you actually click through, of
course Codacy didn't pick up the .ino file at all, so in fact nothing of
substance is being reviewed. That .ino file wouldn't pass any style review...
it's a mess.

Anyway, looks like that firmware is incomplete (e.g. "onlykey.h" is missing).
Just a quick scroll through the code gives me zero confidence in this thing,
code quality wise. Someone who can't consistently indent code almost certainly
isn't qualified to be writing security-critical software.

Edit: looks like the rest of the code is here, and yeah, it doesn't inspire
much confidence (7000+ lines of code in okcore.cpp, ouch):
[https://github.com/trustcrypto/libraries/tree/master/onlykey](https://github.com/trustcrypto/libraries/tree/master/onlykey)

~~~
cr7pt0
I understand the Arduino model is different than other projects but we proudly
use Arduino as it's open source and has lots of great features. As we use the
Arduino model you can find that our source consists of the .ino you mentioned
here [https://github.com/trustcrypto/OnlyKey-Firmware](https://github.com/trustcrypto/OnlyKey-Firmware) as well as
libraries here
[https://github.com/trustcrypto/libraries](https://github.com/trustcrypto/libraries).
Our code is reviewed by Codacy and yes, it does receive a grade of A. For the
.ino grading you will need to look at the OnlyKey-Firmware Github repo and for
the libraries check out the libraries library. I think some of the confusion
in your comment here may be related to how Arduino works, all source can be
found on Github.

~~~
marcan_42
It seems you're confused as to what Codacy is reviewing. Look at their
dashboard for the OnlyKey-Firmware repo. They are not reviewing your .ino file
at all, because they do not consider that file extension as code. Only the
toplevel C files are covered.

~~~
cr7pt0
The .ino file is included in Codacy review and receives a grade of A. You can
find that here - [https://app.codacy.com/manual/onlykey/OnlyKey-Firmware/dashb...](https://app.codacy.com/manual/onlykey/OnlyKey-Firmware/dashboard)

All libraries are included and also receive a grade of A.

~~~
marcan_42
You just changed that. It was not included when I looked, and this fact is
obvious by the "OnlyKey-Firmware has decreased 1% in quality in the last 7
days." banner. You have made no commits to the repo since Oct 23, so the only
way the quality would decrease in the past week is if you changed the settings
to include the .ino file.

------
cr7pt0
Thanks for all of the interest in OnlyKey! Full disclosure, I work for
CryptoTrust and am on the team that makes OnlyKey. I wanted to try to address
the questions/concerns in this thread in one place and provide some useful
links for more information. OnlyKey started from a successful kickstarter
launch in 2016 and has grown to become a popular product for businesses and
individuals.

- OPEN SOURCE - If you are looking for OnlyKey source you will find it here
[https://github.com/trustcrypto](https://github.com/trustcrypto) all of our
apps and firmware are open source. OnlyKey is not open hardware, however the
hardware design is very transparent, literally. The device has a clear
protective coating on the hardware which in addition to adding durability
allows visually verifying everything.

- ABOUT SECURITY - Security documentation is here
[https://docs.crp.to/security.html](https://docs.crp.to/security.html) and
provides information on how OnlyKey random number generator works, supply
chain, side-channel attacks etc. One thing that you will notice about OnlyKey
that differentiates it from other security keys is the on key PIN entry. While
no device is immune to hacking, this feature mitigates many traditional threat
models. We are always open to discussing specific threat models openly on our
support forum.

- WHERE TO GO FOR MORE INFO
  - Get started - [https://onlykey.io/start](https://onlykey.io/start)
  - General documentation - [https://docs.crp.to/](https://docs.crp.to/)
  - FAQs - [https://docs.crp.to/faq.html](https://docs.crp.to/faq.html)
  - Compare to Yubikey - [https://crp.to/p/](https://crp.to/p/)
  - Setup and User's Guide - [https://docs.crp.to/usersguide.html](https://docs.crp.to/usersguide.html)
  - Features - [https://docs.crp.to/features.html](https://docs.crp.to/features.html)
  - Support - [https://forum.onlykey.io/](https://forum.onlykey.io/)
  - List of supported services - [https://onlykey.io/pages/works-with-onlykey](https://onlykey.io/pages/works-with-onlykey)

~~~
bpfrh
Any chance that key can be used for windows login?

I'm searching for a key that also works as a smartcard for Windows on prem
active directory authentication, as well as FIDO2 support.

Or a key that has software which allows this.

edit: changes should be chance

~~~
cr7pt0
One of the nice things about OnlyKey is you have options.

- You can use OnlyKey to store a password up to 56 characters long for Windows
login. You don't remember this password; OnlyKey types it for you.
- You can use OnlyKey as a FIDO2 security key to login to Windows with Azure AD.

~~~
bpfrh
Thanks for the answer!

So it basically registers itself as a keyboard?

Even if the Windows PC is locked?

How does it know which password to type?

Unfortunately everything that is more complicated than "take that stick and
stick it in the usb port" is gonna be difficult.

I know about the FIDO2 with azure AD, but I need it for on prem AD, which
doesn't support fido2.

~~~
cr7pt0
Yes, OnlyKey appears to the computer/mobile device as a keyboard. That is why
it works on all computers and even iPhone/Android with an adapter available in
our store -
[https://onlykey.io/collections/accessories-1](https://onlykey.io/collections/accessories-1)

Yes, it would type the password to unlock your Windows PC.

You assign password/login info to a button, you press that button. I.e. Button
number 1 is my Windows login so I would press the 1 button to login. After the
OnlyKey is unlocked that is, a PIN is required to be entered on the same
buttons providing physical security.

------
ComodoHacker
Setting aside problems with this particular device, the whole "trust the open-
source hardware" model is inherently flawed. Every useful security hardware
will be commoditized, then faked and/or trojaned. We can't take the open-
source software approach and rely on many volunteer eyes catching
vulnerabilities and backdoors. First, there just aren't enough skilled
professionals capable of proper hardware review. And second, how can you be
sure the device in your hand strictly meets its specs? There's no such thing
as digital signatures and reproducible builds for hardware. Vendor reputation
is all we have for now.

Can we do something about this?

~~~
scumbert
To do something about this requires supply chain security that you won't find
outside governments that are able to realize economies of scale.

~~~
xvector
Librem is working towards such a supply chain, right? The Librem 5 costs $2k
but is made entirely in the US

~~~
allset_
Assembled, not made.

------
funkaster
I really like the concept. I bought 4 of them a while ago (maybe a couple of
years?) mostly to support them. I used one onlykey as my daily driver, I tried
to integrate it with pass (my password manager at that time) without much
luck. The software itself was very rough, the key was not meant to be used in
your keychain: clear signs of usage after about a month, the usb port started
to "fade", it was hard to use the touch buttons, it factory reset at some
point (out of nowhere). Overall: I'm going to keep an eye, try them again in
the future, but I feel the product needs one or two more iterations before I
can depend on them as my daily security driver. Oh, and LED lights stopped
working after a few weeks.

one huge disadvantage (which is the same for yubikey) is that I use
programmers dvorak as my keyboard layout: had to change it every time to
English to input the passwords/token.

~~~
young_blood
There's currently an issue (and an open PR) in to add dvorak support, though,
I'm not sure if/when it'll be merged.

[https://github.com/trustcrypto/OnlyKey-Firmware/issues/85](https://github.com/trustcrypto/OnlyKey-Firmware/issues/85)

~~~
Tharkun
There are many, many keyboard layouts out there. Maybe it's time for an input
standard that acknowledges this fact, instead of endlessly putting the onus on
OS developers and users. Maybe keyboards should output UTF8 instead of messy
keycodes.

~~~
samatman
This would require new hardware.

If one is already going to be purchasing new hardware, one may as well get a
QMK keyboard. This way you can program it with any keyboard layout you would
like, and it will work on any computer without having to change the system
defaults.

Clearly this doesn't help with built-in keyboards such as found on laptops;
the clear workaround for this specific product is to allow it to import
keyboard layouts in the various OS-specific forms they exist in.

~~~
Tharkun
Sadly it doesn't seem to work that way. BE/AZERTY keyboards, for instance,
have a physical key that US/QWERTY keyboards do not (<>\). The OS will ignore
that key unless it's set up to use a layout that includes the key. There is no
way to program a QMK keyboard to fix that (unless you change the OS to run the
BE layout), because QMK does not map keypresses to characters. It maps
keypresses to keycodes, which depend on OS keyboard layouts, specifically
US/QWERTY and sometimes DVORAK. At least that's how I see it.
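
Added example, not part of the original thread: a Python model of the mismatch discussed above, where a password-typing device sends USB HID usage IDs chosen for a US-QWERTY host and the host decodes them with a Dvorak layout. The tables cover standard Dvorak (not Programmer Dvorak), the function names are illustrative, and the sample passwords are constructed.

```python
"""Model a password-typing token whose keycodes meet a different host layout."""

# Physical keys in US-QWERTY order, with the character each one yields
# unshifted and shifted under US-QWERTY and under standard Dvorak.
US_PLAIN = "qwertyuiop[]asdfghjkl;'zxcvbnm,./-="
US_SHIFT = 'QWERTYUIOP{}ASDFGHJKL:"ZXCVBNM<>?_+'
DV_PLAIN = "',.pyfgcrl/=aoeuidhtns-;qjkxbmwvz[]"
DV_SHIFT = '"<>PYFGCRL?+AOEUIDHTNS_:QJKXBMWVZ{}'
DIGITS, DIGIT_SHIFT = "1234567890", "!@#$%^&*()"

# USB HID keyboard-page usage IDs for the non-letter keys above.
_PUNCT_USAGE = {"-": 0x2D, "=": 0x2E, "[": 0x2F, "]": 0x30, ";": 0x33,
                "'": 0x34, ",": 0x36, ".": 0x37, "/": 0x38}


def _usage(us_char):
    """Usage ID of the key that prints us_char unshifted on US-QWERTY."""
    if us_char.isalpha():
        return 0x04 + ord(us_char) - ord("a")
    return _PUNCT_USAGE[us_char]


def build_layout(plain, shifted):
    """Return {usage_id: (unshifted_char, shifted_char)} for one layout."""
    layout = {_usage(k): (p, s) for k, p, s in zip(US_PLAIN, plain, shifted)}
    for i, (d, s) in enumerate(zip(DIGITS, DIGIT_SHIFT)):
        layout[0x1E + i] = (d, s)  # digit row is the same in both layouts
    return layout


US_QWERTY = build_layout(US_PLAIN, US_SHIFT)
DVORAK = build_layout(DV_PLAIN, DV_SHIFT)


def encode(text, layout=US_QWERTY):
    """Device side: turn text into (shift, usage_id) reports for a layout."""
    reverse = {}
    for usage, (plain, shifted) in layout.items():
        reverse[plain] = (False, usage)
        reverse[shifted] = (True, usage)
    try:
        return [reverse[ch] for ch in text]
    except KeyError as exc:
        raise ValueError(f"no key for {exc.args[0]!r} in this layout") from None


def decode(reports, layout):
    """Host side: map (shift, usage_id) reports to characters."""
    return "".join(layout[usage][1 if shift else 0] for shift, usage in reports)


def typed_on_host(password, host_layout, device_layout=US_QWERTY):
    """What the host receives when the device assumes device_layout."""
    return decode(encode(password, device_layout), host_layout)


def layout_safe_chars(a=US_QWERTY, b=DVORAK):
    """Characters on the same key and shift state in both layouts."""
    return {ch for usage in a
            for ch, other in zip(a[usage], b[usage]) if ch == other}


if __name__ == "__main__":
    stored = "hunter2"  # constructed sample password
    print("US host receives:    ", typed_on_host(stored, US_QWERTY))
    print("Dvorak host receives:", typed_on_host(stored, DVORAK))
    # A device-side layout setting restores the intended text.
    print("Device set to Dvorak:", typed_on_host(stored, DVORAK, DVORAK))
    print("Layout-independent:  ", "".join(sorted(layout_safe_chars())))
```

Only a, m, the digits and their shifted symbols survive both layouts, so a static password limited to those characters types correctly on either host at the cost of a much smaller alphabet.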

------
devinl
This seems to predate FIDO2. [https://solokeys.com/](https://solokeys.com/)
would be a better option if you prefer separate keys for each site (via FIDO2)
and open source hardware.

~~~
EthanHeilman
Given that OnlyKey appears to support FIDO2 it seems unlikely that it
predates FIDO2.

>"Onlykey supports multiple methods of two-factor authentication including
FIDO2 / U2F, Yubikey OTP, TOTP, Challenge-response."

~~~
0x0359463
It predates FIDO2, the OnlyKey has been around since 2016 and before FIDO2 it
supported FIDO U2F.

------
jandeboevrie
The only true open hardware and open source key is the Nitrokey Start, running
Gnuk firmware. Other nitrokeys are open hardware but run a smartcard (hsm or
pgpcard) and those firmwares are not fully open. Yubikey is closed source and
this posts bugger is closed as well. Go for a Nitrokey if you value true
openness.

~~~
omgbear
I've had a great experience with my NitroKey Starts. I'm just bummed that
opensc doesn't yet support ed25519 since it seems gnuk does.

~~~
danieldk
I am not sure I follow? I have been using NitroKey Starts with ed25519 and
GnuPG for two years without problems?

The NitroKey Start is great! I have switched to YubiKeys, since they are more
durable and also support U2F/Fido2 and PIV on the same token. But NitroKey's
software being open source and upgradable are great features.

Note that gnuk also works on Blue Pills. So, if a NitroKey is too expensive
for you, you can pick up a couple of Blue Pills for a few dollars and flash
gnuk on them. [1]

[1] [https://blog.dan.drown.org/gnuk-open-source-gpg-ssh-hardware...](https://blog.dan.drown.org/gnuk-open-source-gpg-ssh-hardware-key-storage/)

------
young_blood
I've owned and used an OnlyKey for around a year and a half now and have had a
really positive experience using mine. There is one issue, unfortunately the
LED lights do not work when the key is plugged into a USB 3 port. The key
itself works, but you do not get any LED feedback which can make unlocking and
using it a little difficult. Be sure to keep this in mind if you're thinking
about purchasing one.

~~~
cr7pt0
Sorry to hear that you had issues with the LED. We did receive reports of some
users having issues with LEDs on some computers years back. With the latest
OnlyKey hardware there have been no issues reported, you can check out the
reviews on Amazon as if there is any issue at all there will usually be
negative reviews on Amazon - [https://www.amazon.com/OnlyKey-Stealth-Black-Case-Communicat...](https://www.amazon.com/OnlyKey-Stealth-Black-Case-Communication/dp/B06Y1CSRZX)

------
abetusk
Are the schematic files and PCB/Gerber files available? I understand that they
only claim to be Open-Source and not Open Source Hardware but it would still
be nice to see and have the hardware schematics.

~~~
stuntkite
No. There isn't because it's not actually open source and this is bullshit.

------
randall
In concept I like it, but one of the biggest yubikey advantages is how
unobtrusive it is. I realize the tradeoff they're going for: Absolute security
in the event that it's stolen... but I think that's actually bad for me since
I'd rather have a tiny button to press as a second factor, than absolute
security with a big dongle.

It'd be great if they just released a direct yubikey style clone.

~~~
cr7pt0
This is the plan, an OnlyKey pro and a small form factor key similar to the
Yubikey nano is in development.

------
qertoip
Trezor T is a vastly superior solution for U2F / WebAuthn and also fully open
source. The main advantage is super mature backup (Shamir's secret sharing)
and PIN-locking with exponential escape. Being a Bitcoin hardware wallet,
security is very well tested.

~~~
groby_b
> Being a Bitcoin hardware wallet, security is very well tested

Given the history of the cryptocurrency field, A is very far from implying B.
And there's at the very least the Ledger analysis[1], which reveals several
vulnerabilities. (The core issue for me is the order->backdoor->return issue -
it doesn't seem there's a way to verify integrity of device or supply chain)

[1] [https://www.ledger.com/our-shared-security-responsibly-discl...](https://www.ledger.com/our-shared-security-responsibly-disclosing-competitor-vulnerabilities/)

~~~
qertoip
Given the history of reputable Bitcoin hardware wallets, A actually _does_
imply B. Hardware wallets are the only viable way to store cryptocurrency
securely, with great track record since inception in 2014.

Regarding the supply chain, there is very little that can be done, and
yubikey-like solutions certainly do not excel here. Trezor T at least comes
with no firmware (to be installed by the user) and holographic sticker. Basic,
but better than Yubikey et al.

------
sedatk
Solo was the first open source alternative to YubiKey. I'm using one of their
products and have been happy with it so far:
[https://solokeys.com/](https://solokeys.com/)

~~~
0x0359463
FYI, this is fake news. OnlyKey has been around since 2016 and has been open
source the whole time. Solo was launched in 2018 and claimed to be the first
FIDO2 open source security key, this was only true because at the time OnlyKey
wasn't FIDO2. OnlyKey was the first open source security key. Also Solo isn't
even a viable alternative to YubiKey as it doesn't support challenge-response,
static passwords, or OpenPGP. OnlyKey does support all of those things.

------
grogenaut
I couldn't find any open source links on the site (reading from phone), is it
open hardware or open config app/firmware?

~~~
g_p
There is a link to
[https://github.com/trustcrypto](https://github.com/trustcrypto) from within
what seems to be the footer of (at least) the FAQ page.

~~~
djsumdog
Huh. So they have the firmware up, and a forked project that gets FIDO2
working on an Arduino .. I don't see any CAD files or any repos that seem to
contain circuit diagrams. Is the hardware something standard they load
firmware on, or is only the firmware open and the hardware designs closed?

~~~
g_p
Looks it. Seems like it might be open firmware and user-space interfacing
software. Didn't see any CAD/EDA repos.

------
imtringued
I honestly don't understand how a YubiKey is supposed to help me secure my
accounts if I get locked out of my accounts when I lose it. I can trivially
copy a keepass database anywhere and have dozens of backups. If I want to do
the same with a YubiKey I first have to buy multiple YubiKeys and then I have
to register each one on each site. This means they cannot be used as a primary
authentication method because they always require a fallback option in case
you want to reset your credentials because you lost your YubiKey. If I can't
use the YubiKey to secure my E-Mail account then what's the point? I'll still
need to use password based login and store that E-Mail password in a
conventional password manager that I then backup a dozen times.

YubiKeys only seem to make sense in a corporate environment where you can
always request a new YubiKey and reregister it based on your ID.

~~~
fierarul
The way two factor auth works is that you register your hardware key and you
also get 10 one-time-usage recovery codes which you can use instead.

So, if you lose your YubiKey, you can still login 10 times using a recovery
code. Presumably during those 10 times you either disable 2FA or register a
new YubiKey.

~~~
91iejrj20310
I guess those recovery codes are the new security questions - yes
theoretically they are there to recover your account, but in practice, you
won't have them at hand unless you stored them in your password manager.

~~~
fierarul
The whole idea of having a hardware token is to separate what's at hand.
Having the recovery codes in the password manager seems like a bad idea.
Google recommends printing them.

~~~
LaGrange
...oh yes, having your passwords printed out is such a great improvement.
Considering how likely the "hacker" is to be a person sharing your household,
you might as well put them on a post-it note and stick them to the screen.

Recovery codes go straight into the password manager, right next to my
mother's maiden name, ASuTeil7quoongak2aeniVar.

~~~
fierarul
Nonsense, the household hacker can also find your YubiKey. Much easier than a
single piece of paper.

~~~
LaGrange
...there are other 2fa methods that don't disable at least one "personal"
factors, whether that's a password or using finger/face/whatever. Not that
great against cops, but stands a chance against many abusers, recent exes and
terrible flatmates. And the yubikey is, theoretically, worn on you. Are you
going to carry around all the printouts?

~~~
fierarul
I'm having a hard time figuring out what kind of scenarios you are securing
against.

The recovery code, just like the hardware 2fa, does not work unless you know
the password. So you want to secure against people that live with you, know
your password and from whom you cannot hide anything anywhere?

The printout is the size of a business card. You could put it in your Bible as
a booksign and nobody would find them. Or if you want you could rot13 them or
something basic so they can't be used as-is.

Actually, what are you suggesting instead? I'm genuinely curious what flawless
solution you found.

~~~
LaGrange
The 2fa has to provide something more than a password to be worthwhile. If
it's easily defeated by going through my copy of Capital then it's not
worthwhile. Finally, I don't have a single set of recovery codes, I have at
least a dozen by now. By using recovery codes you've turned a somewhat harsh
but sometimes-useful security scheme (for situations where loss of access is
preferable to 3rd party access) into security theatre. Not that it matters,
most services will "restore access" if you answer questions not just your
flatmates but even an average doxxer will be able to find out.

Also no, you're not genuinely curious, you're trying to waste someone else's
time.

~~~
fierarul
But nobody is forcing you to print or use your security codes. If you ignore
them and your hardware key is broken/lost you are forever locked out. Which
you mention is preferable, sometimes.

So, you are against things. What are you _for_?

------
blintzing
If the device doesn't have a secure element, how can anyone take it seriously
as a strong root of trust? The page lists several recent attacks on secure
element, but that's not really enough to convince me that no secure element is
needed.

~~~
cr7pt0
This is an interesting question. I would like to see more discussion like this
in the security community. Of course this question should be preceded by the
question of what actually qualifies as a secure element? Who decides it's
secure? If it's just an MCU with some basic security features you have to sign
an NDA to even test, is that a secure element? Is it possible to create an
open source secure element without an NDA required?

------
aex
OnlyKey's ability to type passwords differentiates it for my use cases.

I can use OnlyKey to type long BIOS, disc, user and root passwords without
worrying about people around or security cameras.

~~~
contactlight11
YubiKey can also do this:

[https://www.engineerbetter.com/blog/yubikey-static-secret/](https://www.engineerbetter.com/blog/yubikey-static-secret/)

~~~
cr7pt0
It can only store up to 2 passwords, OnlyKey stores 24. For full comparison
see [https://crp.to/p](https://crp.to/p)

------
dima_medvedev
Bought two of those last March. Mostly positive experience so far.

Previous firmware didn't restore U2F key from backup, but current one does. It
also didn't have any kind of lockdown, so I did it via UDEV rules, luckily
current firmware has a lock button, which even sends "Super-l".

I would also love onlykey-cli be ported to Python3.

Somebody mentioned here that onlykey isn't fit for keychain use, yet mine is
totally fine and USB port shows virtually no signs of wear.

------
lisper
Another open source security key: [https://sc4.us/hsm](https://sc4.us/hsm)

------
mikece
Can this device function as an SSD, holding, for example, a Keepass2Android
APK file and a KeePass database -- as well as being able to open said
database via one of the stored profiles? It doesn't need to have a lot of
storage... 640 MB ought to be enough for anyone's KeePass databases.

~~~
cr7pt0
No it doesn't store files directly, but if you are looking for KeePass support
it is now supported directly by KeePassXC -
[https://keepassxc.org/blog/2019-10-26-2.5.0-released/](https://keepassxc.org/blog/2019-10-26-2.5.0-released/)

~~~
mikece
I use KeePassXC on macOS, Windows, and Linux and copying the database to the
machines in question is easy enough. I was specifically thinking for iOS and
Android _without_ going through iCloud.

------
xaduha
This thing seems fishy to me. If you want something that is mostly under your
control to which you can install open source stuff into then buy some smart
cards and card readers e.g. from
[https://www.javacardsdk.com](https://www.javacardsdk.com)

~~~
cr7pt0
Carrying your own smart cards and smart card reader may work for some use
cases but I'm sure you can see why a small key attached to your key chain is a
better solution in most cases.

~~~
xaduha
There are readers the size of a thumb drive, cards themselves are the standard
credit card size or even SIM card size if not contactless. It's not the real
issue here, there are a few more important ones such as lack of desktop
browser support for U2F NFC use case. U2F applet works fine for me on Android
though.

------
nine_k
Something way more solid apparently does exist: USB Armory.

[https://inversepath.com/usbarmory.html](https://inversepath.com/usbarmory.html)

The hardware is open, the software is mentioned without much detail; I suppose
it's not shipping yet.

~~~
cr7pt0
This product does not meet the same use cases as Onlykey, USB armory not being
portable, waterproof, and durable is not something that will fit most users'
needs.

------
wfdctrl
Why does the code look like a copy-pasted mess? Kudos for making it open,
though...

~~~
cr7pt0
Thanks I guess... We always review PRs

------
Tomdarkness
One thing I immediately noticed is that apparently it supports exporting full
backups of the device? Surely this is a terrible idea? I'm far from a security
expert but I'd have thought you'd want to make it so that it is extremely
difficult to extract key material from a security key, not offer it as a
feature?

~~~
rodgolpe
The backups are automatically encrypted with a private key you save onto the
device (obviously the key is not part of the backup). To restore a backup onto
the same device or a new OnlyKey, you first have to load the same private key
that encrypted your backup.

------
guenthert
I was interested until I saw the price tag: $46. Seriously, WTH?

~~~
fierarul
Seems reasonable. The cheap YubiKey is $20 (over $30 with tax and shipping)
while the series 5 YubiKey is $50-$70.

And I assume Yubico is capable of making much bigger (aka cheaper per unit)
orders.

------
annolir
ykpass
([https://github.com/noliran/ykpass](https://github.com/noliran/ykpass)) takes
another approach at this. It generates unique strong passwords for every
website, which are fully restorable without needing constant backups, thus
providing a solution for non-U2F websites, which is - honestly - most of the
internet at the moment

------
foobarbazetc
Unless you have a provable chain of trust that the code compiled is the code
running on this thing then... Nah.

I trust Google’s Titan keys. _shrug_.

~~~
0x0359463
So Google Titan keys have a pretty bad track record when it comes to security:

[https://www.engadget.com/2019/05/15/google-recalls-some-tita...](https://www.engadget.com/2019/05/15/google-recalls-some-titan-bluetooth-security-keys/)

It's not possible to have a provable chain of trust on hardware as others have
mentioned in the thread, even in the device you mentioned there is no proof
that the code the manufacturer intended to run on device is the same code
running on the device. Also it's closed source so you wouldn't even know what
code they intended to run.

In fact with Google Titan you have lots of other issues like that it's
actually just a rebranded Feitian key, a China based company with unknown
supply chain or possibly even China govt mandated backdoor. More on that here
[https://www.securitynewspaper.com/2018/09/06/experts-ask-goo...](https://www.securitynewspaper.com/2018/09/06/experts-ask-google-for-clarifications-about-backdoor-in-titan-security-key/)

You can check out the hardware of your key here, there is no tamperproofing at
all.

[http://hexview.com/~scl/titan/](http://hexview.com/~scl/titan/)

------
WhyNotHugo
The price seems ridiculous though. $2700?! Exactly what kind of audience is
this geared towards?

~~~
cryptobeard
Where did you get $2700, OnlyKey is $46 USD

~~~
cambalache
The prices are localized. So $2700...ARS

------
classics2
Where are the cad files, bom and other data needed to manufacture the device?

------
woliveirajr
> " promote us and earn"

this doesn't send a good message

------
cies
Open source is the only way to security in most cases.

~~~
imtringued
Most of the security benefits come from giving the vendor an incentive to
update their software quickly. I've often seen proprietary companies delay
security critical patches until the next release or sue well meaning people
who are reporting vulnerabilities (to the companies) as hackers to hide
evidence of vulnerabilities.

There is a reason why so many vulnerabilities are found and reported in Linux
compared to e.g. Windows. There is no censorship that tries to make the world
look prettier than it is.

~~~
cies
Everyone who cared to comment seems to agree that open source is a
prerequisite for proper security in software. Interestingly I got down voted
:)

Good point that the security of FLOSS stems from the culture surrounding
FLOSS...

