OnlyKey on Android: Complete guide to use and security

  • OnlyKey combines FIDO2 key, password manager and encryption functions, integrating with Android as a keyboard and security key.
  • On Android, it can be used in conjunction with the mobile's built-in authenticator, leveraging OnlyKey for the first login and biometrics for daily use.
  • In addition to FIDO2/U2F logins, OnlyKey allows you to manage TOTP, OTP and file encryption/decryption directly from your mobile browser.
  • Its multi-protocol approach makes it a unique security hub for online accounts, SSH, and sensitive data across various devices.

How to use OnlyKey on Android

If you use Android and are concerned about security, you've probably heard of hardware keys, and specifically, OnlyKey. These small devices look like a simple USB drive, but they're actually a true Swiss Army knife of security: they serve as a password manager, FIDO2/U2F key, OTP token, file encryption tool, and much more. Understanding how to use OnlyKey on Android makes the difference between "having a key" and getting the most out of it.

Furthermore, the strong authentication ecosystem is changing at breakneck speed: FIDO2, WebAuthn, passkeys, TOTP, SSH with FIDO keys… It may sound overwhelming, but with a good explanation and clear examples it becomes very manageable. Let's see step by step how to use OnlyKey on Android devices and how it fits into the world of modern security keys, without leaving out any important details.

What is OnlyKey and why does it make sense to use it on Android?

OnlyKey is a hardware security key developed by CryptoTrust that combines multi-factor authentication, password management, and encryption in a single device. Unlike other, “simple” FIDO keys, OnlyKey incorporates a touch keypad and PIN protection, allowing you to securely store sensitive data and use it as if it were a keyboard.

On Android, OnlyKey primarily behaves like a USB keyboard. When you connect it, the system detects it as if you had plugged in an external keyboard, so you can type passwords, usernames, TOTP or OTP codes directly into the text fields of your apps or browser. This makes it compatible with almost any service that accepts keyboard input, even if the service has no explicit “OnlyKey support”.

There are two relevant variants for mobile phones: the "classic" OnlyKey with a USB-A connector and the OnlyKey DUO with USB-C. The DUO is especially convenient for Android because most current phones use USB-C, so you can plug it in directly without an adapter. If you have the USB-A version, you'll need an OTG adapter to connect the key to the USB-C port of the mobile phone.

Built-in vs external key: how OnlyKey fits into your Android phone

Modern mobile phones, both Android and iPhone, already incorporate their own integrated FIDO2 authenticator. This is what features like fingerprint login or facial recognition (Fingerprint, Face Unlock, etc.) use on compatible websites and apps. Technically, your phone already acts as a "security key" thanks to WebAuthn and FIDO2.

So why use OnlyKey on Android if the phone already has robust security? The most practical strategy is to combine both: use OnlyKey for the first login or to set very strong passwords, and then activate the phone's biometric unlock for subsequent access. That is:

  • OnlyKey generates and enters strong passwords and/or 2FA codes the first time you log in.
  • Once inside, you enable fingerprint or face login in the app, taking advantage of the phone's internal FIDO2 authenticator.
  • That way you don't have to use the key every time, but you still have long, unique passwords and real 2FA.

This approach is especially useful on Android with banking apps, corporate email, project management tools, etc., where you want maximum security without sacrificing everyday comfort.

Prerequisites for using OnlyKey on Android

Before you start plugging things into your mobile phone, it's a good idea to make sure everything is properly set up. OnlyKey requires minimal configuration and updated firmware to work properly with Android.

  • Firmware up to date: It is important to have the latest OnlyKey firmware version installed to ensure compatibility with FIDO2, security improvements, and bug fixes. The update is performed from a computer (Windows, macOS, or Linux) following the manufacturer's official instructions.
  • Physical connection to the mobile device:
    • With OnlyKey DUO (USB-C): simply connect it directly to the USB-C port of the Android device.
    • With OnlyKey USB-A Classic: you will need a USB-A to USB-C OTG adapter or USB-A to microUSB, depending on your mobile phone's port.
  • Load keys/certificates if you are going to encrypt: To use the PGP encryption functions (such as the encrypt/decrypt pages), a PGP encryption key associated with your identity (for example, your Keybase account) must already be loaded into the OnlyKey.
  • Correct time for TOTP: If you want to use OnlyKey to generate TOTP codes (the typical 6-digit codes that change every 30 seconds), the key must have its internal time correctly set. This can be done by visiting https://apps.crp.to from Chrome or Firefox on Android, with the OnlyKey connected and unlocked.

If you meet these requirements, your OnlyKey will be ready for Android to recognize it as a keyboard and, furthermore, to act as a FIDO2/U2F security key and encryption device on compatible websites.

Using the built-in security authenticator in Android

As we mentioned, Android already includes its own FIDO2 security "keychain," which you can use even if you don't have OnlyKey. Understanding this is useful because OnlyKey and mobile biometrics work great together.

Practical example: using the security key built into Android

To check whether your Android supports FIDO2/WebAuthn with fingerprint or PIN, you can follow a small practical exercise that doesn't require installing anything unusual:

  • Open the browser Chrome on your Android.
  • Visit the MFA testing page at https://www.passwordless.dev/mfa#heroFoot.
  • Create a trial account by following the instructions on the website.
  • When asked about the authentication method, choose the option along the lines of “Use this device with a fingerprint or PIN”.
  • Follow the system wizard: it will ask for your fingerprint, pattern, PIN or facial recognition depending on how your mobile phone is configured.

From that moment on, your mobile will be registered as a FIDO2 authenticator for that test account. On subsequent logins to that website, you can directly use your fingerprint or PIN on Android without entering a username/password. This same mechanism can then be combined with OnlyKey: OnlyKey for the first login, mobile biometrics for everyday use.

Using OnlyKey as a keyboard on Android: passwords, TOTP and OTP

One of the great advantages of OnlyKey is that Android sees it as if it were a standard USB keyboard. This means that everything OnlyKey “types” (usernames, passwords, OTP codes, complete login sequences) will appear in the mobile's text fields.

In practice, this implies that:

  • You can store static usernames and passwords for websites and apps in OnlyKey.
  • The key can generate and type TOTP codes (the typical six-digit codes such as 123456 that last 30 seconds), just like an app such as Aegis or Google Authenticator would do.
  • It is possible to use Yubikey-style OTP (Yubikey OTP) with services that support it, since from the phone's perspective it is just text entered via a keyboard.

For the TOTP part to function correctly, as we have already indicated, it is essential to ensure that OnlyKey's internal time is properly synchronized. Simply:

  • Connect OnlyKey to the Android device using the appropriate adapter.
  • Unlock it by entering the PIN on the key's touch keypad.
  • Open Chrome or Firefox on Android and visit https://apps.crp.to.
  • Follow the instructions on the website to set the time on the device.

Once this is done, any TOTP profile you have configured on your OnlyKey will generate valid codes, and when you press the assigned button, the key will automatically type them into the active text field of your mobile device. This way of working is especially convenient if you want to stop relying on 2FA apps on your phone and prefer to have the codes on a separate physical key.
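Why the time setting matters, as an added example (not code from OnlyKey or CryptoTrust): a standard RFC 6238 TOTP generator and a server-side check that accepts one 30-second step either side of its own clock. The function names, the ±1 step window and the sample timestamp are assumptions for illustration; the secret is the published RFC 6238 test secret.

```javascript
const crypto = require("node:crypto");

const STEP_SECONDS = 30;
const DIGITS = 6;

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
function hotp(secret, counter) {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = crypto.createHmac("sha1", secret).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;
  const binary = mac.readUInt32BE(offset) & 0x7fffffff;
  return String(binary % 10 ** DIGITS).padStart(DIGITS, "0");
}

// TOTP (RFC 6238): the counter is the number of 30-second steps since the Unix epoch,
// so the code depends entirely on what the token believes the time is.
function totp(secret, unixSeconds) {
  return hotp(secret, Math.floor(unixSeconds / STEP_SECONDS));
}

// Server-side check: accept the current step plus `window` steps either side.
// Returns the step offset that matched, or null if the code is rejected.
function verifyTotp(secret, code, serverUnixSeconds, window = 1) {
  if (code.length !== DIGITS) return null;
  const current = Math.floor(serverUnixSeconds / STEP_SECONDS);
  for (let delta = -window; delta <= window; delta++) {
    const candidate = Buffer.from(hotp(secret, current + delta));
    if (crypto.timingSafeEqual(candidate, Buffer.from(code))) return delta;
  }
  return null;
}

// A token whose clock is off by `driftSeconds` types a code; how does the server treat it?
function loginWithDrift(secret, serverUnixSeconds, driftSeconds) {
  const code = totp(secret, serverUnixSeconds + driftSeconds);
  return verifyTotp(secret, code, serverUnixSeconds);
}

// Constructed inputs: RFC 6238 test secret and one of its test timestamps.
const RFC_SECRET = Buffer.from("12345678901234567890");
const SERVER_NOW = 1111111109;

console.log("clock correct :", loginWithDrift(RFC_SECRET, SERVER_NOW, 0));
console.log("20 s fast     :", loginWithDrift(RFC_SECRET, SERVER_NOW, 20));
console.log("1 hour fast   :", loginWithDrift(RFC_SECRET, SERVER_NOW, 3600));
console.log("clock never set:", verifyTotp(RFC_SECRET, totp(RFC_SECRET, 59), SERVER_NOW));
```

A small drift is absorbed by the verification window, while a token whose time was never set produces codes for the wrong step and is rejected every time.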

Using OnlyKey as a FIDO2/U2F security key on Android

In addition to functioning as a keyboard, OnlyKey can also act as a “pure” FIDO2/U2F security key, just like a YubiKey or a Titan. On Android, this is mainly used through the browser (Chrome or Firefox), since many websites natively support WebAuthn/FIDO2.

Registering and using OnlyKey as a security key on Android

The process for using OnlyKey as a FIDO key on Android is very similar to what you would do on a desktop PC, with the difference that you will have to accept some system pop-ups to give the app or browser permission to talk to the key.

The typical steps would be:

  • Connect OnlyKey to your mobile phone using the adapter (if necessary) and unlock it by entering your PIN on the key itself.
  • Open Chrome or Firefox on Android.
  • Visit the website where you want to use FIDO2/U2F (for example, your Google account, GitHub, or another compatible service).
  • In your account security settings, go to the section on security keys (Security keys, FIDO2, WebAuthn, etc.).
  • Choose the option to add or register a new security key.
  • Android will display several pop-up dialogs asking for permission to use the connected key. Accept them all.
  • When the OnlyKey lights up (usually blue), tap the indicated button to confirm registration.

Once registered, that website will associate your account with the FIDO credential stored in OnlyKey. On subsequent logins from your mobile device, when the website asks you to use the security key:

  • Connect the OnlyKey and unlock it with your PIN.
  • In your browser, select the option to authenticate with a security key.
  • Tap the OnlyKey when the blue light comes on to authorize the operation.

Keep in mind one important detail: even if you have already registered OnlyKey as a FIDO key on a computer, some services require repeating the registration process when using a new device (for example, your Android phone). In those cases, you have to go through the key registration wizard again from the phone's browser.

Mobile security considerations: USB vs NFC vs integrated key

When choosing how to use security keys on Android (USB, NFC, or the phone itself as a key), it's worth keeping in mind some nuances:

  • Integrated key in the mobile (internal FIDO2):
    • Physical security level: medium (if your mobile phone is stolen and they know your PIN/pattern, they could use it).
    • Convenience: high, because you don't have to carry anything extra and fingerprint login is immediate.
  • USB key like OnlyKey:
    • Physical security level: high, because the attacker would need to have the key and also know the PIN that unlocks it.
    • Convenience: lower, since you have to physically connect it and remember the PIN.
  • NFC key fob:
    • Physical security level: lower than USB or integrated, because theoretically it is possible to activate the key by proximity if someone gets close enough (scenarios like "I get bumped into on the subway and they read my key").
    • Convenience: medium, by bringing the key close to the mobile phone wirelessly.

In general, the most balanced combination for Android is to use mobile biometrics as a daily method and OnlyKey as a strong factor for new sign-ups, critical changes, or sensitive logins, thus reducing the impact if your mobile phone is stolen or if the system is compromised.

Using OnlyKey to encrypt and decrypt files on Android

Another powerful feature of OnlyKey is the ability to encrypt and decrypt files directly from the browser using its PGP capabilities. This also works on Android with compatible browsers (Chrome or Firefox) and the CryptoTrust Tools website.

Encrypt files with OnlyKey on Android

To encrypt documents from your Android device using OnlyKey, the usual flow is:

  • Connect OnlyKey to your mobile phone, using an OTG adapter if necessary.
  • Unlock it by entering the PIN on the key itself until it lights up solid green.
  • Open Chrome or Firefox and visit https://apps.crp.to/encrypt-file.
  • The browser will display a pop-up asking for permission to communicate with the USB device (OnlyKey); accept.
  • Check that a message like “OnlyKey Secure Connection Established” appears, indicating that secure communication with the key is active.
  • Enter your Keybase username and the recipient's username (this can be your own if you want to encrypt files for yourself).
  • Select the files you want to encrypt from your Android storage.
  • Click on the Encrypt & Sign button and accept the various pop-ups that appear to maintain the channel with the key.
  • When OnlyKey shows a challenge code, enter it on the key itself to confirm the operation.

That challenge code is an additional measure against unauthorized access. It requires someone to physically have the key in front of them and be able to read the code to confirm it. If you prioritize convenience over this extra control, you can disable the PGP challenge from the OnlyKey app so that any button press confirms the operation, but that implies a slight reduction in security.

Decrypt files with OnlyKey on Android

The decryption process on Android is very similar to encryption, changing the tool's URL:

  • Connect and unlock the OnlyKey (PIN, steady green light).
  • Open the browser and enter https://apps.crp.to/decrypt-file.
  • Accept the permission pop-up so that the browser can communicate with the device.
  • Verify that the message appears indicating that the secure connection with the OnlyKey has been established.
  • Enter your Keybase username to identify the key you want to use for decryption.
  • Select the encrypted file (it will usually have the .gpg extension) from the Android's memory.
  • Press the Decrypt button and accept the subsequent permissions.
  • Enter on the key the challenge code that OnlyKey shows you to authorize the decryption.
  • At the end, a .zip file with the decrypted content will be downloaded.
  • Use a decompression app (for example, WinZip for Android or a similar one) to open the zip file and access your files.

This flow ensures that the private key never leaves the key; encryption and decryption are done "anchored" to OnlyKey. So even if you use a mobile phone, tablet, or even a public or unreliable device, your secrets remain under control.

Advanced OnlyKey configuration for FIDO2/SSH use (overview)

Although this guide focuses on Android, many people use the same OnlyKey to authenticate via SSH on servers, GitHub, and other services from Linux or other systems. It's worth understanding in general terms what's being done, because everything is based on FIDO2, just like the authentication used on mobile devices.

In Linux systems, for example, you can generate resident FIDO2 SSH keys directly within the OnlyKey using a command like this:

ssh-keygen -t ed25519-sk -O resident -O application=ssh:nombre -f ~/.ssh/id_fido -P ""

This command creates a FIDO2 SSH key linked to the hardware key and stored as a resident credential. It can only be used if the OnlyKey is present and you touch it when it lights up. Later, you can extract references to those keys to your folder ~/.ssh on any computer with:

cd ~/.ssh && ssh-keygen -K

This generates "partial" key pairs that internally point to the private key residing in the OnlyKey. Even if you copy those public/private keys to other computers, they won't work without the physical key connected. This allows you to work even from computers of limited trust without risking your real keys.

This entire model, based on FIDO2/WebAuthn and resident or non-resident credentials, is the same one used by browsers on Android when you register OnlyKey as a security key or when you use the mobile's internal authenticator. The idea is always the same: the private key never leaves the secure device.

What are FIDO2 security keys and how does OnlyKey fit in?

To truly understand what you're doing when using OnlyKey on Android, it's helpful to have an overview of the FIDO2 security keys and the standards that support them.

A hardware security key is a small device (about the size of a USB drive or card) that serves as a second authentication factor or even as the primary factor. Instead of relying on passwords that can be leaked or reused, these keys use public key cryptography. During registration, the server stores a public key and the private key remains locked inside the device, inaccessible.

When you log in, the server sends a challenge (a piece of random data) that the key internally signs with the private key. If the signature matches the registered public key, it is confirmed that the key is present and authorized, without the need to share reusable secrets.

Compared to SMS codes or authentication apps, FIDO2 keys have several clear advantages:

  • Phishing resistance: Authentication is tied to the specific domain (it won't work on a fake website with a different domain), so even if you're tricked with a similar URL, the key won't complete the process.
  • Without passwords or as an add-on: They can replace or strengthen traditional passwords, greatly reducing the risk of brute-force attacks or reuse.
  • Very usable: Once configured, usage is reduced to plugging in the key and touching it, or bringing it close via NFC, or using the fingerprint on the mobile; no writing codes.
  • Physical robustness: They are usually resistant to water, shocks, dust and handling, especially in mid-range/high-end models.

OnlyKey fits into the category of multiprotocol tokens. In addition to FIDO2/U2F, it supports TOTP, Yubico-style OTP, PGP encryption, password management, and other features. This makes it a very powerful option for those who want to centralize Android/PC login, file encryption, and SSH access on a single device.

Key technical aspects: WebAuthn, CTAP, resident credentials and passkeys

Behind the “magic” of pressing a key and entering without a password, there are several standards that work together. Understanding them in a basic way helps you know what you can expect from OnlyKey on Android and other devices.

WebAuthn: the authentication standard in browsers

WebAuthn (Web Authentication) is a W3C specification, driven by the FIDO Alliance, that defines how browsers (Chrome, Firefox, Safari, Edge, etc.) talk to authenticators (mobiles, USB keys, etc.) to perform secure logins.

When you register a FIDO2 key on a compatible website, the browser calls the WebAuthn API, which in turn asks your authenticator (OnlyKey or your mobile device) to generate a key pair for that service. The public key is sent to the server; the private key is stored within the authenticator. On Android, the "authenticator" can be either the mobile phone itself (fingerprint, PIN) or an external USB key connected via OTG.

In subsequent logins, the server issues a challenge, and WebAuthn coordinates the process: the authenticator signs the challenge with its internal private key, and the server validates it with its stored public key. This results in a phishing-resistant login, tied to the correct domain, and without exposing reusable secrets.
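The register-then-sign exchange described here and in the earlier section on FIDO2 keys, as an added Node.js simulation (not code from the page, OnlyKey or any browser). The three roles, the function names and the `.example`/`.test` domains are constructed for illustration, and the browser's domain check is simplified to an exact-or-parent-domain match.

```javascript
const crypto = require("node:crypto");
const sha256 = (data) => crypto.createHash("sha256").update(data).digest();

// Authenticator role (OnlyKey or the phone): one key pair per relying-party ID (rpId).
class Authenticator {
  constructor() { this.credentials = new Map(); } // rpId -> private key, never exported
  register(rpId) {
    const { publicKey, privateKey } =
      crypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
    this.credentials.set(rpId, privateKey);
    return publicKey; // only the public key goes to the server
  }
  sign(rpId, clientDataHash) {
    const privateKey = this.credentials.get(rpId);
    if (!privateKey) return null; // no credential scoped to this domain
    // authenticatorData: SHA-256(rpId) || flags (0x01 = user present) || 4-byte counter
    const authData = Buffer.concat([sha256(rpId), Buffer.from([0x01]), Buffer.alloc(4)]);
    const signature =
      crypto.sign("sha256", Buffer.concat([authData, clientDataHash]), privateKey);
    return { authData, signature };
  }
}

// Browser role: it, not the page, writes the origin into clientDataJSON and
// refuses an rpId that is not the page's own domain or a parent of it (simplified).
function browserGetAssertion(authenticator, pageOrigin, rpId, challenge) {
  const host = new URL(pageOrigin).hostname;
  if (host !== rpId && !host.endsWith("." + rpId)) return null;
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: "webauthn.get",
    challenge: challenge.toString("base64url"),
    origin: pageOrigin,
  }));
  const signed = authenticator.sign(rpId, sha256(clientDataJSON));
  return signed ? { clientDataJSON, ...signed } : null;
}

// Server role: check challenge, origin and rpId hash before trusting the signature.
function serverVerify(expected, assertion) {
  if (!assertion) return "no assertion";
  const clientData = JSON.parse(assertion.clientDataJSON.toString("utf8"));
  if (clientData.type !== "webauthn.get") return "wrong type";
  if (clientData.challenge !== expected.challenge.toString("base64url")) return "stale challenge";
  if (clientData.origin !== expected.origin) return "wrong origin";
  if (!assertion.authData.subarray(0, 32).equals(sha256(expected.rpId))) return "wrong rpId";
  const signedBytes = Buffer.concat([assertion.authData, sha256(assertion.clientDataJSON)]);
  return crypto.verify("sha256", signedBytes, expected.publicKey, assertion.signature)
    ? "ok" : "bad signature";
}

// Constructed scenario; .example and .test are reserved names.
function demo() {
  const key = new Authenticator();
  const rpId = "accounts.example", origin = "https://accounts.example";
  const publicKey = key.register(rpId);
  const challenge = crypto.randomBytes(32);
  const expected = { rpId, origin, challenge, publicKey };
  const lookalike = "https://accounts-example.test";
  const old = browserGetAssertion(key, origin, rpId, crypto.randomBytes(32));
  return {
    genuine: serverVerify(expected, browserGetAssertion(key, origin, rpId, challenge)),
    lookalikeOwnRpId: browserGetAssertion(key, lookalike, "accounts-example.test", challenge),
    lookalikeClaimsRealRpId: browserGetAssertion(key, lookalike, rpId, challenge),
    replayedOldAssertion: serverVerify(expected, old),
  };
}

console.log(demo());
```

The look-alike site gets nothing to forward in either case: the key holds no credential for its own domain, and the browser will not let it ask for the real one.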

CTAP: the protocol that connects the authenticator to the client

CTAP (Client To Authenticator Protocol) is the protocol that describes how the client device (your mobile, your PC) and the authenticator (OnlyKey, YubiKey, mobile acting as a key) communicate. In other words, WebAuthn handles the "web" part between the browser and the server, while CTAP defines the "language" between the browser/operating system and the key.

On Android, when you connect OnlyKey via USB-C or OTG adapter, CTAP is being used in the background so that Chrome or Firefox can send it FIDO2 challenges and receive signed responses. Thanks to CTAP, keys like OnlyKey can work relatively transparently across different systems, provided that the browser and operating system support it.

Resident vs. non-resident credentials and their relationship with passkeys

In the FIDO2 world, there is a lot of talk about "discoverable/resident credentials" and "non-resident credentials". This affects how and where the keys associated with your accounts are stored:

  • Resident credentials: The private key and the information needed to identify the service are stored directly within the key or authenticator. The key itself can "discover" which accounts it is associated with without the browser having to pass it a complex identifier. This is the model used by modern passkeys. That's why keys with greater storage capacity can store more passkeys.
  • Non-resident credentials: The key stores only a master key, and the credential ID carries the information necessary to derive the key at login time. Simply put, no permanent slots are occupied in the key. However, the client (browser) needs to retain more data in order to use them.
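The two storage models side by side, as an added sketch (not OnlyKey's firmware or any vendor's actual scheme). The HMAC-based derivation, the `nonce || tag` credential ID layout, the class names and the two-slot limit are assumptions chosen to make the idea concrete.

```javascript
const crypto = require("node:crypto");
const sha256 = (data) => crypto.createHash("sha256").update(data).digest();
const mac = (key, label, rpHash, nonce) =>
  crypto.createHmac("sha256", key).update(label).update(rpHash).update(nonce).digest();

// Turn a 32-byte seed into an Ed25519 private key (fixed PKCS#8 header + seed).
const PKCS8_ED25519 = Buffer.from("302e020100300506032b657004220420", "hex");
const keyFromSeed = (seed) => crypto.createPrivateKey({
  key: Buffer.concat([PKCS8_ED25519, seed]), format: "der", type: "pkcs8" });

// Non-resident model: the device holds one master secret and nothing per account.
class NonResidentKey {
  constructor() { this.master = crypto.randomBytes(32); }
  register(rpId) {
    const rpHash = sha256(rpId), nonce = crypto.randomBytes(32);
    const tag = mac(this.master, "tag", rpHash, nonce);
    const privateKey = keyFromSeed(mac(this.master, "key", rpHash, nonce));
    // credential ID = nonce || tag; it is kept outside the key and handed back at login
    return { credentialId: Buffer.concat([nonce, tag]),
             publicKey: crypto.createPublicKey(privateKey) };
  }
  sign(rpId, credentialId, challenge) {
    if (credentialId.length !== 64) return null;
    const rpHash = sha256(rpId), nonce = credentialId.subarray(0, 32);
    const tag = mac(this.master, "tag", rpHash, nonce);
    // Reject credential IDs made by another key or for another rpId.
    if (!crypto.timingSafeEqual(tag, credentialId.subarray(32))) return null;
    const privateKey = keyFromSeed(mac(this.master, "key", rpHash, nonce));
    return crypto.sign(null, Buffer.concat([rpHash, challenge]), privateKey);
  }
}

// Resident (discoverable) model: every account takes a slot, so capacity is finite,
// but the key can list its accounts for a site without being given a credential ID.
class ResidentKey {
  constructor(slots) { this.slots = slots; this.store = []; }
  register(rpId, user) {
    if (this.store.length >= this.slots) return null; // memory full
    const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
    this.store.push({ rpId, user, privateKey });
    return publicKey;
  }
  accountsFor(rpId) { return this.store.filter((c) => c.rpId === rpId).map((c) => c.user); }
}

// Constructed scenario.
function demo() {
  const rpId = "accounts.example";
  const key = new NonResidentKey(), otherKey = new NonResidentKey();
  const { credentialId, publicKey } = key.register(rpId);
  const challenge = crypto.randomBytes(32);
  const sig = key.sign(rpId, credentialId, challenge);
  const signedBytes = Buffer.concat([sha256(rpId), challenge]);
  const resident = new ResidentKey(2);
  const registered = ["alice", "bob", "carol"].map((u) => resident.register(rpId, u) !== null);
  return {
    verifies: crypto.verify(null, signedBytes, publicKey, sig),
    wrongSite: key.sign("other.example", credentialId, challenge),
    wrongDevice: otherKey.sign(rpId, credentialId, challenge),
    registered,
    discoverable: resident.accountsFor(rpId),
  };
}

console.log(demo());
```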

OnlyKey and other modern keys can store dozens or hundreds of discoverable credentials (passkeys), depending on the model. If your plan is to register OnlyKey as the primary key for many services from Android and your desktop browser, this detail will be of interest to you, because ultimately, there is a limit to the number of keys you can use.

As more websites support passkeys, security keys are increasing their memory capacity to be able to store many more resident credentials. This is a clear trend that will directly benefit users who use OnlyKey or similar keys as a central pillar of their digital security.

Practical comparison: OnlyKey and other security keys

In the current market, there are several well-known brands of security keys: Yubico (YubiKey), Google Titan, Nitrokey, SoloKey, Token2, Authenton, etc. Each has its own combination of protocols, physical formats, and extras. OnlyKey is placed in the group of multiprotocol and “all-in-one” devices, halfway between a simple FIDO key and an advanced password/certificate manager.

Some typical differences that you can find:

  • “Simple” tokens (FIDO only): Such as certain keys from Yubico Security Key or Titan, focused on FIDO2/U2F without extras like PGP or TOTP. They are ideal if you only want to easily strengthen logins to websites and services.
  • Multiprotocol tokens: YubiKey 5, OnlyKey DUO, advanced Token2, Authenton, etc. Incorporate support for FIDO2, U2F, OTP, TOTP, smart cards (PIV), OpenPGP, etc. They are more versatile, but also somewhat more complex to configure.
  • With biometrics: Models such as YubiKey Bio, some smart cards with fingerprint readers, etc., add a biometric factor (fingerprint) to the key itself, meaning that simple possession is not enough; you have to demonstrate "something that you are".

As for physical connectivity, you have models with USB-A, USB-C, NFC, or combinations of several. For Android, USB-C or NFC keys are the most convenient; the OnlyKey DUO, for example, uses USB-C to fit well with modern phones and laptops, while its classic USB-A model is designed more for desktop computers or laptops with that port.

In terms of price, OnlyKey is usually positioned in the mid-to-high range within the security key market, especially if we take into account everything it includes (password manager, PGP, FIDO2, TOTP, etc.). Compared to simple and inexpensive FIDO keys, it offers more features but also requires a bit more involvement in the initial setup.

With all this context, it becomes clearer why it makes sense to invest time in learning how to use OnlyKey with Android: it allows you to unify your strong logins for websites and mobile apps, your 2FA codes, your file encryption, and even your SSH keys on a single device, reducing dispersion and improving your control over security.

After seeing how to take advantage of Android's built-in authenticator, how to connect and configure OnlyKey, how to use it as a keyboard for passwords and TOTP, how to use it as a FIDO2 key, and even how to encrypt/decrypt files from your mobile device, it's clear that a properly configured OnlyKey makes your Android device much more robust against phishing, credential theft, and data breaches, without sacrificing the convenience of fingerprint or facial recognition in everyday use. Share this information so that more people can learn about this tool.