Replies: 2 comments
-
Sure, so OnlyKey gives users the ability to choose what they would like to store on a hardware device. If you just want to use OnlyKey for your master password for a password manager, that is fine. If you would like to use OnlyKey for your username, password, and 2FA code, it will do that. OnlyKey DUO supports a PIN code in order to unlock, so in this case your multi-factor is that you enter the PIN code onto OnlyKey (Something you know) and that you press the button on OnlyKey to enter the 2FA code (Something you have). PIN + Physical device = MFA.
-
Ah, yes, I didn't account for the PIN code, indeed. Thanks!
-
Hello,
I just happened to see the OnlyKey DUO project on Kickstarter, and it's advertised as both a FIDO2/U2F security key and a hardware password manager - which is indeed ultimate security for the master password of any password manager. However, the OnlyKey DUO can hold up to 24 passwords, which - as I understand it - is intended to be used with a few important services (e.g. Microsoft, GitHub, Google, ...).
And this is where I started to wonder: if I'm not mistaken, multi-factor security is a concept where we have to choose at least two different kinds of components for authentication: usually, there is « something we know » (a password or a PIN code), « something we own » (a key or a card) and/or « something we are » (fingerprint, face recognition, iris scan). However, if one hardware device becomes both the «own» part and the «know» one, and is accepted as is by a service (one single OnlyKey can type the password, then can be used as U2F or even to generate a TOTP code), might this still be considered MFA (conceptually speaking)?
Any comment might help, I know it's more like a metaphysical question rather than a purely technical one...
Thank you.
[Edit: typo]