trustcrypto / OnlyKey-Firmware

The OnlyKey Firmware runs on the OnlyKey itself and provides the core functionality of OnlyKey.
https://docs.crp.to/firmware.html

Enhancement - Customizable fails-until-wipe and 3-fail-failsafe #134

Open MattariOnline opened 2 years ago

MattariOnline commented 2 years ago

Context: Hey guys, apologies if this isn't the place to suggest this, but I had two related feature suggestions that would do well to improve the security of OnlyKey, as simple as it may be. I customized some variables in the firmware to do it, myself, but ran into far too many issues thus far and still haven't been able to compile it due to weird bugs.

Suggestions: 1) Allow the user to customize the number of failures prior to data and/or firmware wipe. 2) Add a toggle to disable the 3-failure session timeout so that someone could pin out 10 (or N number of) times and wipe the device in one session.

Reasoning: While 10 failures to wipe is pretty standard, even found in iPhones and Androids, there are many situations where a lower fail-to-wipe count might be preferred. Additionally, the 3-failure session timeout is nice for end-users, but it's also a tell that the device has countermeasures against failed pin-in attempts. For my use case, I would have a no-timeout 3-fail full-wipe on the device, but unfortunately that isn't possible with the current signed production firmware.

Could this please be considered as a future feature? I would love to see this added as it would give us, especially those of us in IT, far more control with the security of our credentials and devices. Thanks for reading and any assistance with this!
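A minimal model of the two settings requested in the issue above, as an added example (not OnlyKey firmware code and not written by the issue author). The `pin_policy` struct, its field names, `pin_attempt` and `pin_new_session` are hypothetical, and the failure counter that a real device would persist is a plain struct field here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical policy knobs mirroring the two suggestions in the issue. */
typedef struct {
    uint8_t wipe_after;    /* total failures before wipe, e.g. 10 or 3 */
    uint8_t session_limit; /* failures allowed per session; 0 disables the lockout */
} pin_policy;

typedef struct {
    uint8_t total_fails;   /* assumption: persisted across power cycles on a real device */
    uint8_t session_fails; /* volatile, cleared when a new session starts */
    bool wiped;
} pin_state;
typedef enum { PIN_OK, PIN_FAIL, PIN_SESSION_LOCKED, PIN_WIPED } pin_result;

/* Compare without an early exit so timing does not reveal the first wrong digit. */
static bool ct_equal(const char *a, const char *b, size_t n) {
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

pin_result pin_attempt(const pin_policy *p, pin_state *s,
                       const char *stored, const char *entered, size_t n) {
    if (s->wiped) return PIN_WIPED;
    if (p->session_limit && s->session_fails >= p->session_limit) return PIN_SESSION_LOCKED;
    /* Count the attempt before checking it, so interrupting the check cannot skip the count. */
    s->total_fails++;
    s->session_fails++;
    if (ct_equal(stored, entered, n)) {
        s->total_fails = s->session_fails = 0;
        return PIN_OK;
    }
    if (s->total_fails >= p->wipe_after) { s->wiped = true; return PIN_WIPED; }
    return PIN_FAIL;
}

void pin_new_session(pin_state *s) { s->session_fails = 0; }

int main(void) {
    pin_policy strict = { .wipe_after = 3, .session_limit = 0 }; /* the requested setup */
    pin_state s = {0};
    for (int i = 0; i < 3; i++) /* constructed PINs, not real values */
        printf("attempt %d -> %d\n", i + 1, pin_attempt(&strict, &s, "7391", "0000", 4));
    return 0;
}
```

With `session_limit` set to 0 the only observable outcomes are a plain failure or a wipe, which is the behaviour the issue asks for; with a non-zero limit the distinct `PIN_SESSION_LOCKED` result is what reveals the countermeasure.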