OnlyKey Duo does not enforce button press for HMAC challenge-response #179
Description
I am testing the 6-button OnlyKey and the Duo with KeePassXC — with the ultimate goal of supporting OnlyKey in KeePassium.
Both work fine, but the Duo never asks for the button press, regardless of the "HMAC User Input Mode" setting.
Steps to reproduce:
- Launch OnlyKey app
- Hold button 1 for 10+ seconds to switch the Duo to config mode
- Set the HMAC-SHA1 key in the Advanced tab
- Type: HMACSHA1
- Slot: HMAC 1 (130)
- Key: 40 hex characters, additionally padded with zeros to 64-character length.
- In the Preferences tab, press "Yes" to "Require a button press for HMAC challenge-response operations"
- Observe the app confirmed both actions were successful (see screenshot below)
- Plug the key into a macOS machine, open KeePassXC, select OnlyKey, click "Unlock"
- Observe the database opens immediately, without requiring a button press
Expected behavior: the OnlyKey should refuse responding until its button is pressed.
In turn, the 6-button OnlyKey works as expected, requiring the button press. A possible caveat is that the 6-button key has its PIN set (there was no way around it :) and the Duo does not have a PIN.
- OnlyKey DUO v3.0.4-prodn
- OnlyKey app: v5.3.6 (portable) on Windows 11
- KeePassXC v2.7.9 on macOS 15
