OTP/Password Pin Feature Request

Hi,

I would like to have a separate “OTP/Password store PIN” for OTP and password store on Nitrokey Pro and Nitrokey Storage.
Oh, and if possible I would like to store passphrases (32-64 characters).

I don’t think that asking the smartcard for a simple user authentication is a brilliant idea at all.

I also find it strange that I have to reveal my smartcard password to access keys and storage, and the other way round.

A second PIN for microcontroller operations would solve that.

regards
Hans

Update: Typo “OTR” corrected.

OTR - Do you mean OTP?

We have a limited amount of storage space available, which is why the password length is limited currently. We are considering a much more flexible improvement for the next major version.

Yes, of course. OTP and Password Store, sorry, my typo; I was explaining the other thing in a chat a few hours earlier.

I think having a separate PIN for the passwords and OTPs is more important than password length; I can still use two or three passwords to get enough entropy.

Right now (please correct me if I am wrong and it is fixed already) some evil Nitrokey thief can more or less replace the OpenPGP card and have access to all the stored passwords, or some attacker could intercept the smartcard password.

That’s why I don’t like that single-password idea.

regards

Hans

Hello, admin. Could you please explain a little bit what’s in store for ‘the next major version’ of Nitrokey? Is this going to be a software (firmware) or a hardware update?
Also how are the sales going currently? I’m not seeing much publicity for such a nice open hardware/software project, and I think it could use a bit more exposure.

Regards!

No. All passwords of the Password Safe are encrypted with the smart card. If you replace or reset the smart card, you won’t be able to access the passwords anymore.

The next major version will be a new hardware based on JavaCard. We don’t have a schedule and release date yet.

You are right that we don’t have much publicity and zero marketing, but the sales are still pretty good. This is because of word-of-mouth recommendation by our supportive community. Nevertheless we may start marketing activities in the future. Any specific ideas?
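The answer above states the property that matters for Hans’s threat model: Password Safe entries are encrypted under a key that only the smart card can reproduce, so a swapped-in or reset card yields nothing, rather than the stored passwords. The following is an added illustration of that property written for this thread; it is generic example code, not Nitrokey firmware or Nitrokey’s actual scheme. The card model, the HMAC-SHA256 counter-mode toy cipher, the `password-safe-v1` label and the sample entry are all assumptions made for the example.

```python
"""Model of a password safe whose entries are encrypted under a key that
never leaves a smart card. Illustration for this thread, not Nitrokey firmware."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


class SmartCard:
    """Minimal model of a smart card: it holds a secret and only answers
    key-derivation requests. There is deliberately no call that exports the secret."""

    def __init__(self) -> None:
        self._secret = os.urandom(32)  # generated on the card, never leaves it

    def derive_key(self, label: bytes) -> bytes:
        """Return a 32-byte key bound to this card's secret and a purpose label."""
        return hmac.new(self._secret, label, hashlib.sha256).digest()

    def factory_reset(self) -> None:
        """A reset (like a replaced card) means a fresh, unrelated secret."""
        self._secret = os.urandom(32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as a stdlib-only stream cipher (toy, assumed)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _split_keys(key: bytes) -> Tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from the card-provided key."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def seal(key: bytes, plaintext: bytes) -> Tuple[bytes, bytes, bytes]:
    """Encrypt-then-MAC. Returns (nonce, ciphertext, tag)."""
    enc_key, mac_key = _split_keys(key)
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce, ciphertext, tag


def open_sealed(key: bytes, nonce: bytes, ciphertext: bytes, tag: bytes) -> Optional[bytes]:
    """Verify the tag first; return None (not garbage) when the key does not match."""
    enc_key, mac_key = _split_keys(key)
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class PasswordSafe:
    """Holds only ciphertext; every store/retrieve needs the card to derive the key."""

    LABEL = b"password-safe-v1"  # assumed label, not a real Nitrokey identifier

    def __init__(self) -> None:
        self._entries: Dict[str, Tuple[bytes, bytes, bytes]] = {}

    def store(self, card: SmartCard, name: str, password: bytes) -> None:
        self._entries[name] = seal(card.derive_key(self.LABEL), password)

    def retrieve(self, card: SmartCard, name: str) -> Optional[bytes]:
        nonce, ciphertext, tag = self._entries[name]
        return open_sealed(card.derive_key(self.LABEL), nonce, ciphertext, tag)


def demo() -> Tuple[Optional[bytes], Optional[bytes], Optional[bytes]]:
    """What three cards get back for the same stored entry: the original card,
    a different (swapped-in) card, and the original card after a factory reset."""
    card = SmartCard()
    safe = PasswordSafe()
    safe.store(card, "mail", b"correct horse battery staple")  # constructed sample entry
    with_original = safe.retrieve(card, "mail")
    with_swapped = safe.retrieve(SmartCard(), "mail")
    card.factory_reset()
    after_reset = safe.retrieve(card, "mail")
    return with_original, with_swapped, after_reset


if __name__ == "__main__":
    print(demo())  # (b'correct horse battery staple', None, None)
```

The point of the model is structural: the microcontroller side stores nothing it can decrypt on its own, and a wrong card fails the authentication tag instead of producing plausible-looking output. A real device would use a proper AEAD rather than this HMAC-based toy, and the card’s own access control (the PIN the thread discusses) still gates whether `derive_key` answers at all.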

I’m not really a marketing guy, but I’ve personally recommended your products to a number of people on different forums. However, most of the time when I see people talk about U2F/OTP authentication they will mention YubiKey instead. So perhaps if you can somehow prove or show that your products are just as stable and reliable, then maybe more people will show interest. Maybe make a YouTube tutorial/commercial on how to use Nitrokey to securely log in to popular websites that support these protocols, so that people get some visual presentation of how this technology works.

Cheers!

To be honest I don’t believe OTP is a good idea for Nitrokey. They are the only ones who do OpenPGP cards that are completely open-source, and because of that, they have no competition. Even better, their version of OpenPGP supports RSA4096!

There is a lot to be said for not having any competition… you don’t lose any sales to other businesses and you don’t waste staff resources on marketing about why customers should pick your product over another… all the while, if you went that route, you would be eroding trust by entering the “we have more features” game, at which perceptive and considerate people like me say to themselves “more features means more attack vectors, which equals less trust”.

If they implement more features, then they would need to pay for different hardware and develop software components, then pay a lot of money to auditors to test everything to gain trust.

What they currently have is a trustworthy and highly assured hardware device that is open source and has been audited by an independent third party. Best of all, the issues brought up by the auditors were fixed and verified to have been fixed by the auditors. It just doesn’t get any better than this nowadays, and Nitrokey really isn’t getting the credit it deserves.

In short, Nitrokey please ignore the age-old adage of “the customer is always right”. They are not always right and very often they don’t know what is good for them.

YubiKey played the “more features is better” game, and when they got enough sales and corporate alliances, they went closed-source with YubiKey v4 at some point in 2014… it is now essentially an untrustworthy facade, also known as “security theater”.

All just an opinion, not trying to be adversarial to anyone… and I don’t mind anyone having different views from mine… just my opinion to Nitrokey is all…