Might it be possible to update the OtpKeyProv plugin to add the option for time-based OTP (TOTP) rather than just counter-based (as per RFC 6238)? Most of the soft-token solutions available support both (such as Google Authenticator).
Time-based tokens would avoid problems associated with resyncing.
Also, the 3x key requirement seems excessive if the OTP is to be used in conjunction with the master password, right? Can this forced requirement be removed?
Thanks and great work on this project!
Support for time-based OTPs would of course be great. I've added it to my to-do list, thanks for the suggestion.
Everything less than 3 OTPs would be completely insecure (when an attacker retrieves two OTP auxiliary info files he could derive the actual secret key easily), thus the OtpKeyProv plugin enforces the usage of at least 3 OTPs.
A couple of other quick comments about OTPs:
- It would be great if you could add support for base32 keys, since this is the key format used by Google Authenticator OTP tool (adding a key generate option would be useful too to save a few steps!)
- For HOTP, it seems that the current implementation can lose sync very easily. It might be worth adding a "look-ahead" check on decrypt, as per RFC 4226 section 7.4, in order to correct any drift between the counter in KeePass and the counter on the OTP generator.
I'm not sure I fully understand the security risk from having less than 3 OTPs. Most multi-factor authentication schemes just use a single OTP combined with a master password, and based on my (limited) understanding of the algorithm, this should be sufficient. Is this due to how KeePass handles different key providers to unlock the database? Perhaps you could add a separate password entry directly to the OTP plugin to provide the extra necessary bits.
Unfortunately, having to enter multiple keys seems like a big usability barrier to implementing OTPs, especially if you add support for TOTP (3 keys x 30 second window = 60-90 second wait before being able to generate the necessary unlock keys).
Thanks again, love the program!
I've now released OtpKeyProv version 1.2, which adds support for Base32-encoded keys and counters.
Is there now a way to get the YubiKey to work together with the OtpKeyProv plugin?
According to , YubiKeys can generate OATH HOTPs. So, they already should work fine with OtpKeyProv.
Support for TOTP would be great, so that one can generate a key from within KeePass. Keep up the good work; KeePass is my most used tool! Thank you.
Heya, maybe I'm missing something, but seeing as you can enter the secret key to recover/resync the database, isn't the end result just a static password if you only use OtpKeyProv? Or, if used with a master password, it's a 2nd static password, and the OTP bit is moot.
I guess the main point is to stop people from capturing and reusing the OTP, and the only time the attacker would get lucky is if he/she caught the secret key at setup/resync time.
I'll still be using it, if only to get a 2nd password.
Sorry if I'm making no sense, I pretty much suck at explaining my thoughts.
Dominik, could you tell me the SHA-1 of the plugin, please. I did have another post about plugin sigs, and not sure if it got missed, but I don't like bumping posts more than once.
Any chance you can also add a time-based option for generating OTPs?
It's both annoying and risky to open the XML file to verify the current count each time.
It would expand its use with tools like Google Authenticator, too.
Aroldo de Mattos Bossoni
I need to use KeePass Portable at several customers on various untrusted workstations.
As KeePass is vulnerable to keyloggers, it is essential to use OtpKeyProv. However, for me, importing a token is expensive.
I eagerly await compatibility of OtpKeyProv with Google Authenticator; it is the only solution for my case.
You could use a key file and password. Keep the key file on a USB stick
Aroldo de Mattos Bossoni
A simple program that copies the files from the USB stick would compromise the security of the database.
That requires a KeePass specific "key logger". There is no defence against that.
OTP is protection against that.
No it isn't. A KeePass specific logger will wait for you to open the database and then extract all the data.
If I were an attacker and had full access to the user's PC, I'd first copy the database and all auxiliary files and then install a keylogger. Having both the database + auxiliary files and the keylogged OTPs, I can open the database. Of course here the order is important: it's essential to first copy the files and afterwards log the required OTPs. In the other order, the OTPs are not the required ones. This attack doesn't require KeePass-specific tools; basic spyware capabilities are sufficient.
In summary, if you have spyware on your PC, even OTPs won't help. In client-server systems, OTPs might help, but not for local applications like KeePass.
If the computer runs Windows 2000, Vista or 7, you can enter the master password on the secure desktop.