Time-based OTP

(Page 1 of 2)
  • Anonymous

    Anonymous - 2011-11-02

    Might it be possible to update the OtpKeyProv plugin to add the option for time-based OTP (TOTP) rather than just counter-based? (as per RFC 6238). Most of the soft-token solutions available support both (such as Google Authenticator).

    Time-based tokens would avoid problems associated with resyncing.

    Also, the 3x key requirement seems excessive if the OTP is to be used in conjunction with the master password, right? Can this forced requirement be removed?

    Thanks and great work on this project!

  • Dominik Reichl

    Dominik Reichl - 2011-11-02

    Support for time-based OTPs would of course be great. I've added it to my to-do list, thanks for the suggestion.

    Everything less than 3 OTPs would be completely insecure (when an attacker retrieves two OTP auxiliary info files he could derive the actual secret key easily), thus the OtpKeyProv plugin enforces the usage of at least 3 OTPs.

    Best regards

  • Anonymous

    Anonymous - 2011-11-03

    Cool, thanks!

    A couple of other quick comments about OTPs:
    - It would be great if you could add support for base32 keys, since this is the key format used by Google Authenticator OTP tool (adding a key generate option would be useful too to save a few steps!)
    - For HOTP, it seems that the current implementation can lose sync very easily. It might be worth adding a "look-ahead" check on decrypt, as per RFC 4226 section 7.4, in order to correct any drift between the counter in KeePass and the counter on the OTP generator

    I'm not sure I fully understand the security risk from having less than 3 OTPs. Most multi-factor authentication schemes just use a single OTP combined with a master password, and based on my (limited) understanding of the algorithm, this should be sufficient. Is this due to how KeePass handles different key providers to unlock the database? Perhaps you could add a separate password entry directly to the OTP plugin to provide the extra necessary bits.

    Unfortunately, having to enter multiple keys seems like a big usability barrier to implementing OTPs, especially if you add support for TOTP (3 keys x 30 second window = 60-90 second wait before being able to generate the necessary unlock keys).

    Thanks again, love the program!

  • Dominik Reichl

    Dominik Reichl - 2011-11-12

    I've now released OtpKeyProv version 1.2, which adds support for Base32-encoded keys and counters.

    Best regards

  • karl lohnauer

    karl lohnauer - 2011-11-26

    Dear Dominik,

    Is there now a way to get the YubiKey to work together with the OtpKeyProv plugin?

    Best Regards

  • Dominik Reichl

    Dominik Reichl - 2011-11-26

    According to , YubiKeys can generate OATH HOTPs. So, they already should work fine with OtpKeyProv.

    Best regards


  • Thomas Haller

    Thomas Haller - 2011-12-06

    Support for TOTP would be great - so that one can generate a key from within KeePass. Keep up the good work; KeePass is my most used tool! Thank you.

  • Nurple

    Nurple - 2011-12-11

    Heya, maybe I'm missing something, but seeing as you can enter the secret key to recover/resync the database, isn't the end result just a static password if you only used OtpKeyProv, or if used with a master password it's a 2nd static password, and the otp bit is moot.

    I guess the main point is to stop people from capturing and reusing the OTP, and the only time the attacker would get lucky is if he/she caught the secret key at setup/resync time.

    I'll still be using it, if only to get a 2nd password.

    Sorry if I'm making no sense, I pretty much suck at explaining my thoughts.

    Dominik, could you tell me the SHA-1 of the plugin, please. I did have another post about plugin sigs, and not sure if it got missed, but I don't like bumping posts more than once.

  • tachycore

    tachycore - 2012-03-02

    Dear Dominik,

    Any chance you can also add a time-based option for generating OTPs?

    It's both annoying and risky to open the XML file to verify the current count each time.

    It would expand its use with tools like Google Authenticator, too.


  • Aroldo de Mattos Bossoni

    I need to use KeePass Portable at several customers' sites, on various untrusted workstations.
    Since KeePass is vulnerable to keyloggers, it is essential to use OtpKeyProv. However, importing a token is expensive for me.
    I eagerly await OtpKeyProv compatibility with Google Authenticator; it is the only solution for my case.

  • Paul

    Paul - 2012-10-05

    You could use a key file and password. Keep the key file on a USB stick

    cheers, Paul

  • Aroldo de Mattos Bossoni

    A simple program that copies the files from the USB stick would compromise the security of the database.

  • Paul

    Paul - 2012-10-06

    That requires a KeePass specific "key logger". There is no defence against that.

    cheers, Paul

  • Aroldo de Mattos Bossoni

    OTP is protection against that.

  • Paul

    Paul - 2012-10-07

    No it isn't. A KeePass specific logger will wait for you to open the database and then extract all the data.

    cheers, Paul

  • Dominik Reichl

    Dominik Reichl - 2012-10-07

    If I were an attacker and had full access to the user's PC, I'd firstly copy the database and all auxiliary files and secondly install a keylogger. Having both the database + auxiliary files and the keylogged OTPs, I can open the database. Of course here the order is important: it's essential to first copy the files and afterwards log the required OTPs. In the other order, the OTPs are not the required ones. This attack doesn't require KeePass-specific tools; basic spyware capabilities are sufficient.

    In summary, if you have spyware on your PC, even OTPs won't help. In client-server systems, OTPs might help, but not for local applications like KeePass.

    Best regards

    • CYPER

      CYPER - 2014-01-10

      How can an attacker open the DB with used OTPs?
      Do you mean that the attacker will somehow manage to create a fake database where these OTPs would not be accepted, but then again they will be generated, so they will still be considered used?

      • Paul

        Paul - 2014-01-11

        How can an attacker open the DB with used OTPs?

        Easily if they have recorded the state of the OTP counter before the database was opened and recreate those conditions.
        If you have malware nothing is secure.

        cheers, Paul

  • Janzomaster

    Janzomaster - 2013-06-29

    I see this thread is quite old, and I don't understand all of it - is using the Google Authenticator to open a KeePass 2 password safe possible?

  • Paul

    Paul - 2013-06-29

    Possibly. Does the GA support OATH HOTP standard (RFC 4226)?
    See the KeePass page: http://keepass.info/plugins.html#otpkeyprov

    cheers, Paul

  • superskid

    superskid - 2013-11-06

    Is there a walkthrough on how to set up 2FA with OtpKeyProv? I don't want to type something in, then choose the wrong options and have Google Authenticator not work and never be able to get into my database.

  • wellread1

    wellread1 - 2013-11-06

    Create a test database to use with the OtpKeyProv plugin and take a look at these two threads for some additional background information and a test configuration.

  • João Ciocca

    João Ciocca - 2017-11-07

    Wow, 6 years. Hey Dominik, is there anything anyone can do to help implement time-based OTP?
