2-step authentication for unlocking db?

Yoav Mor
2013-07-11
2015-12-27
  • Yoav Mor

    Yoav Mor - 2013-07-11

    More of a feature request than a question, really...
    Using an Authenticator app, like the one used by Google, Dropbox, 50BTC,
    etc., it would be great if we had a way to unlock the DB with a code
    generated by a smartphone app. 2-Step authentication is much better than a
    password.

     
  • iminj

    iminj - 2013-07-12

    I can't find any documentation to set this up.

    You have to configure BOTH OtpKeyProv on the PC AND Google Authenticator on the smartphone to achieve a connection that will open the KeePass DB. If anyone has a setup that works, can you please share the details?

    Thanks.

     
  • wellread1

    wellread1 - 2013-07-12

    There is a OtpKeyProv_ReadMe.html in the zip file that includes configuration information on the KeePass side.

     
  • iminj

    iminj - 2013-07-13

    Thanks wellread1.

    I read the included readme before I posted my plea for assistance. Unfortunately, detailed settings required by the plugin and also Google Auth. are not explained; specifically:

    OtpKeyProv plugin :

    (1) Length of OTP - I am assuming 6, format "Dec" (decimal). RIGHT or WRONG?
    (2) Number of OTPs - I need 1 (I think), plugin offers no less than 3
    (3) Look Ahead Count - not sure what to choose if I need EXACTLY 1 OTP
    (4) Token Generator - not sure to ENABLE or to DISABLE
    (5) Secret Key - assume I create my own password and use it in the plugin + Google Auth.
    - are there any needed properties, - length of key, and HEX or DEC, etc?

    Google Authenticator:

    (6) To add a new account the options are Scan Barcode or Enter Provided Key. I assume to enter the password created in Step 5 in the OtpKeyProv set-up. RIGHT or WRONG?
    (7) Type of Key - 2 choices: Time based or Counter based; which one is correct?

    Thanks in advance to anyone who has successfully configured this, and will share the config. details here.

     
  • iminj

    iminj - 2013-07-13

    Thanks Paul. OK, here is what I did:

    (1) Logged into my google account, 2 Step Verification setup, and created an application specific password for KeePass.

    (2) Google generated a password that looks like this: "abcd efgh ijkl mnop qrst". 20 lower case letters, and google claims the spaces are irrelevant.

    (3) On the OtpKeyProv side, I set the OTP length to 6 DEC, and entered the 20 letter key (without spaces). Every other setting is default.

    (4) On the Google Auth. app I created a new KeePass account, and entered the same 20 letter key (no spaces), time-based.

    (5) When I attempt to open the KeePass DB, I entered the 4 requested OTPs, and I receive an error: "Failed to create OTP Key".

    (6) Using the Recovery Tab, I was able to successfully open the DB by entering the 16 letter password.

    Thanks.

     
    Last edit: iminj 2013-07-13
  • wellread1

    wellread1 - 2013-07-13

    (4) On the Google Auth. app I created a new KeePass account, and entered the same 20 letter key (no spaces), time-based.

    The KeePass OTPKeyProv does not support time based OTPs (TOTPs).

    (5) When I attempt to open the KeePass DB, I entered the 4 requested OTPs, and I receive an error: "Failed to create OTP Key".

    Not sure what you are doing here since you said you were using TOTPs. But you need to generate four consecutive six character OTPs in Google authenticator, then enter these into KeePass in order. (The google authenticator counter must match the KeePass counter).

    (6) Using the Recovery Tab, I was able to successfully open the DB by entering the 16 letter password.

    Recovery works because KeePass can generate the correct four OTPs based on the correct Secret Key that you provided and the counter stored by KeePass.

     
    Last edit: wellread1 2013-07-13
  • iminj

    iminj - 2013-07-13

    Thanks wellread1

    After reading your comments, I wiped everything out and started fresh.

    This time I selected "Counter based" on the Google Authenticator app instead of time-based. I still get the "Failed to create OTP Key" error when attempting to open the KeePass DB.

    You commented in your post: "(The google authenticator counter must match the KeePass counter)." Maybe this is a helpful clue.

    When setting up OtpKeyProv, the user is prompted for a "Counter". I have been using the default setting which is 0. Now I wonder if this might be incorrect. How do I determine the correct "Counter" setting, and ensure that both OtpKeyProv and Google Auth. are matched? I am not prompted for a "counter" setting when I set up the KeePass account in Google Auth.

    Thank you.

     
  • wellread1

    wellread1 - 2013-07-13

    The difficulty arises with Google authenticator user documentation. It is expecting a base32 (secret) key. You must set the Secret Key to base32 in KeePass and restrict your Secret Key to the base 32 character set: a-z, 2-7. KeePass allows "=" but Google authenticator does not. Also, base32 secret key lengths are multiples of 8 characters.

    A test configuration that works:

    Set the Configure OTP Lock:
    Length: 6
    Secret key: abcdefghxz234567 (base32)
    Counter: 0 (Dec)
    Number of OTPs: 3
    Look ahead: 9 (allows 3 failed KeePass unlock attempts using newly generated OTPs before a recovery becomes necessary because the counters have become too far out of sync.)

    Set Google authenticator
    Secret Key: abcdefghxz234567
    counter: counter based

    The first 6 OTPs will be:
    442843
    724600
    994767
    847513
    160505
    583080

    Make sure you never lose the Secret key or you will be permanently locked out of KeePass if the counters get out of sync. Also recognize that the true secret is the Secret Key not the OTPs.

     
    Last edit: wellread1 2013-07-13
  • iminj

    iminj - 2013-07-13

    Thank you, wellread1! I can confirm that your test configuration works.

    My problem wasn't the Counter being out of sync. I was not complying with the base32 format requirements (a-z and 2-7, no "=") and key length (multiples of 8) on both the Plugin and the Google Auth. sides of the configuration. Although I don't fully understand the significance of Look Ahead set at 9 yet, it works.

    When I attempted to open the KeePass DB, the plugin popped up a screen requesting 3 OTPs. I entered the first 3 generated by the Google Auth app on my phone, and VOILA!! ... I was in the DB. To be sure, I tested it several times, and it worked - which means the "Counter" is remaining in sync.

    Thanks again !!

    Paul: Looks like wellread1 has developed a proven setup that can be described in the documentation.

     
    Last edit: iminj 2013-07-13
  • wellread1

    wellread1 - 2013-07-13

    I don't have a good feel about what the appropriate Look Ahead should be. You will need to set this as low as possible, but high enough so that you are not constantly recovering.

    Consider what happens if you use Google Authenticator but the KeePass database unlock fails, e.g. because you made a typo. The Google Authenticator counter will have advanced by 3 but the KeePass counter will not have advanced at all. KeePass will still be expecting the original 3 OTPs but Google authenticator will be generating the next OTPs in the sequence. If you fail to unlock KeePass 3 times in a row and you generated new OTPs each time, the Google authenticator counter will be 9 ahead of the KeePass counter.

    The KeePass counter gets set to the correct value after a successful database unlock, i.e. it is set to match Google authenticator, so a look ahead of 9 is probably overly permissive. The problem with a large look ahead is that the "effective" password is weaker.

     
  • Alexander Politov

    Let me explain some tests I've done. For Lookahead = 0, one should specify Count = 1 (Dec). I believe Count = 1 corresponds to the first OTP generated by Google Authenticator.

    So a test configuration that works:

    Set the Configure OTP Lock:
    Length: 6
    Secret key: qwertyuiqwertyui (base32)
    Counter: 1 (Dec)
    Number of OTPs: 3
    Look ahead: 0

    Set Google authenticator
    Secret Key: qwertyuiqwertyui
    counter: counter based

    The first 6 OTPs will be:
    904202
    483894
    669161

    361511
    865733
    933365

    963652
    210224
    569767

    I've correctly opened the DB three times.

     
  • wellread1

    wellread1 - 2013-07-19

    Lookahead specifies how far ahead of the KeePass counter the Google authenticator counter is allowed to be and still open the database. The KeePass and Google authenticator counters can become out-of-sync if you accidentally trigger the Google authenticator, or as a result of a failed KeePass unlock attempt where you neglected to record one or more of the required OTPs (so that you cannot try to unlock the database using the same OTPs).

    In your example where the Lookahead = 0, and for the case where the KeePass counter is at 0, then the Google authenticator counter must also be at 0, and only the OTP sequence "904202, 483894, 669161" would unlock the KeePass database. Once the KeePass database is successfully unlocked with this sequence, KeePass would increment its counter by 3 (in your example where: Number of OTPs =3) and it would require the next sequence "361511, 865733, 933365" at the next unlock.

    However if the KeePass Lookahead = 3 then "904202, 483894, 669161" or "483894, 669161, 361511" or "669161, 361511, 865733" would unlock the KeePass database if the KeePass counter is at 0. The advantage of using a Lookahead > 0 is that if the counters get out of sync you can still open the database without resorting to Recovery Mode. The disadvantage of a large Lookahead is that it weakens the protection on the database.

    I believe the effective decrease in entropy as a function of Lookahead is: Entropy decrease = log2(Lookahead)

    So a Lookahead of 8 would decrease the strength of the protection on the database by 3 bits (8x).

     
    Last edit: wellread1 2013-07-20
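The thread never shows what the plugin and the phone are actually computing, so here is an added Python model of it (example code written for this page, not code from OtpKeyProv or Google Authenticator). It covers two of the posts above: the base32 key rules from wellread1's working configuration (a-z and 2-7 only, no "=", length a multiple of 8) and the counter/look-ahead behaviour from the Lookahead explanation. The HOTP generation is RFC 4226 (HMAC-SHA1, dynamic truncation). The window semantics are an assumption taken from the posts rather than a reading of the plugin source: a run of Number-of-OTPs consecutive codes is accepted if it starts anywhere from Counter up to Counter + Look ahead, and a successful unlock resyncs the stored counter to just past that run. The expected values use the RFC 4226 test secret rather than the thread's keys, so they can be checked against the published test vectors.

```python
"""HOTP (RFC 4226) with an OtpKeyProv-style look-ahead window.

Added example for this thread; it is not code from the OtpKeyProv plugin
or from Google Authenticator. The window semantics are an ASSUMPTION taken
from the posts above: the entered run of OTPs must match consecutive
counters starting anywhere from `stored_counter` up to
`stored_counter + look_ahead`, and a successful unlock resyncs the stored
counter to just past the accepted run.
"""
import base64
import hashlib
import hmac
import math
import re
from typing import List, Optional

# RFC 4226 Appendix D test secret ("12345678901234567890"), base32-encoded.
# Constructed for the example; not one of the keys used in the thread.
RFC4226_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def validate_base32_secret(secret: str) -> bytes:
    """Enforce the key rules from the thread: base32 alphabet only
    (a-z / A-Z, 2-7), no '=' padding, and a length that is a multiple
    of 8 characters so the string decodes identically on both sides."""
    if not re.fullmatch(r"[A-Za-z2-7]+", secret):
        raise ValueError("secret must use only a-z and 2-7 (no '=')")
    if len(secret) % 8:
        raise ValueError("base32 secret length must be a multiple of 8")
    return base64.b32decode(secret.upper())


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then the low `digits` decimal digits."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def otp_sequence(key: bytes, start: int, count: int, digits: int = 6) -> List[str]:
    """The `count` codes a counter-based authenticator emits from `start`."""
    return [hotp(key, start + i, digits) for i in range(count)]


def try_unlock(key: bytes, stored_counter: int, entered: List[str],
               look_ahead: int, digits: int = 6) -> Optional[int]:
    """Model of the unlock check (assumed semantics, see module docstring).

    Returns the new stored counter on success, or None if no window in
    [stored_counter, stored_counter + look_ahead] matches the entered run.
    """
    count = len(entered)
    typed = "".join(entered)
    for start in range(stored_counter, stored_counter + look_ahead + 1):
        expected = "".join(otp_sequence(key, start, count, digits))
        if hmac.compare_digest(expected, typed):
            return start + count
    return None


def strength_loss_bits(look_ahead: int) -> float:
    """In this model look_ahead + 1 distinct runs unlock the database,
    so the space an attacker must search shrinks by log2(look_ahead + 1) bits."""
    return math.log2(look_ahead + 1)


if __name__ == "__main__":
    key = validate_base32_secret(RFC4226_SECRET_B32)
    codes = otp_sequence(key, 0, 9)            # three unlocks' worth of codes
    print("first nine OTPs:", codes)
    # Counters in sync: the first run of three unlocks, counter moves to 3.
    print("in sync, look_ahead=0:", try_unlock(key, 0, codes[0:3], 0))
    # Phone one code ahead (a code was generated and discarded): no window.
    print("one ahead, look_ahead=0:", try_unlock(key, 0, codes[1:4], 0))
    print("one ahead, look_ahead=3:", try_unlock(key, 0, codes[1:4], 3))
    print("bits lost at look_ahead=9: %.2f" % strength_loss_bits(9))
```

Running the script reproduces the RFC 4226 sequence (755224, 287082, 359152, ...) and walks through the situations wellread1 describes: in sync with Look ahead 0 the first three codes unlock and the stored counter becomes 3; with the phone one code ahead the same Look ahead 0 fails, while Look ahead 3 accepts the shifted run and resyncs. `strength_loss_bits` makes the trade-off concrete for this model, which counts the windows as look_ahead + 1.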
    • sp0_0ky

      sp0_0ky - 2015-12-27

      So what is the procedure to re-sync the counters between Google Authenticator and KeePass (e.g. in cases of extreme fat-fingering)?

      Thanks,
      JB

       
      • Paul

        Paul - 2015-12-27

        You need to set it up from scratch.

        cheers, Paul

        p.s. please don't reply in the middle of old threads, it's hard to find and difficult to keep up. the end of threads is preferable, new thread with a reference is best.

         
  • ericchaffey

    ericchaffey - 2013-10-29

    This is a fantastic plugin and I can confirm it working with Google Authenticator as described by wellread1 and Alexander.

    I wanted to mention another Android app I found today that seems to work just as well, but allows for the OTP Length to be 6, 7 or 8. It also allows for a Hex, Base 32 or Base 64 key or as the app calls it, seed. It also has the ability to set a PIN to open the app. So far everything seems to work well, but I haven't performed days or weeks of inputting OTPs to see how well it keeps the sync.

    Using the example that has been provided, here is how I set it up:

    Set the Configure OTP Lock:
    Length: 8
    Secret key: qwertyuiqwertyui (base64)
    Counter: 0 (Dec)
    Number of OTPs: 3
    Look ahead: 0

    Set Android Token
    Token Type: Event Token
    Name: test - Serial No: 1234
    OTP Length: 8
    Token Seed Method: Direct Seed Entry
    Token Seed Value: qwertyuiqwertyui (base64)

    So far this seems to work out. I have even tested with the number of OTPs set at 6 and had no issues opening the DB several times.

    Thanks for all your help and hopefully this can be a good alternative to using Google Authenticator.

     
  • iminj

    iminj - 2013-11-01

    Thanks ericchaffey. Would you mind sharing the name of the alternative Android App you were working with?

    I never found a 2FA app (other than Google Authenticator) that was able to handle counter based OTP configurations. Thanks.

     
  • superskid

    superskid - 2013-11-06

    I got this working with the comments above, but a time based system would be much better so that you don't have to worry about this goofy look ahead setting.

     
  • wellread1

    wellread1 - 2013-11-06

    Time based OTPs aren't feasible because the secret key has to be encrypted with the pre-computed OTPs.

     
  • ericchaffey

    ericchaffey - 2013-11-14

    Geez, I'm an idiot, I thought it was in my post, sorry. The app is Android Token, open source. Found it on F-Droid first but it's also on the play store. I've gotten it to work with this as well as KeeOTP for Google Two Factor Auth.

    It also works well with the Two Factor Auth I have on my computer, using google two factor for linux.

    I have both apps, Google Auth and Android Token setup for some of my accounts to see if the latter loses sync. After a couple weeks, everything is still on track.

    @superskid, I have 0 lookahead and everything works fine. The only problem is putting in one wrong code, submitting, then everything is effed. Remember your generator token.

     
