adding google authentication to keepass

Help
2018-02-06
2020-12-31
  • Willem Kamphorst

    Hello everyone,

    I have some problems with adding 2FA to my KeePass. This is the situation. I have installed KeePass 2.38 on my computer, set my master password, changed the language and added the auto-type function. I've already made a new entry just to practice.

    So, I have read much on the internet about how to do it, but because English is not my native tongue I am somewhat lost. I am also not an IT person, just a noob that wants to secure his KeePass. I have succeeded in adding the KeeOtp and OtpKeyProv plugins to the KeePass database.

    I have already a google account with 2fa and the authenticator app on my phone. But I don't know how to connect my authenticator app or google authentication with keepass. Normally I scan a qr code with my app and this is it.

    Can someone please help me to get it to work?
    I really would appreciate it.

    Willem

     
  • wellread1

    wellread1 - 2018-02-06

    Time based or counter based second factor authentication technologies are better suited to protect cloud/web based services, e.g. Google.com, DropBox.com etc., than to protect purely local assets such as a KeePass database. My recommendation is to use only a strong master password as database master key unless you can articulate a specific reason for using a second factor ("more" or "better" are not specific reasons).

    If you wish to use second factor authentication you can include a key file as a component of your database master key. However, this increases complexity, and to be effective, you need to be able to keep the second factor (the key file) secure. Secure is different than hidden or obfuscated, and in practice it is usually inconvenient, but it is useful in some circumstances, e.g., the database is stored in the cloud while the key file is stored locally. A key file is considered an expert option.

    It is also possible to protect a database with counter based, but not time based, second factor authentication. This type of authentication strategy is even more complex and may be more inconvenient than a key file. Plugins that can do this are found in the Cryptography and Key Providers section of the plugins page. The OtpKeyProv and KeyChallenge plugins are two notable approaches.


    It is convenient to use KeePass as a Google Authenticator type application that can generate time based second factor authentication tokens to authenticate when accessing cloud/web accounts. The Tray TOTP and KeeOtp plugins are examples of this. I use Tray TOTP. One criticism of this strategy might be that if a single database stores both the account password and the second factor seed (secret), the database becomes a single point to attack, albeit a well protected one if you use a strong master password and keep your computer free from malware.

     

    Last edit: wellread1 2018-02-06
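    The post above contrasts counter based (HOTP) and time based (TOTP) tokens and mentions that the TOTP seed ends up in the database. Below is an added example, not code from this thread or from any KeePass plugin, showing how both token types are derived from the same seed: TOTP is simply HOTP with the counter replaced by floor(unix_time / step). The `decode_base32_secret` helper and the `verify_totp` skew handling are this example's own additions; the test secret is the one published in RFC 4226 / RFC 6238.

    ```python
    import base64
    import hashlib
    import hmac
    import struct
    import time

    # Shared test secret from RFC 4226 and RFC 6238 (ASCII "12345678901234567890").
    RFC_TEST_SECRET = b"12345678901234567890"


    def decode_base32_secret(seed: str) -> bytes:
        """Decode the Base32 seed carried in an otpauth:// QR code.

        Issuers frequently omit the '=' padding and insert spaces, so both are
        normalised before decoding.
        """
        seed = seed.strip().replace(" ", "").upper()
        seed += "=" * (-len(seed) % 8)
        return base64.b32decode(seed)


    def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
        """RFC 4226 counter based token.

        HMAC(secret, 8-byte big-endian counter), then 'dynamic truncation':
        the low nibble of the last MAC byte selects a 4-byte window whose
        top bit is cleared, and the result is reduced to `digits` decimals.
        """
        msg = struct.pack(">Q", counter)
        mac = hmac.new(secret, msg, algo).digest()
        offset = mac[-1] & 0x0F
        code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
        return str(code % 10 ** digits).zfill(digits)


    def totp(secret: bytes, unix_time=None, step: int = 30,
             digits: int = 6, algo=hashlib.sha1) -> str:
        """RFC 6238 time based token: HOTP with counter = floor(time / step)."""
        if unix_time is None:
            unix_time = time.time()
        return hotp(secret, int(unix_time) // step, digits, algo)


    def verify_totp(secret: bytes, code: str, unix_time, step: int = 30,
                    digits: int = 6, skew: int = 1) -> bool:
        """Constant-time check of `code` against the current step and +/- `skew`
        neighbouring steps, which tolerates small clock drift between devices."""
        return any(
            hmac.compare_digest(totp(secret, unix_time + k * step, step, digits), code)
            for k in range(-skew, skew + 1)
        )


    def next_hotp_codes(secret: bytes, start_counter: int, count: int) -> list:
        """Enumerate the next `count` counter based codes.

        A counter based scheme lets the holder of the secret know in advance
        exactly which codes will be presented next; a time based scheme cannot
        be enumerated this way because the counter is the wall clock.
        """
        return [hotp(secret, c) for c in range(start_counter, start_counter + count)]


    if __name__ == "__main__":
        print("HOTP counter 0:", hotp(RFC_TEST_SECRET, 0))
        print("TOTP at t=59  :", totp(RFC_TEST_SECRET, 59))
        print("TOTP now      :", totp(RFC_TEST_SECRET))
    ```

    Because every value above is a pure function of the seed, anyone holding the seed can produce valid codes; that is what makes storing the seed next to the password a single point of attack, as the post notes.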
  • Paul

    Paul - 2018-02-07

    +1 for strong master password only.
    Makes it easy to recover your passwords from a major crash as long as you have a backup of the database.

    cheers, Paul

     
  • Thomas

    Thomas - 2020-12-28

    I work in cybersecurity and while I highly respect the project, I disagree a bit with the assessment that 2FA would just be security theater for local storage, especially for such an important database. One threat model to consider (and an incredibly common one) is malware with a bundled keylogger that can also pull back recently used files. With 2FA, even if they log your master password and exfil your db, they won't be able to open the db remotely. The otpKeyProv plugin is probably the solution here, but so far I can't find a lot of documentation for it. It'd be nice to see this integrated directly into KP.

     

    Last edit: Thomas 2020-12-28
    • Sven Bent

      Sven Bent - 2020-12-30

      Importance of data does not affect how threat actors work.

      The problem is the situation you bring up is an already lost one because you failed to protect your equipment.
      If you have malicious software on your system, adding 2FA still does nothing, as the malicious software simply, instead of keylogging, reads the data / takes over the system when you have unlocked the database.

      Your solution provides NO added security on a threat vector level. You are just simply ignoring how things work to just focus on keyloggers.

       
  • Paul

    Paul - 2020-12-29

    That is easy to work around by using "Enter master key on secure desktop" in Tools > Options > Security, Advanced.

    cheers, Paul

     
  • Thomas

    Thomas - 2020-12-30

    Yeah, that's admittedly a great feature, but still puts all the trust in the stack you're running instead of something out of band, so it doesn't provide exactly the same guarantees. We've seen a few supply chain attacks this year, low level 0days are always a risk, and malware can mimic screen dimming to harvest creds. Having an independent challenge / response system will always add a layer of defense that makes targeting your information orders of magnitude harder for any attacker.

    Dev cycles are precious, though, so I'm totally sympathetic that this likely can't be prioritized or anything. I just don't want 2FA solutions like TOTP dismissed too hastily. It's good tech and provides a unique level of security guarantees and usability; that's why it's becoming so widely embraced.

     
    • Sven Bent

      Sven Bent - 2020-12-30

      If your argument is that software is advanced enough to bypass on-computer security post infection, then you can classify your 2FA as the same.
      For 2FA to work you need a third party involved that can deny access to the protected data.
      You don't have that in your situation, as you have already lost the ability to deny access once infected.

       
  • Paul

    Paul - 2020-12-30

    If the malware is that advanced then you have lost any security...

    cheers, Paul

     
  • T. Bug Reporter

    T. Bug Reporter - 2020-12-30

    Why do so many people start fighting only after they've already lost the war? The idea is to keep the malware off your machine; measures that try to cope with the malware that's already on the machine are worthless - unless they're actively trying to remove said malware.

     
  • Thomas

    Thomas - 2020-12-31

    This is one of those topics that can easily get a bit holy war-ish... so let me just say up front, although I have a different take here, security is full of hard problems and tough tradeoffs. So I have huge respect for anyone trying to navigate them. We can disagree and still be fighting the same fight. And these tradeoffs are tough, so I might be wrong here in my respect for 2FA.

    There's one common argument I see in this field that worries me a bit though.
    1) Ask for a threat that could possibly need that new security feature,
    2) Dismiss that threat as too sophisticated to defend against anyway.

    I understand the rationale. You don't want to waste resources on either non-threats, or unstoppable threats. You want to focus on the threats that you can impact.

    I worry about the argument though, because it often dismisses too much too fast. It can be weaponized to dismiss almost anything.

    So when I'm evaluating features, I know there's no perfect security. It's always about tradeoffs, and I think more about forcing attackers to expend more resources, or move to more obvious or less tested methods.

    Per T. Bug, I agree it's important to fight at and outside the perimeter too. But if I was convinced my machine was bulletproof, I wouldn't need an encrypted db anyway. The reason I recommend tools like this is to add defense in depth, to hedge risks at multiple layers.

    For Sven, I understand why you would prioritize 2FA for cloud-based systems, but I've seen it work in local situations as well, it really depends what your local environment is like. I think you're making assumptions about how I'm trying to deploy this that aren't what I'm aiming for. This would be easy to explain over a few beers with a whiteboard or demo in a lab, but probably impossible to convince anybody of in an adversarial forum, so we'll probably just have to disagree on this one.

    Sorry for getting anybody riled up, but I still believe there are genuine use cases for 2FA, that it's not just security theater. I don't think I'm going to convince anyone, but if someone stumbles on this from a google search, hopefully they'll just catch on that there are reasonable disagreements about 2FA, and maybe won't dismiss it too hastily for their own project.

    Thanks for your time.

     
  • Paul

    Paul - 2020-12-31

    2fa is not a solution to access on a compromised machine.
    There are reasonable arguments for its use and there are multiple plug-ins to allow you to add varieties of 2fa to your database. Adding it natively would be a duplication of effort for no security advantage.

    cheers, Paul

     
  • Thomas

    Thomas - 2020-12-31

    "2fa is not a solution to access on a compromised machine."
    "no security advantage"

    Yup, you've said that you believe that; and we just disagree, full stop.

    C'est la vie! Hope you have a good one all the same.

     
