#1756 OptKeyProv plugin: Request ability to use 1 OTP with fixed password

OtpKeyProv (3)

Ideally, two factor authentication would use a fixed password with a single HOTP. Currently this is not possible with the OtpKeyProv plugin. However, an option in the OtpKeyProv interface to encrypt the Secret Key with a Password and a single HOTP would allow this authentication model to be implemented, presumably without compromising the security of Secret Key.


  • Nik Silver

    Nik Silver - 2017-01-25

    I'd also like to support the request to allow the "Number of OTPs required to open the database" to be as low as 1. Currently the minimum is 3. This makes it very inconvenient to use.

    For example, with a Yubikey using slot 2 you have to hold down the button for three seconds to generate one OTP. So that's a minimum of 9 extra seconds to open Keepass. Also, given that it's good for Keepass to auto-close after a few seconds of inactivity this inconvenience is multiplied.

    Allowing just one OTP would be great.

  • Paul

    Paul - 2017-01-26

    This request is for a password and OTP, not a single OTP, which is not secure.

    You could just keep a key file on the USB and use a simple password as well.

    cheers, Paul

  • Nik Silver

    Nik Silver - 2017-01-26

    Paul, thanks for the reply.

    My request is indeed for password plus a single OTP.

    Yes, password plus a key file on a USB stick would be more secure than a password alone. However, I was seeking to use a password plus OTP, which is more secure again. OtpKeyProv gives this last one, but three OTPs is cumbersome, and I was seeking to have the increased security of an OTP with greater ease of use that comes with just one OTP.

    I gather from the thread you linked to that just using one or two OTPs is not secure because they are currently HOTP (event-based) and the state is stored externally. However, I understand that a time-based OTP (TOTP) would allow a single OTP to be secure.

    Based on that, should this feature request be closed (because the request is too insecure)? And I should I add my support to the other feature request for a TOTP?


Log in to post a comment.