
#2971 Add native 2FA support: YubiKey HMAC-SHA1 Challenge-Response (compatible with KeePassXC, KeePassium, KeePass2Android)

Milestone: KeePass_2.x
Status: open
Owner: None
Priority: 5
Updated: 2 days ago
Created: 2 days ago
Creator: Jan Menzel
Private: No

I would like to request native support for YubiKey two-factor authentication in KeePass. Currently, the only way to use a YubiKey with KeePass is through the KeeChallenge plugin. However, this approach has two major drawbacks:

  1. The KeeChallenge plugin is no longer actively maintained
    The last updates were years ago, which poses a potential security risk. Users shouldn't rely on unmaintained plugins for critical authentication functionality.

  2. The KeeChallenge implementation is incompatible with other KeePass-compatible apps
    Many users need to access their password database across multiple platforms. The following apps all support YubiKey HMAC-SHA1 Challenge-Response natively, but they are incompatible with KeePass databases secured via KeeChallenge:

- KeePassXC (Windows, macOS, Linux)
- KeePassium (iOS)
- KeePass2Android (Android)
- Strongbox (iOS/macOS)

This means users who want to use YubiKey 2FA across both desktop and mobile devices are forced to switch from KeePass to KeePassXC, despite preferring KeePass.

Requested functionality:
- Native integration of YubiKey HMAC-SHA1 Challenge-Response mode (no plugin required)
- Full compatibility with the existing ecosystem (KeePassXC, KeePassium, KeePass2Android, etc.)
- Support for multiple YubiKeys (backup keys) using the same shared secret
- Support for "Require Touch" (user presence confirmation)
- Variable length challenge support (as implemented in the ecosystem)

Technical background:
The standard used by KeePassXC, KeePassium, and other compatible apps is the YubiKey HMAC-SHA1 Challenge-Response mode as specified in Yubico's official documentation. In this mode:

- The YubiKey receives a 64-byte challenge from the application
- It responds with an HMAC-SHA1 signature using a secret stored on the YubiKey
- This response serves as the second factor alongside the master password

This is the officially documented method by Yubico for two-factor authentication and is widely adopted across the KeePass ecosystem.

Why this matters:
The current fragmentation in the KeePass ecosystem forces users to make an unnecessary choice:
- Use KeePass (Windows-focused) but lose mobile YubiKey support
- Switch to KeePassXC for cross-platform YubiKey compatibility

A native YubiKey implementation in KeePass would:
- Eliminate security risks from unmaintained plugins
- Restore compatibility across all platforms
- Make KeePass future-proof for users who need both desktop and mobile access
- Keep users within the original KeePass ecosystem instead of losing them to forks

Additional resources:
- Yubico official documentation: https://developers.yubico.com/Developer_Program/
- KeePassXC YubiKey implementation: https://keepassxc.org/docs/#faq-yubikey
- KeePassium YubiKey support: https://support.keepassium.com/kb/yubikey/

Note on KeeChallenge incompatibility:
The KeeChallenge plugin uses a different implementation that stores an additional file in the database, making it incompatible with all other KeePass-compatible apps. The native implementation used by KeePassXC and mobile apps does not have this limitation and is the de facto standard in the ecosystem.

Thank you for considering this feature request. Native YubiKey support would be a significant improvement for all KeePass users who value both security and cross-platform accessibility.
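As an added illustration of the "Technical background" above (not code from KeePass, KeePassXC, KeeChallenge or Yubico), the Python below simulates one YubiKey HMAC-SHA1 slot in both fixed and variable-length mode, shows the host-side padding a variable-length challenge needs, and checks the backup-key property (two keys with the same 20-byte secret answer identically). The slot model assumes Yubico's documented variable-input behaviour of stripping trailing bytes equal to the last byte; the secret and challenge values are constructed for the demo.

```python
import hashlib
import hmac

SECRET_LEN = 20     # an HMAC-SHA1 slot on a YubiKey holds a 20-byte secret
CHALLENGE_LEN = 64  # the slot always receives a 64-byte challenge buffer

class SimulatedSlot:
    """Software stand-in for one YubiKey HMAC-SHA1 challenge-response slot.
    variable_length=True models the "variable input" slot option: the key treats
    the last byte of the buffer as a pad byte and strips every trailing byte equal
    to it before computing the HMAC. With it off, all 64 bytes are hashed as-is.
    Illustration only, not a device driver."""

    def __init__(self, secret: bytes, variable_length: bool) -> None:
        if len(secret) != SECRET_LEN:
            raise ValueError("slot secret must be exactly 20 bytes")
        self._secret = secret  # on real hardware this never leaves the key
        self.variable_length = variable_length

    def respond(self, buffer: bytes) -> bytes:
        if len(buffer) != CHALLENGE_LEN:
            raise ValueError("slot expects a 64-byte challenge buffer")
        if self.variable_length:
            buffer = buffer.rstrip(buffer[-1:])
        return hmac.new(self._secret, buffer, hashlib.sha1).digest()

def pad_challenge(challenge: bytes) -> bytes:
    """Host side of variable-length mode: fill the buffer to 64 bytes with a pad
    byte that differs from the challenge's last byte, so the key strips exactly
    the padding and none of the real challenge. A full 64-byte challenge would
    lose its own trailing run of equal bytes, so it is rejected, not truncated."""
    if not 0 < len(challenge) < CHALLENGE_LEN:
        raise ValueError("variable-length challenge must be 1..63 bytes")
    pad = b"\x00" if challenge[-1] != 0 else b"\x01"
    return challenge + pad * (CHALLENGE_LEN - len(challenge))

def expected_response(secret: bytes, challenge: bytes) -> bytes:
    """What a party holding the shared secret (e.g. while enrolling a backup key)
    can compute itself: HMAC-SHA1 over the unpadded challenge."""
    return hmac.new(secret, challenge, hashlib.sha1).digest()

def backup_keys_agree(secret: bytes, challenge: bytes) -> bool:
    """Two keys programmed with the same 20-byte secret must return the same
    20-byte response; that is what makes a spare key a drop-in replacement."""
    primary = SimulatedSlot(secret, variable_length=True)
    spare = SimulatedSlot(secret, variable_length=True)
    buf = pad_challenge(challenge)
    return primary.respond(buf) == spare.respond(buf) == expected_response(secret, challenge)
```

The fixed-length and variable-length slots give different answers to the same 64-byte buffer, which is why an application and all the clients sharing its database must agree on which mode (and which padding) they use.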
