Closed Generator closed 5 years ago
I know this is a requested feature, but I have to prioritize and do things in order to avoid regressions and keep stability. I need to implement the attached file management, which is also much requested. If developers want to participate in the development of the TOTP feature, do not hesitate! ;)
For folks looking to back up/sync their TOTP secrets across devices until this is implemented, there's AndOTP, which is also open source. It's really nice not to need to manage backup codes for each site separately. I'd much rather have it integrated into KeePass DX, though.
I'd post a bounty, but BountySource doesn't expose a UI for requesting refunds on expired bounties, and they charged me a fee to get my own money back after hanging onto my money and earning interest on it for a year.
This is the only feature I would like besides file attachments. Once this is added I think KeePassDX will be perfect in my opinion.
Pretty much the last thing I need from DX, excited! Thanks for your work @J-Jamet!
I integrated the pull request code with the current version of the application in the branch "feature/TOTP" #185
I noticed that the OTP was not implemented in the same way on the different KeePass clients. KeePass 2 ->
KeePass XC ->
I agree to directly integrate the TOTP format with a generator in the app but it is necessary to put a message which indicates that it is dangerous to put the passphrase of the OTP in the same base as the entry's password.
Can you tell what plugins you use when working with KeePass2 and how are the parameters stored?
Personally I'm using https://github.com/victor-rds/KeeTrayTOTP, but that's only a fork which supports steam variant.
@Offerel Yes, I am thinking of integrating the Steam format, but what is needed is to harmonize the formats stored in the database. If there are different methods for each plugin, it will be complicated.
I think it's best to first integrate the HOTP format and make it compatible with the TOTP. If a "totp" custom field is present in an entry, it takes precedence over the HMAC fields. One of the main problems will be to hide the fields used as OTP parameters in the Magikeyboard/Autofill and refresh an auto-generated OTP field. For the HOTP I was thinking about a manual increment system, but it can come later.
I'm using this in combination with KeePassXC. In the newest version it simply stores an attribute otp
and stores the full URL with settings in there
this is the configuration dialog
Example how a standard totp is stored
Example how steam token is stored:
Thank you @grimpy for the screenshots. I integrated your work, it's a great start. I'm trying to see why I cannot parse the otpauth URL. Maybe the Uri class built into older devices does not recognize it, so I changed your code a little. If the plugins work the same way I will focus on this method.
@J-Jamet KeepassXC[1] and Keepass2Android[2] implementations may be a helpful reference.
One thing to note: some providers, like Twitter, pad the secrets with spaces when being copied, and as most people copy and paste it in, they might not notice the extra spaces at the end. It would be a good idea to trim before saving the TOTP secret to the database.
Also as these two implementations are compatible with each other, it is better if the KeePassDX is compatible with both.
On the keyboard side, you may not need to refresh the TOTP; it can be calculated and inserted when the user presses that button. It does not need to be visible.
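The trimming advice above, together with the full `otpauth` URL storage described earlier in the thread, as an added example (not code from KeePassDX, KeePassXC or Keepass2Android). It parses an `otpauth://totp/` URI, strips pasted whitespace from the secret, and computes the RFC 6238 code; the sample URI is constructed, its key is the RFC 6238 test key, and the function names are illustrative.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the secret is lower-case, grouped with spaces and has
# trailing spaces, as it might look after a copy and paste.
SAMPLE_URI = ("otpauth://totp/Example:alice?secret=gezd%20gnbv%20gy3t%20qojq"
              "%20gezd%20gnbv%20gy3t%20qojq%20%20&issuer=Example&digits=8")

def normalize_secret(raw):
    """Remove pasted whitespace and padding, then decode the base32 secret."""
    cleaned = "".join(raw.split()).rstrip("=").upper()
    if not cleaned:
        raise ValueError("empty OTP secret")
    padded = cleaned + "=" * (-len(cleaned) % 8)   # restore base32 padding
    return base64.b32decode(padded)                # ValueError on bad input

def parse_otpauth(uri):
    """Return key bytes and parameters from an otpauth://totp/ URI."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "secret" not in query:
        raise ValueError("missing secret parameter")
    algorithm = query.get("algorithm", "SHA1").upper()
    if algorithm not in ("SHA1", "SHA256", "SHA512"):
        raise ValueError("unsupported algorithm: " + algorithm)
    digits = int(query.get("digits", 6))
    period = int(query.get("period", 30))
    if not 6 <= digits <= 8 or period <= 0:
        raise ValueError("invalid digits or period")
    return {"key": normalize_secret(query["secret"]), "algorithm": algorithm,
            "digits": digits, "period": period}

def totp(params, unix_time):
    """RFC 6238 code for the given time, zero-padded to the digit count."""
    counter = struct.pack(">Q", int(unix_time) // params["period"])
    digest = getattr(hashlib, params["algorithm"].lower())
    mac = hmac.new(params["key"], counter, digest).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** params["digits"]).zfill(params["digits"])

if __name__ == "__main__":
    print(totp(parse_otpauth(SAMPLE_URI), 59))
```

Normalizing at save time rather than only at generation time means other clients reading the same database entry see a clean secret.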
I just finished the feature. It was not easy but I managed several cases.
Available in the 2.5.0.0beta24 version. If some OTP generation elements do not work, thanks for opening a new issue. ;)
Expected Behavior
Able to copy TOTP tokens
Current Behavior
No support for TOTP. If you try to log in to an account with TOTP, you need to use an external app or are unable to log in.
Version
KeePass DX: 2.5.0.0beta7-libre Android: 8.1.0