kee-org / browser-addon

Kee adds free, secure and easy password management features to your browser which save time and keep your private data more secure.
https://www.kee.pm
449 stars 39 forks

Add function to copy/fill in (T)OTP passwords to browser addon #335

Open ushuc opened 5 months ago

ushuc commented 5 months ago

KeePass supports OTP/TOTP (One Time Password / Timebased One Time Password) functionality for two factor authentication. When a website I want to log in to requests this TOTP, I have to go to the KeePass program to copy the (T)OTP. It would be great if the Kee browser plugin could show, copy and fill in this (T)OTP, like it does with regular passwords.


CennoxX commented 5 months ago

@ushuc It may not be as easy as for password and username, but it is already possible to copy and fill TOTPs: you have to go to the Kee tab of the entry, then to Form fields, where you can add any value you want, including fields like {TIMEOTP}. There you can add the HTML id and/or name attribute of the TOTP field (in GitHub's case it is app_otp and app_totp).

All fields you add above are shown in the addon.

The text field name or ID must be also filled in the addon settings (1) > (2) > Finding forms > Include List > Text field name/ID so they can be filled automatically.

ushuc commented 3 months ago

Cool, thanks! I followed your tutorial, but the add-on always fills in the name of the variable "{TIMEOTP}" as text instead of the code that is behind this variable. Where your code "399968" is shown, the add-on shows "{TIMEOTP}" in my case. What did I do wrong?

CennoxX commented 2 months ago

@ushuc It seems you don't have placeholders for the browser addon enabled. For this, you'll have to open KeePass > File > Database Settings… > Kee > KeePass placeholders > click on Enable, or enable KeePass placeholders for the individual form fields, see: https://forum.kee.pm/t/placeholder-handling/1100 Note that version 2 of keepassrpc might have a bug (https://github.com/kee-org/keepassrpc/issues/147) where placeholders only work if enabled from the individual form fields.
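The placeholder behaviour the two comments above describe, as an added example that is not Kee's or KeePass's own code: an RFC 6238 TOTP routine plus a resolver that shows why a form field set to {TIMEOTP} is filled in literally while placeholder handling is disabled and becomes the current code once it is enabled. The TimeOtp-* names are KeePass's documented entry strings; the sample entry and its seed (the RFC 6238 test secret) are constructed here.

```python
import base64
import hashlib
import hmac
import re
import struct
import time
from typing import Dict, Optional

# Matches the KeePass placeholder that was being filled in as literal text.
PLACEHOLDER = re.compile(r"\{TIMEOTP\}", re.IGNORECASE)

# Constructed sample entry. The keys are KeePass's TimeOtp-* entry strings;
# the secret is the RFC 6238 test seed "12345678901234567890" in Base32.
ENTRY_STRINGS: Dict[str, str] = {
    "TimeOtp-Secret-Base32": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
    "TimeOtp-Length": "6",
    "TimeOtp-Period": "30",
    "TimeOtp-Algorithm": "HMAC-SHA-1",
}


def totp(secret: bytes, unix_time: int, digits: int = 6, period: int = 30,
         algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226 dynamic truncation) over the time step."""
    counter = struct.pack(">Q", int(unix_time) // period)
    digest = hmac.new(secret, counter, getattr(hashlib, algorithm)).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def expand_form_field(value: str, entry: Dict[str, str], placeholders_enabled: bool,
                      unix_time: Optional[int] = None) -> str:
    """Resolve {TIMEOTP} in a Kee form-field value.

    Placeholders disabled: the literal text is returned (the reported symptom).
    Placeholders enabled: the current TOTP code replaces it.
    """
    if not placeholders_enabled or not PLACEHOLDER.search(value):
        return value
    secret = base64.b32decode(entry["TimeOtp-Secret-Base32"], casefold=True)
    digits = int(entry.get("TimeOtp-Length", "6"))
    period = int(entry.get("TimeOtp-Period", "30"))
    # "HMAC-SHA-1" -> "sha1", "HMAC-SHA-256" -> "sha256" (hashlib names)
    hash_name = entry.get("TimeOtp-Algorithm", "HMAC-SHA-1").lower()
    hash_name = hash_name.replace("hmac-", "").replace("-", "")
    now = int(time.time()) if unix_time is None else unix_time
    return PLACEHOLDER.sub(totp(secret, now, digits, period, hash_name), value)
```

Calling `expand_form_field("{TIMEOTP}", ENTRY_STRINGS, placeholders_enabled=False)` returns the literal "{TIMEOTP}", which is exactly what gets typed into the site's OTP field when the database or field has placeholders off.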

luckyrat commented 2 months ago

Yeah you should only enable Placeholders on the specific fields you require rather than the entire database, but if you already have hundreds from much older databases, the "Database Settings" option can be a good temporary measure. I'll fix the bug in v2 but won't promise to keep that database-wide feature around forever.

ushuc commented 2 months ago

Thanks again for the explanation. I will go for the specific fields rather than the entire database for security reasons.

In the mentioned blog post https://forum.kee.pm/t/placeholder-handling/1100 it is stated that

For example, the KeeOTP plugin allows you to store the information required to use your KeePass database as a 2nd factor authentication token.

This essentially guarantees account compromise if your password database is compromised, negating one of the protections of multiple factor authentication.

KeePass has had this TOTP function built in since I don't know when. But when this function is built into password managers by default, it encourages users to store their second factor inside the password databases where their "first" factors (user name and password) are stored, too. Funny to see how an entire category of software (password managers) weakens this second factor concept by storing it together with the first factors.

CennoxX commented 2 months ago

Using KeePass with stored TOTP does not inherently compromise the principle of two-factor authentication; it just redefines the factors involved. The knowledge factor is now represented by the KeePass password, while the possession factor is no longer the authenticated phone but access to the KeePass database file and access to the KeePass key file.