libkeepass / pykeepass

Python library to interact with keepass databases (supports KDBX3 and KDBX4)
https://pypi.org/project/pykeepass/
GNU General Public License v3.0

Implement framework for flexible 2FA #373

Closed BryanJacobs closed 4 months ago

BryanJacobs commented 6 months ago

This adds support for using the hmac-secret FIDO extension to contribute keying material for a KeePass 4 file.

It does this by storing an additional XML statekeeping blob in the outer ("public") header. This blob is designed to hold a variety of different authentication factors, such as passwords, key files, and YubiKey challenge-response devices.

The implementation here has support for passwords (primitively - no brute-force resistance), key files, and FIDO2 authenticators. It contains documentation about the changes to the KeePass file format, and tests covering the basic functionality.

It adds a dependency on python-fido2 to perform actual FIDO2 operations with connected PC/SC or USB-HID authenticators.
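A sketch of the idea described above, added as an example and not code from this pull request: an hmac-secret output derived from a salt kept in the public header is mixed into the database key as one more factor. The authenticator is simulated in software (the PR uses python-fido2 with real hardware), and the function names, the way the FIDO output joins the composite key, and all sample values are assumptions; the PR's actual header blob format is not shown on this page.

```python
import hashlib
import hmac
from typing import Optional


def hmac_secret(cred_random: bytes, salt: bytes) -> bytes:
    """Simulated authenticator. CTAP2 hmac-secret returns
    HMAC-SHA256(CredRandom, salt); CredRandom never leaves the device."""
    if len(salt) != 32:
        raise ValueError("hmac-secret salts are exactly 32 bytes")
    return hmac.new(cred_random, salt, hashlib.sha256).digest()


def composite_key(password: str, fido_output: Optional[bytes] = None) -> bytes:
    """KDBX-style composite key: SHA-256 over the concatenated factor hashes.
    Appending the FIDO output as an extra factor is an assumption of this sketch."""
    parts = [hashlib.sha256(password.encode("utf-8")).digest()]
    if fido_output is not None:
        parts.append(hashlib.sha256(fido_output).digest())
    return hashlib.sha256(b"".join(parts)).digest()


def unlock(password: str, header_salt: bytes, device_secret: bytes,
           expected_key: bytes) -> bool:
    """Re-derive the key from the public salt plus the device response.
    Comparing against expected_key stands in for the header HMAC check
    a real KDBX4 reader performs after key derivation."""
    candidate = composite_key(password, hmac_secret(device_secret, header_salt))
    return hmac.compare_digest(candidate, expected_key)


# Constructed sample values (not from the PR).
ENROLLED_DEVICE = hashlib.sha256(b"constructed CredRandom, device A").digest()
OTHER_DEVICE = hashlib.sha256(b"constructed CredRandom, device B").digest()
HEADER_SALT = hashlib.sha256(b"constructed salt kept in the public header").digest()
PASSWORD = "correct horse battery staple"

# Key the database would be protected with at enrollment time.
DB_KEY = composite_key(PASSWORD, hmac_secret(ENROLLED_DEVICE, HEADER_SALT))

if __name__ == "__main__":
    print("enrolled device:", unlock(PASSWORD, HEADER_SALT, ENROLLED_DEVICE, DB_KEY))
    print("other device:   ", unlock(PASSWORD, HEADER_SALT, OTHER_DEVICE, DB_KEY))
    print("password only:  ", composite_key(PASSWORD) == DB_KEY)
```

The salt can sit in the unencrypted header because it is useless without the device-held secret: an attacker who has the file and the password still cannot reproduce the key.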

Evidlo commented 4 months ago

Closes #311

This looks good so far. I'll ask to move the contents of multifactor_auth.rst into a new section in the README as that's where our examples currently live.

I'll hold off on merging until the thread over at keepassxc is mostly resolved.

BryanJacobs commented 4 months ago

Sorry, accidentally auto-closed as I updated my branch. I will reopen this momentarily with your requested changes.