pfn / keepasshttp

KeePass plugin to expose password entries securely (256bit AES/CBC) over HTTP
GNU General Public License v3.0

Add TOTP support #339

Open ghost opened 7 years ago

ghost commented 7 years ago

Hi,

it would be nice to add 2FA capability to keepasshttp. I recently changed most of my services to 2FA. E.g. my firewall is OTP enabled, the credentials come with keepasshttp, the TOTP token by another plugin; I need to create and copy this manually and then paste it into the password field (in this example before the password).

Maybe the handling of the fields under advanced tab would be a proper solution. Like fill in a password like {totp}{password} in my case. Somehow the totp creation needs to be triggered.

best

Dan

chrestomanci commented 7 years ago

+1 this is a good idea.

However, I don't think that it should be the default, and the docs for the feature should include some warning about its use, because if the user stores both the password and the RFC4226 (TOTP) secret in the same keepass DB, they will lose some of the security benefits of 2FA.

We should advise users to think carefully before storing their 2FA key material in keepass, and consider the likely attack methods. For the highest value accounts, and those where theft of the keepass DB is a risk, it would be best to use a separate app to provide the 2FA one time code.
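The two points above, Dan's proposed `{totp}{password}` field template and chrestomanci's warning about keeping the OTP secret next to the password, as an added example that is not part of this thread and not KeePassHttp's own code. It implements RFC 4226 HOTP and RFC 6238 TOTP (TOTP is the time-based profile built on HOTP) with the standard library only, then expands the template from a constructed stand-in for a KeePass entry. The entry dict, the field names `password` and `totp_secret`, the function names and the sample password are all assumptions made for this illustration; the secret is the RFC test-vector key, so the codes can be checked against the RFC tables.

```python
"""Added example: RFC 6238 TOTP plus a {totp}{password} template resolver.

Not from the KeePassHttp project. Entry layout and function names are
assumptions for illustration only.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then
    dynamic truncation (low nibble of the last MAC byte picks the offset)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits, algo)


def decode_base32_secret(encoded: str) -> bytes:
    """Decode the base32 secret form used in otpauth:// URIs; tolerate
    lowercase, embedded spaces and missing '=' padding."""
    cleaned = encoded.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def resolve_template(template: str, entry: dict,
                     unix_time: Optional[int] = None) -> str:
    """Expand {totp} and {password} in a field template using one entry.

    'entry' is a constructed stand-in for a KeePass entry that stores the
    password and the TOTP secret side by side. Note what that implies:
    whoever can read this dict (a leaked and cracked DB, an unlocked
    KeePass left unattended) can compute every future code, so both
    factors fall together.
    """
    if unix_time is None:
        unix_time = int(time.time())
    values = {
        "password": entry["password"],
        "totp": totp(decode_base32_secret(entry["totp_secret"]), unix_time),
    }
    out = template
    for key, val in values.items():
        out = out.replace("{" + key + "}", val)
    return out


# Constructed sample entry. The secret is the RFC 4226/6238 test-vector key
# "12345678901234567890" in base32; the password is made up.
SAMPLE_ENTRY = {
    "password": "hunter2",
    "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
}

if __name__ == "__main__":
    # At unix time 59 the RFC 6238 table gives 94287082 (8 digits), so 287082.
    print(resolve_template("{totp}{password}", SAMPLE_ENTRY, unix_time=59))
    print(resolve_template("{password}{totp}", SAMPLE_ENTRY))
```

The concatenation order is just a template choice (Dan's firewall wants the code first, milux's GitLab wants it appended), which is why the resolver substitutes placeholders instead of hard-coding a layout. Nothing in the resolver needs anything beyond the stored secret to produce a valid code, which is the concrete form of the concern above.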

Riajyuu commented 6 years ago

@chrestomanci Since KeePass uses AES256 and allows users to generate a key file, it is REALLY UNLIKELY to have a DB cracked, though, once cracked, both TOTP secrets & passwords are lost.

In that case, I think that, for general passwords strength allowed on Websites, it is more likely that users' passwords get hacked by third parties. This feature is reasonable in this case.

Correct me if I'm wrong.

chrestomanci commented 6 years ago

@Rictusempra The AES256 encryption on KeePass can easily be broken if the user is foolish. He might use a weak password that can be guessed, he might tell the password to his wife, or use the same password on another system. He might leave KeePass open and unlocked on his computer, and then leave it unattended. He is unlikely to use a key file.

In short, my concern is not that an adversary will mount a successful cryptanalysis of AES256, or even guess the password (is it stretched?) but will instead gain access to an unencrypted database because the user is careless.

If you think about it, if users were never careless and always chose strong and unique passwords there would be little need for two factor authentication. Seeing as they often are careless, let's be careful about when we weaken that security measure.

milux commented 6 years ago

Any progress on this? Would be very useful to me for a particular application: I use a GitLab installation that enforces TOTP tokens to be appended to the given password. This is super-annoying, as I have a FIDO U2F key registered there, so I'm doing a 3-factor authentication without any real benefits...

Currently, I bypass KeePassHTTP for this particular website, because I can only use the {TOTP} placeholder in the auto type sequence. Would be really nice if there was a more comfortable way...

ghost commented 6 years ago

I think this project is dead, I switched to KeePassXC, it has built-in browser integration plus its own plugin for firefox/chrome and is more secure. I didn't try things with OTP, because I'm using a yubikey for OTP right now.