N-factor authentication
KeePassDX can use several types of factor to identify you and unlock a database file:
- master password
- keyfile
- hardware key
The integration of authentication by physical keys is under study.
These factors are all optional and can be combined with each other. The number of factors you use to open the database determines the overall level of authentication that protects it.
- If you are using a master password and a keyfile, you are therefore using 2-factor authentication.
- If you are using a master password, a keyfile and a hardware key, you are therefore using 3-factor authentication.
- If you are using a single master password, you are therefore using only one factor.
- It is possible to use no factor at all, but in this case the database is not protected.
A database can only be opened with the credentials you provided; there is no recovery for a lost password, so be careful not to lose your access.
Master password
The master password is the most commonly used factor; it is recommended to always use one.
The choice of the master password matters because it is the first bulwark against unwanted decryption of your file. It must therefore be chosen with care so that it is difficult to guess but relatively easy to remember.
Keyfile
The keyfile should not be overlooked as it increases the level of security if you already use a password.
A keyfile can be any file, but it is recommended to use a file with no extension or with a .bin extension: some file types are interpreted and modified by the Android system, and a keyfile altered that way will no longer work. (See issue #1188)
A hash of the file is computed to obtain a unique identifier, so it is recommended to use a file that contains unpredictable data.
Caution: A keyfile must not be modified because its hash would become different.
The keyfile behaves like a normal file and follows the same reading rules (through a file provider) as a database file in KeePassDX, so you can use any file manager you want. For example, to put your keyfile in a secure place, you can use Anemo.
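As an added example (not KeePassDX's own code), the following Python shows how the factors described above are combined into one composite key under the KeePass 2.x convention that compatible clients follow: each factor contributes a 32-byte value (the keyfile through its hash, which is why it must never change), and the concatenation is hashed again. The hardware-key factor and XML keyfiles are left out, and the keyfile bytes are constructed for the demonstration.

```python
import hashlib
import re
from typing import Optional

HEX64 = re.compile(rb"^[0-9A-Fa-f]{64}$")


def keyfile_key(data: bytes) -> bytes:
    """Derive the 32-byte key contributed by a keyfile (KeePass 2.x convention).

    A 32-byte file is used as-is, a 64-hex-character file is decoded, and any
    other file is reduced to its SHA-256 hash. XML keyfiles are not handled here.
    """
    if len(data) == 32:
        return data
    if len(data) == 64 and HEX64.match(data):
        return bytes.fromhex(data.decode("ascii"))
    return hashlib.sha256(data).digest()


def composite_key(password: Optional[str] = None, keyfile: Optional[bytes] = None) -> bytes:
    """Combine the optional factors into the single 32-byte composite key.

    Each factor contributes 32 bytes (the password as SHA-256 of its UTF-8 form)
    and the concatenation is hashed again, so every factor influences the result
    and a missing or altered factor yields a completely different key.
    """
    parts = []
    if password is not None:
        parts.append(hashlib.sha256(password.encode("utf-8")).digest())
    if keyfile is not None:
        parts.append(keyfile_key(keyfile))
    if not parts:
        raise ValueError("no factor given: the database would not be protected")
    return hashlib.sha256(b"".join(parts)).digest()


def factor_count(password: Optional[str] = None, keyfile: Optional[bytes] = None) -> int:
    """Number of factors in use, as counted on this page (password, keyfile)."""
    return sum(x is not None for x in (password, keyfile))


if __name__ == "__main__":
    kf = bytes(range(32))  # constructed sample keyfile: 32 bytes of raw key data
    k2 = composite_key("correct horse", kf)
    # Changing a single byte of the keyfile changes the composite key entirely.
    k2_modified = composite_key("correct horse", kf[:-1] + b"\x00")
    print(factor_count("correct horse", kf), k2.hex(), k2 != k2_modified)
```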
Mistakes
A keyfile is not a database file! If you use your database file as its own keyfile, the database becomes unusable. It’s like locking a safe with a key and then storing that key inside the same safe…
Hardware Key
It is possible to use a physical key to require an external user action to unlock the database. For more information on this unlocking factor, you can consult the dedicated page.
Advanced unlocking
Advanced unlocking is only an aid for opening a database and cannot be considered a master unlocking system for KeePass files (the database format is left untouched in order to keep compatibility with all clients).
Internally, this method encrypts the credentials with a strong cipher whose key is held in the phone’s internal keystore, which securely ties the unlock to biometric recognition or device unlocking. Depending on the user’s needs, the encrypted content is either kept only temporarily in volatile memory or stored persistently.
Remember credentials
What will happen to the entries saved in the database if the credentials are forgotten or lost? This question should be answered when the database is created, and it’s up to you to set up a suitable backup system for your credentials.
You can discuss it with your loved ones and prepare a sealed letter with the master password written inside and / or a USB key holding the keyfile; it’s up to you to decide how much of a reminder to keep.
It is also important to keep access to your database file itself by performing regular backups.