A one-time password (OTP) field can be created in your entry,
but this feature is only available with databases in version 2.
KeePassDX is compatible with the algorithms:
- HMAC-based one-time password (HOTP). Algorithm that generates a single token from a secret key and a counter. – standard RFC 4226
- Time-based one-time password (TOTP). Algorithm that generates a token every x secondes from a secret key depending on the current time. – Standard RFC 6238 and steam.
2FA Token Generator
Thanks to the TOTP generation function, it is possible to use the KeePassDX app as a token generator for external services using two-factor authentication (2FA).
Please note: Authentication with several factors does not necessarily mean TOTP.
Indeed, 2FA is a concept which is also used for unlocking a KeePass database. If a database is encrypted with a password and a keyfile, the database uses two authentication factors.
Not to be confused with the generation of tokens by KeePassDX, used to open external accounts (Google, Amazon, etc.)
Configuration
The secret key is an important element! This is sensitive data that allows you to unlock the associated service using a generated token.
It is not recommended to store this secret key and the password of the same service in the same KeePass database. (It would be like having a door with 2 locks but putting the 2 keys on the same keychain.)
For example, if you have a two-factor Google authentication, it is recommended to have two KeePass databases. In the first, your Google password, and in the second, the secret key that generates the TOTP token.
QR Code
KeePassDX can use the links generated by QR codes to register new OTP keys. But KeePassDX does not contain a QR code reader, other apps are dedicated to that and do the job very well.
So you just have to use your favorite code reader app (ie: QR & Barcode Scanner) and share the link to KeePassDX:
- Scan your QR code with a compatible app
- Share the link to KeePassDX (ie: “share as text”)
- KeePassDX switches to “Save” mode, open your database if necessary
- Select or create an entry (the otp field of the entry is automatically filled)
- Save the entry
- Voilà! The OTP token is automatically generated
- Check that your QR code reader app does not have a history, if so, delete the data.
Manually
You can also extract the parameters (secret key, algorithm, period, digits) manually from the otpauth link and copy it into the fields provided. If some parameters are not indicated, simply leave those of the default form.
HOTP
TOTP
TOTP Steam
Steam unfortunately does not use the standardized TOTP algorithms, but instead a custom one.
This special algorithm has been implemented in KeePassDX and is configurable in the Pro version!
Autofill
The autofill of OTP tokens is very complicated and cannot be generalized because most forms do not use a standardized format and different metadata, so it is not possible to identify the fields to be filled in.
To overcome this problem, the most efficient solution is to copy the OTP token directly from the list of entries in KeePassDX (make sure the Settings - Appearance - Show OTP Token
is activated)