To integrate 2FA with KeePass, perform the following steps:

  1. Enable 2FA in settings and save it. If the 2FA installation link button is not visible, refresh the page to see it.

  2. Copy the link and extract the secret key from it. Example: otpauth://totp/Lemmy.world:echo0618?secret=XXXXXXXXXXXXXXXXXXXXXXX&algorithm=SHA256&issuer=Lemmy.world Here, secret key = XXXXXXXXXXXXXXXXXXXXXXX

  3. Go to KeePass and set up your TOTP with the secret key, using the custom settings to generate the key with Algorithm = SHA-256 and keeping the other settings unchanged.

https://lemmy.world/pictrs/image/ace6eb80-daf0-4dcb-9a45-919ae9e74e4e.png

  4. Save the TOTP changes. Go to incognito mode and log in.
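
The following is an added example, not part of the original post: it parses an otpauth:// link into the settings a password manager asks for and computes the RFC 6238 code, so the value KeePass shows can be cross-checked before logging out. The sample link is constructed from the public RFC 6238 SHA-256 test key, and the issuer and account names in it are placeholders.

```python
import base64, hashlib, hmac, struct
from urllib.parse import urlparse, parse_qs

ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

# Constructed sample link: the secret is the public RFC 6238 SHA-256 test key,
# not a real account secret; issuer and account name are placeholders.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890123456789012").decode().rstrip("=")
SAMPLE_URI = ("otpauth://totp/Example:alice?secret=" + SAMPLE_SECRET +
              "&algorithm=SHA256&digits=8&issuer=Example")

def parse_otpauth(uri):
    """Return the TOTP settings carried by an otpauth://totp link."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp link")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    if "secret" not in q:
        raise ValueError("link has no secret parameter")
    # When a parameter is absent, authenticator apps assume SHA-1, 6 digits, 30 s.
    algorithm = q.get("algorithm", "SHA1").upper()
    if algorithm not in ALGORITHMS:
        raise ValueError("unsupported algorithm: " + algorithm)
    return {"secret": q["secret"], "algorithm": algorithm,
            "digits": int(q.get("digits", 6)), "period": int(q.get("period", 30))}

def totp(cfg, now):
    """Compute the code for Unix time `now` (RFC 6238 over RFC 4226 truncation)."""
    secret = cfg["secret"].upper().replace(" ", "")
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))  # restore stripped padding
    counter = struct.pack(">Q", int(now) // cfg["period"])     # time step as 8-byte big-endian
    mac = hmac.new(key, counter, ALGORITHMS[cfg["algorithm"]]).digest()
    offset = mac[-1] & 0x0F                                    # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** cfg["digits"]).zfill(cfg["digits"])

if __name__ == "__main__":
    import time
    cfg = parse_otpauth(SAMPLE_URI)
    print("settings to enter:", cfg)
    print("code now:", totp(cfg, time.time()))
    # Same secret with the algorithm left at SHA-1 yields a different code,
    # which is why step 3 sets Algorithm = SHA-256 explicitly.
    print("code if left at SHA-1:", totp(dict(cfg, algorithm="SHA1"), time.time()))
```

If the code computed here and the one KeePass displays disagree, compare the algorithm setting and the system clock first.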
  • narwhal · 10 upvotes · 1 year ago

    While it’s possible, I believe it’s still best to separate your passwords and 2FA.

    Saving both in one place kinda defeats the purpose of 2FA.

    • marmarama@lemmy.world · 2 upvotes · 1 year ago

      Agreed, don’t do this. If your system is compromised, then the moment you unlock your KeePass database, even just once, the attacker now has both your passwords and your TOTP keys and can impersonate you anywhere.

      Where I work we are phasing out TOTP in favour of FIDO2 keys, and the ability for users to store TOTP keys in a password database alongside their passwords is one of the key reasons.

  • JakenVeina@lemm.ee · 2 upvotes · 1 year ago

    Been using KeePass for over a decade now and didn’t realize it could do this. Thanks for the tip.

  • TurnItOff_OnAgain@lemmy.world · 2 upvotes · 1 year ago

    Just a note that 2fa wouldn’t have helped with the most recent vulnerability. The attackers were grabbing your already authenticated session and re-using that.