Keepass + 2FA + Google Authenticator

I need some help here
I need to use KeePass with 2FA in a way that works on all OSes (Win10, iOS, macOS, Linux). Does someone already have this setup?
My issues with something I am trying to get working:

  1. Google Authenticator-generated OTPs are not working with OtpKeyProv
  2. Even if it worked, I can't use this solution in any iOS app around KeePass (I am using Strongbox)

I already lost access to my KeePass DB, so I am kind of working on resetting my passwords.

In all honesty, KeePass isn't really valuable with OTP-based 2FA; the OTP doesn't actually go into decrypting the data, since it can't due to limitations of cryptography, and it relies on the client software being honest in actually checking it after decryption (since it's F/OSS it's easy to strip it out).
If you really want 2FA that actually works with KeePass for the decryption, you need to use key files. You would keep the key file on a thumb drive or another mechanism when generating the database. You would then provide both your master password and the key file.

There are also modes for using things like smart cards, but the support across platforms would be a nuisance, especially on iOS.

-Jim

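To make the distinction in the reply above concrete (a key file is mixed into the decryption key, an OTP check is not), here is an added example, not code from this thread or from KeePass itself. It follows the KeePass 2.x (KDBX) composite key construction: every supplied component is reduced to 32 bytes with SHA-256 and the composite key is SHA-256 over the concatenated component hashes. The per-database KDF that KeePass then applies (AES-KDF or Argon2) is deliberately left out, and XML-format key files are not handled; both are stated assumptions of this example, as is the constructed password and key file data.

```python
"""Added example (not from the thread, not KeePass code): KeePass 2.x style
composite key from a master password plus an optional key file.

Assumptions: SHA-256 per component, SHA-256 over the concatenation; the
database KDF (AES-KDF/Argon2) that follows is omitted; XML key files are
not handled; sample password and key file bytes are constructed."""
import binascii
import hashlib
import os
from typing import Optional


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def generate_key_file() -> bytes:
    # A fresh 32-byte random key file, the kind you would keep on a thumb
    # drive at database creation time (as the reply above suggests).
    return os.urandom(32)


def password_component(password: str) -> bytes:
    # Master password component: SHA-256 of the UTF-8 encoded password.
    return sha256(password.encode("utf-8"))


def key_file_component(data: bytes) -> bytes:
    """Key file component, following the non-XML cases of KeePass 2.x:
    a 32-byte file is used verbatim, a 64-character hex file is decoded,
    anything else is SHA-256 hashed."""
    if len(data) == 32:
        return data
    if len(data) == 64:
        try:
            return binascii.unhexlify(data)
        except (binascii.Error, ValueError):
            pass  # not hex: fall through and hash the raw contents
    return sha256(data)


def composite_key(password: Optional[str], key_file: Optional[bytes]) -> bytes:
    """SHA-256 over the concatenated component hashes. Only components that
    are actually supplied take part, so the same password with and without
    a key file (or with a different key file) gives a different key, and
    there is nothing for a dishonest client to 'skip'."""
    parts = b""
    if password is not None:
        parts += password_component(password)
    if key_file is not None:
        parts += key_file_component(key_file)
    if not parts:
        raise ValueError("at least one key component is required")
    return sha256(parts)


if __name__ == "__main__":
    # Constructed demo values: a weak password and a generated key file.
    password = "hunter2"
    key_file = generate_key_file()
    real_key = composite_key(password, key_file)
    # Attacker has the .kdbx and the password (keylogger), but not the file.
    without_file = composite_key(password, None)
    wrong_file = composite_key(password, generate_key_file())
    print("composite key       :", real_key.hex())
    print("password only       :", without_file.hex(), "(matches:", without_file == real_key, ")")
    print("password + wrong key:", wrong_file.hex(), "(matches:", wrong_file == real_key, ")")
```

Usage: run it as a script; the two "matches" lines print `False`, which is the whole argument for key files. In a real KDBX file the composite key above is then stretched by the configured KDF before it becomes the encryption key, but nothing about that step changes which components are in it.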

So that means the OtpKeyProv plugin doesn't work as part of the composite key? I thought it should, because all it does is provide a key file to be used, which can be accessed/opened using a counter-based OTP.

The solution I require is that I need master key + key file to work, but I need the key file to be in some other cloud drive (this is to be used on iOS) which is accessible only via 2FA.

I believe this solution is user-friendly and a bit stronger defense for a password manager.

The problem is that to validate the OTP it needs the seed. Since the seed has to be outside the encrypted data set so that OtpKeyProv can read it to then decrypt the data set, it might as well be useless, since it can simply be read and used to generate a new token.

Whilst that plugin exists, it assumes that the local KeePass client is always honest when the database is being opened. In reality this is far from the case, as someone with a stolen database and password can simply use a client that doesn't validate it, since it is not part of the cryptographic secret, because the authenticator seed is with the DB.

Use an HSM if you really need this level of security for a locally opened database, as you apparently have a threat model involving keyloggers. In the end, when it comes to password managers using offline databases like KeePass, this is a limitation of how secrets can be handled.
Heck, even LastPass and other services with 2FA do not even use it for the database; they use it just to authenticate the user before sending the DB down for decryption using the user's password.
You can use a YubiKey in smart card mode and x.509 certs with a plugin like this: https://github.com/BodnarSoft/KeePass-Smart-Certificate-Key-Provider
This actually would provide key material only with the HSM. The problem is running it across all platforms.

It is not any additional level of security for the typical local password manager; you are in fact just adding additional attack surface by using the plugin. The only use case I've ever found for that plugin is a situation where the KeePass install is on a computer that is locked down sufficiently to prevent the encrypted database from being removed, in which case the specific KeePass installation is enforced.
This is not feasible when synchronizing across devices.
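The replies above argue that an OTP seed stored beside the database gives an attacker nothing to overcome, because whoever reads the seed can mint valid codes. As an added example (not code from this thread and not OtpKeyProv's implementation), here is RFC 4226 HOTP and RFC 6238 TOTP computed from a Google Authenticator style Base32 seed, with a verifier and an "attacker" function that produces the same codes from the seed alone. The assumptions: HMAC-SHA1, 6 digits and a 30-second step (Google Authenticator's defaults), and a constructed seed that is the RFC 4226 test secret rather than any real account.

```python
"""Added example (not from the thread, not OtpKeyProv code): HOTP (RFC 4226)
and TOTP (RFC 6238) from an authenticator-style Base32 seed, showing that
holding the seed file is the same as holding the authenticator.

Assumptions: HMAC-SHA1, 6 digits, 30-second step; the seed below is the
RFC 4226 test secret "12345678901234567890" in Base32 (constructed)."""
import base64
import hashlib
import hmac
import struct
import time
from typing import List, Optional

# Constructed seed, in the form an authenticator app would export it.
SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_seed(seed_b32: str) -> bytes:
    # Authenticator apps accept lowercase, spaces and missing padding; normalise.
    s = seed_b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    # RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    # dynamic truncation on the low nibble of the last byte.
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    # RFC 6238: HOTP with counter = floor(unix_time / step).
    t = int(time.time()) if at is None else at
    return hotp(key, t // step, digits)


def verify_totp(key: bytes, code: str, at: int, window: int = 1, step: int = 30) -> bool:
    # The "honest client" check: accept the current step and its neighbours.
    # This is only a gate; it contributes no bytes to any decryption key.
    for k in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, at // step + k), code):
            return True
    return False


def attacker_codes(seed_b32: str, at: int, count: int = 3, step: int = 30) -> List[str]:
    """What someone holding the seed file can do: mint the codes for the
    current and upcoming time steps without ever touching the phone."""
    key = decode_seed(seed_b32)
    return [hotp(key, at // step + i) for i in range(count)]


def hotp_lookahead(key: bytes, start_counter: int, count: int) -> List[str]:
    # Counter-based variant: with the seed, every future code is computable too.
    return [hotp(key, c) for c in range(start_counter, start_counter + count)]


if __name__ == "__main__":
    key = decode_seed(SEED_B32)
    now = int(time.time())
    print("code from the authenticator app:", totp(key, now))
    minted = attacker_codes(SEED_B32, now)
    print("codes minted from the seed file: ", minted)
    print("seed-holder's code accepted?     ", verify_totp(key, minted[0], now))
```

Run as a script and the minted code is always accepted, because the verifier and the attacker are evaluating the same function over the same seed. Contrast this with a key file: the key file's bytes go into the composite key, whereas the seed here only feeds a check that a modified client can skip and that a seed holder can satisfy anyway.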