Manage 2FA with TOTP keys in KeePass

KeePass

How KeePass works as a back-up for a TOTP authenticator

A TOTP authenticator that scans QR codes makes the switch to secure 2FA log-ins and one-time passwords much easier. But what happens if the authenticator is lost? Then the only thing that helps is a backup of all keys and passwords. A password manager like KeePass manages this sensitive data for two-factor authentication.

To protect themselves from losing the TOTP authenticator, many users use PIN protection on the respective device. If this important security function of the authenticator is activated, time-based one-time passwords (TOTP) can only be generated after the PIN has been entered. However, this effective protection against misuse is only half the battle. Users must also ensure that they still have access to their accounts. For this reason, it is recommended that all keys and passwords required for two-factor authentication be backed up when a 2FA log-in is created.

REINER SCT Authenticator

Unhackable.

Hardware for two-factor authentication

The ultimate protection for your online accounts. Secure platforms like Microsoft (Office 365), Google, Amazon, PayPal, Etsy, GMX, 1&1, X, Facebook and many more.

What 2FA log-in data users should back up

For secure two-factor authentication, users need not only the classic access data such as user name and password, but also a secret key for generating the time-limited one-time passwords as a second factor. A backup of all required data should therefore include the following keys and passwords:

The simplest form of a back-up of all required 2FA credentials is therefore the encrypted management of all user names and passwords, together with the secure storage of all back-up codes and QR codes in the form of text and graphic files.

How KeePass supports 2FA log-in data backup

The most convenient and secure way to manage 2FA credentials is via a password manager like KeePass. Version 2.x of this software is available for download free of charge for Windows. Corresponding ports for other platforms such as Linux, Android, Mac OS X or iPhone and iPad are also available on the website of the open source project. A portable version of KeePass is recommended for backing up 2FA credentials. In this way, the program installation can be kept on the same storage medium, such as a USB stick, together with the back-up of the 2FA data, independent of any particular device.

The KeePass installation is quick and easy: simply create a new folder and unpack the ZIP file of the portable KeePass version. For a German user interface, the additional installation of the corresponding translation is recommended. The content of this ZIP archive is copied into the subfolder “Languages”. For the first start of the program, double-click on the program file “KeePass.exe”. The question “Enable automatic update check?” is confirmed with “Enable (recommended)” to activate the automatic check for KeePass updates. Finally, the change to the German user interface is done via “View, Change Language …” with a click on the option “German (Deutsch)”. After restarting the program, KeePass is ready for use.

To create a new password database, simply click on “File, New …” after the restart. After confirming the following message with “OK”, the user selects the file name and location of the encrypted database and then the main password for opening and decrypting. The defaults of the database settings can be accepted in the following dialog with “OK”. Now everything is ready for entering the 2FA credentials. The first account is created via “Entry, Add entry …”. The “Title”, such as “Google account (username@gmail.com)”, is only used to identify the account. Afterwards, the user name and password are entered. If you have already used KeePass to manage classic 1FA accounts, you will be familiar with all the information up to this point.

How to add QR codes and TOTP keys to KeePass

Additional recovery codes for two-factor authentication can also be entered in the “Comments” field via the clipboard. However, it is safer to store them – as well as secret TOTP keys in plain text – in the “Advanced” tab as a “String field”. After clicking on “Add”, select “Back-up codes (2FA)” as the name of the field, enter the codes under “Value” and activate the option “Protect value in process memory”. TOTP keys are saved in plain text in the same way. 

Here, however, it is recommended to use “TOTP Seed” as the name of the field so that the data can also be read later with the optional KeePass plug-in KeeTrayTOTP. TOTP keys in the form of a QR code, which are saved locally as a graphic file from the browser with a right click and the option “Save graphic as …” or via a screenshot, can be saved in KeePass in the “File attachments” area via the “Attach” button. After entering all the required account data, one click on “OK” is enough to apply all the changes. Before making any further changes, you should save the updated KeePass database by clicking “File, Save”.

Tip

Most online services not only provide their users with a QR code when they activate two-factor authentication, but also offer the option of accepting the secret TOTP key in plain text. Usually, a link like "You can't scan it?" can be found next to the QR code for this purpose.

How KeePass creates QR codes and TOTP one-time passwords

With the optional plug-in KeeTrayTOTP, KeePass also generates one-time passwords for secure 2FA log-in and QR codes for the configuration of an authenticator from the secret TOTP key in plain text. All that is required is to copy the plug-in file “KeeTrayTOTP.plgx” into the KeePass subfolder “Plug-ins”.

After installing the plug-in, its options are available from KeePass with a right-click on the respective account entry via the menu item “Tray TOTP Plug-in”. “Copy TOTP” can then be used to copy a freshly generated one-time password to the clipboard. The “Show QR” option is particularly interesting for backups. This can be used to generate a QR code of the secret TOTP key. Users of the REINER SCT Authenticator also have the option of changing the “Issuer (Title)”. This is particularly useful if the account name is not completely displayed in the REINER SCT Authenticator. The name can then be shortened via the “Issuer (Title)” in order to better distinguish it from similar accounts.
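To make clear what the plug-in computes from the plain-text seed stored in the “TOTP Seed” field, and what a QR code of that seed typically encodes (the widely used otpauth:// URI), here is an added example in Python. It is not code from KeePass or KeeTrayTOTP; the URI and the seed are constructed (the seed is the RFC 6238 test key in base32), and it assumes the service uses the SHA-1 defaults of 6 digits and a 30-second period.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample URI of the kind a 2FA QR code encodes (RFC 6238 test key).
SAMPLE_URI = ("otpauth://totp/Example:username%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")


def parse_otpauth(uri):
    """Extract seed, issuer, account, digits and period from an otpauth://totp/ URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    label = unquote(u.path.lstrip("/"))
    # The label may be "Issuer:account"; the issuer parameter takes precedence.
    issuer = q.get("issuer") or (label.split(":", 1)[0] if ":" in label else "")
    return {
        "secret": q["secret"],
        "issuer": issuer,
        "account": label.split(":", 1)[-1],
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
    }


def totp(seed_b32, for_time=None, digits=6, period=30):
    """RFC 6238 TOTP over HMAC-SHA1 from a base32 seed (the 'TOTP Seed' value)."""
    # Seeds are often shown lowercase, grouped with spaces, or without padding.
    clean = seed_b32.replace(" ", "").upper()
    key = base64.b32decode(clean + "=" * (-len(clean) % 8))
    now = time.time() if for_time is None else for_time
    counter = int(now // period)                      # time step number
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


if __name__ == "__main__":
    cfg = parse_otpauth(SAMPLE_URI)
    print(cfg["issuer"], cfg["account"], totp(cfg["secret"]))
```

If the code printed here matches what the authenticator shows for the same seed, the value backed up in KeePass is the complete secret and can be used to restore the account.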

If you don’t need this option, you can also use the much more modern program KeePassXC instead of KeePass. This software is also available in a portable Windows version and supports the management of TOTP keys as well as the generation of TOTP one-time passwords out of the box.
