Time to beef up security. Like everyone I have a large number of online accounts. They are generally secured with username and password. I use KeePass to generate unique passwords and keep track of them. There have been a lot of hacks lately. So I wanted to make my most important accounts more secure. More and more online services are adding two factor authentication, e.g. Google, Dropbox. Two factor authentication adds an additional layer of security.
You enter a one time password (OTP) in addition to your username and password.
I wanted a solution that would work on my desktop (Windows & Linux) and smartphone/tablet. This post details how I set this up both on Windows and my smartphone in conjunction with KeePass & Keepass2Android.
I chose KeePass & Keepass2Android as they are open source and have a large ecosystem of plugins and a large user base.
These instructions are provided as is. I cannot be held responsible for any security breaches. Ensure that all measures are taken to keep your master password safe and secure.
- KeePass and/or KeePass2Android setup and working.
- The KeePass plugin KeeOtp supports the TOTP standard and should work with any service that is compliant with RFC 6238 and uses HMAC-SHA1 with a 30 second time step and either 6 or 8 digits.
- The key must be provided in base32 (alphabet A-Z and 2-7). If the service doesn't provide the shared secret key in base32 (most do) then it must be converted first, e.g. from hex.
- This plugin is known to work with Google 2 Step Verification and Amazon AWS.
KeeOtp plugin installation
This plugin supports generating one time passwords for Google 2 Step Verification or any standard TOTP (Time-based One Time Password) implementation. It works by storing a shared secret key in your encrypted KeePass database and using that information together with the current time to generate rolling codes that can be entered into the verification system. Be aware of what this does to your threat model: the TOTP secret now sits in the same database as the password, so both factors fall together if the database and master password are compromised. The second factor still protects you against the common case, a password leaked at the service or phished, but it no longer protects against compromise of your KeePass database itself.
The installation of the KeeOtp plugin is straightforward.
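As an added example (not code from the original post or from the KeeOtp plugin), the following Python shows the algorithm the plugin implements: decode the base32 shared secret, HMAC-SHA1 it over the number of 30 second steps since the Unix epoch, and truncate to 6 or 8 digits per RFC 4226/6238. It also shows the hex to base32 conversion mentioned in the prerequisites, and a server-style verification with a one step clock-skew window, which is why a wrong system clock makes every code fail. The secret used is the published RFC 6238 test key, not a real account key, and the function names are my own.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 6238 test secret (ASCII "12345678901234567890") in the base32 form a
# service would display. This is a published test vector, not a real account key.
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_base32_secret(secret: str) -> bytes:
    """Decode a base32 shared secret the way services display it.

    Google shows the key in lowercase groups of four characters; base32 is
    case-insensitive and the '=' padding is usually omitted, so normalise first.
    """
    cleaned = secret.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding to a multiple of 8
    return base64.b32decode(cleaned)


def hex_to_base32(hex_key: str) -> str:
    """Convert a hex-encoded secret (some services show this) to the base32 KeeOtp expects."""
    return base64.b32encode(bytes.fromhex(hex_key)).decode("ascii").rstrip("=")


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1.

    The counter is packed as an 8-byte big-endian integer; the low nibble of the
    last digest byte selects a 4-byte window (dynamic truncation); the top bit is
    cleared; the result is reduced modulo 10^digits and zero-padded on the left.
    """
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, for_time: Optional[int] = None,
         step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second intervals
    since the Unix epoch. The defaults (SHA1, 30 s, 6 digits) match Google."""
    if for_time is None:
        for_time = int(time.time())
    return hotp(decode_base32_secret(secret_b32), for_time // step, digits)


def verify_totp(secret_b32: str, code: str, for_time: Optional[int] = None,
                step: int = 30, digits: int = 6, skew: int = 1) -> bool:
    """Server-side check: accept the code for the current step and `skew` steps
    either side to tolerate small clock drift. Every candidate is compared in
    constant time, and all candidates are evaluated before the result is combined."""
    if for_time is None:
        for_time = int(time.time())
    key = decode_base32_secret(secret_b32)
    counter = for_time // step
    matches = [
        hmac.compare_digest(hotp(key, counter + delta, digits), code)
        for delta in range(-skew, skew + 1)
        if counter + delta >= 0
    ]
    return any(matches)


if __name__ == "__main__":
    # Published RFC 6238 SHA1 vector: T=59 with 8 digits gives 94287082.
    print(totp(RFC6238_SECRET_B32, for_time=59, digits=8))
    # What KeeOtp would display right now for this key with Google's defaults.
    print(totp(RFC6238_SECRET_B32))
```

Run it as a script to print the RFC vector and a live 6 digit code; `verify_totp` models the service side, so a code from the previous 30 second step still passes, but one two steps old does not.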
- Download the latest version as a zip file from here.
- Unzip the zip file.
- Copy the KeeOtp.dll and the OtpSharp.dll into the root of the KeePass directory. On my Windows installation KeePass is located at C:\Program Files (x86)\KeePass Password Safe 2.
- Restart KeePass
Once the plugin is installed, every entry in KeePass will have a new option labeled “One Time Password” in the context menu of the entry.
KeeOtp plugin setup for Google
When enabling TOTP for a service you will be provided with a shared secret key. Often this comes in the form of a QR code; in most cases you can also get it as a base32 encoded string, which can be of varying length.
As an example we will set up two factor authentication for Google services:
- Enable two factor authentication for Google services using this link.
- You will be asked to (re)enter your Google password even if you are already logged in.
- You will be asked to provide your mobile phone number that a verification code will be sent to.
- Enter the 6 digit verification code.
- Choose if you want to trust the computer you are setting two factor authentication on. Please note you should only do this if it is your own computer and, if others have access to it, you trust them!
Get the shared secret key from Google:
- Log into the two factor authentication settings for Google services using this link.
- Add an authenticator app as a second step. Google first shows a QR code; choose the option to display the key as text instead (the exact label varies; at the time of writing it is a "can't scan" link under the barcode).
- Copy the key. It is base32, shown in lowercase groups of four characters; spaces and case do not matter.
- Leave the confirmation dialog open: Google asks you to enter one code from the authenticator before the setup is saved.
Do not confuse this key with an app-specific password. App-specific passwords (the App-specific passwords tab on the same page) are static passwords for older applications that cannot prompt for a second factor. They are not TOTP secrets, KeeOtp does not use one, and pasting one into KeeOtp produces codes that Google will reject.
Add the shared secret key to a KeePass entry:
- Open KeePass.
- Search for the Google entry.
- Right click the Google entry and select Timed One Time Password.
- Paste the base32 key you copied earlier into the text box.
- Leave Use custom settings unchecked. Google uses the TOTP defaults (SHA1, 30 second step, 6 digits); only check it for a service that uses 8 digits or a different step.
- Click the OK button.
- A dialog will be displayed with the current one time password. Enter it in the Google confirmation dialog to finish the setup. If Google rejects it, check the clock on the computer first: a code is only valid for its own 30 second step, so a clock that is off by more than a minute produces codes that are always wrong.
That's it, you have now set up two factor authentication for Google with KeePass. Next time you need a one time password for Google, just navigate to the Google entry in KeePass, right click and select Timed One Time Password.