Adding two factor authentication to KeePass & KeePass2Android

Time to beef up security. Like everyone I have a large number of online accounts. They are generally secured with username and password. I use KeePass to generate unique passwords and keep track of them. There have been a lot of hacks lately. So I wanted to make my most important accounts more secure. More and more online services are adding two factor authentication, e.g. Google, Dropbox. Two factor authentication adds an additional layer of security.

You enter an one time password (OTP) in addition to your username and password.

I wanted a solution that would work on my desktop (Windows & Linux) and smartphone/tablet. This post details how I set this up both on Windows and my smartphone in conjunction with KeePass & Keepass2Android.

I choose KeePass & Keepass2Android as they are open source and have large ecosystem of plugins and a large user base.


These instructions are provided as is. I cannot be held responsible for any security breaches. Ensure that all measures are taken to keep your master password safe and secure.


  • KeePass and/or KeePass2Android setup and working.
  • The KeePass plugin KeyOpt supports the TOTP standard and should work with any service that is compliant with RFC 6238 and uses SHA1 with a step window of 30 seconds and either 6 or 8 digits.
  • The key must be provided in base32. If the service doesn’t provide the shared secret key in base32 (most do) then it must be converted first.
  • This plugin is known to work with Google 2 Step Verification and Amazon AWS.

KeeOpt plugin installation

This plugin supports generating one time passwords for Google 2 Step Verification or any standard TOTP (Timed One Time Password) implementation. It works by storing a shared secret key in your encrypted KeePass database and using that information together with the current time to generate rolling codes that can be entered into the verification system.

The installation of the KeeOpt plugin is straight forward.

  • Download the latest version as a zip file from here.
  • Unzip the zip file.
  • Copy the KeeOtp.dll and the OtpSharp.dll into the root of the KeePass directory. On my Windows installation KeePass is located at C:\Program Files (x86)\KeePass Password Safe 2.
  • Restart KeePass

Once the plugin is installed, every entry in KeePass will have a new option labeled “One Time Password” in the context menu of the entry.

KeyOpt plugin setup for Google

When enabling TOTP for a system you will be provided with a key. Often this comes in the form of a QR code. In most cases you can also get a base32 encoded key as well. This can be of varying lenghts.

As an example we will setup two factor authentication for Google services:

  • Enable two factor authentication for Google services using this link.
  • You will be asked to (re)enter your Google password even if you are all ready logged in.
  • You will be asked to provide your mobile phone number that a verification code will be sent to.
  • Enter the 6 digit verification code.
  • Choose if you want to trust the computer you are setting two factor authentication on. Please note you should only do this if it is your own computer and if others have access to it you trust them!

Create an app specific password for KeyPass:

  • Log into two factor authentication for Google services using this link.
  • Click on the second tab App-specific passwords.
  • At the bottom click on the button Manage application-specificc passwords.
  • From the Select device drop down list select the option Other (custom name).
  • Enter the name of the device, e.g. KeyPass, and click the Generate button.
  • Copy the app-specific password and click Done.

Add the app-specific password to a KeyPass entry:

  • Open KeyPass.
  • Search for the Google entry.
  • Right click the Google entry and select Timed One Time Password.
  • Paste the app-specific password you copied earlier into the text box.
  • Check the Use custom settings check box.
  • Click the OK button.
  • A dialog will be displayed with a one time password.

That’s it you have now setup two factor authentication for Google with KeePass. Next time you need a one time password password for Google, just navigate to the Google entry in KeyPass, right click and select Timed One Time Password.


7 thoughts on “Adding two factor authentication to KeePass & KeePass2Android

  1. What’s the backup plan if something goes wrong? I don’t like having the keys to the kingdom relying on my single KeePass password. If it’s easy enough for me to remember, it ain’t secure, I’m sure.

  2. What happens if something fails in this process? What’s the backup?

    My single password to all of my KeePass passwords needs this, but I know that the more complicated, the more likely it is that something may fail when you really need it. For instance, bitcoins wallets with 2FA are decent, but paper wallets are only really vulnerable to physical damage or theft rather than online hackers.

  3. Hi Ivor. My plan is keep a copy of the master key somewhere safe. This is the normal mode of operation that I have seen in place in within large corporations were they for example have a separate keystore. You probably also could setup a certificate to unlock the Keepass. Never tried it myself though. You would still need to store is some place safe. Any thoughts on this idea?

  4. Does not work for me!
    I followed your details step by step and also checked the online help of the plugin author. By using the app pasword from Google, a code is generated, but not the right one.
    Were there some changes to the format? Any issues using this on Windows 10?

  5. Hi Jan, sorry it has been a while since I set this up. Not sure if anything has changed. If I have time I will check it out for you and get back to you.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s