A one-time password (OTP) field can be created in an entry, but this feature is only available for version 2 (.kdbx) databases.
KeePassDX supports the following algorithms:
- HMAC-based one-time password (HOTP): generates a token from a secret key and a counter that is incremented after each use (standard RFC 4226).
- Time-based one-time password (TOTP): generates a new token every x seconds from a secret key and the current time (standard RFC 6238), plus the Steam variant described below.
Thanks to the TOTP generation function, KeePassDX can be used as a token generator for external services that use two-factor authentication (2FA).
This example shows a generated TOTP token (displayed in the TOTP field) that can be used to log into a Google account.
Please note: multi-factor authentication does not necessarily mean TOTP. 2FA is also a concept used for unlocking a KeePass database: if a database is protected with a password and a key file, it uses two authentication factors. This is not to be confused with the tokens generated by KeePassDX, which are used to log into external accounts (Google, Amazon, etc.).
The secret key is the critical element! It is sensitive data: anyone who holds it can generate valid tokens for the associated service. It is therefore not recommended to store the secret key and the password of the same service in the same KeePass database (it would be like having a door with two locks but keeping both keys on the same keychain).
For example, if you use two-factor authentication for Google, it is recommended to have two KeePass databases: the first holds your Google password, and the second holds the secret key that generates the TOTP token.
Steam unfortunately does not use the standardized TOTP algorithm but a custom variant (the same HMAC-SHA1 computation, with the result written as a 5-character code over a 26-symbol alphabet instead of decimal digits). This algorithm is implemented in KeePassDX and can be selected in the Pro version!
KeePassDX does not yet read the QR codes provided by TOTP services. You can however extract the parameters (secret key, algorithm, period, digits) from the otpauth:// URI that such a QR code contains with an external code reader and copy them into the fields provided. If some parameters are not present in the URI, simply keep the default values of the form.
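As an added example (not KeePassDX code), here is how the fields KeePassDX asks for can be pulled out of the otpauth:// URI a 2FA enrolment QR code decodes to, filling in the standard defaults (SHA1, 6 digits, 30 seconds) when the URI omits them and rejecting values an OTP entry could not use. The URI in the demo is constructed; the secret in it is a throwaway value, not a real key.

```python
import base64
from urllib.parse import parse_qs, unquote, urlsplit

# Defaults of the otpauth Key URI format, the same values KeePassDX's form proposes.
DEFAULT_ALGORITHM = "SHA1"
DEFAULT_DIGITS = 6
DEFAULT_PERIOD = 30


def parse_otpauth(uri: str) -> dict:
    """Return the fields to copy into KeePassDX from an otpauth:// URI, with
    parameters the QR code omitted filled from the standard defaults.
    Raises ValueError on anything an OTP entry could not use."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth":
        raise ValueError("not an otpauth URI")
    otp_type = parts.netloc.lower()
    if otp_type not in ("totp", "hotp"):
        raise ValueError(f"unsupported OTP type: {otp_type!r}")

    # The label is "Issuer:account" (URL-encoded); the issuer may also be a query parameter.
    label = unquote(parts.path.lstrip("/"))
    label_issuer, _, account = label.rpartition(":")
    query = {k: v[-1] for k, v in parse_qs(parts.query).items()}

    if "secret" not in query:
        raise ValueError("secret parameter missing")
    secret = query["secret"].replace(" ", "").upper()
    try:
        # Only validating: the decoded bytes are never kept or printed here.
        base64.b32decode(secret + "=" * (-len(secret) % 8))
    except Exception as exc:
        raise ValueError("secret is not valid Base32") from exc

    algorithm = query.get("algorithm", DEFAULT_ALGORITHM).upper()
    if algorithm not in ("SHA1", "SHA256", "SHA512"):
        raise ValueError(f"unsupported algorithm: {algorithm!r}")
    digits = int(query.get("digits", DEFAULT_DIGITS))
    if not 6 <= digits <= 8:
        # RFC 4226 requires at least 6 digits; 8 is the largest value deployed in practice.
        raise ValueError(f"digits out of range: {digits}")

    result = {
        "type": otp_type,
        "issuer": query.get("issuer") or label_issuer.strip() or None,
        "account": account.strip(),
        "secret": secret,
        "algorithm": algorithm,
        "digits": digits,
    }
    if otp_type == "totp":
        period = int(query.get("period", DEFAULT_PERIOD))
        if period <= 0:
            raise ValueError("period must be positive")
        result["period"] = period
    else:
        # HOTP has no period; the URI must instead carry the starting counter.
        if "counter" not in query:
            raise ValueError("hotp URI must carry the initial counter")
        result["counter"] = int(query["counter"])
    return result


if __name__ == "__main__":
    # Constructed URI in the shape an enrolment QR code decodes to.
    sample = ("otpauth://totp/Example%3Aalice%40example.com"
              "?secret=JBSWY3DPEHPK3PXP&issuer=Example")
    for field, value in parse_otpauth(sample).items():
        print(f"{field:>9}: {value}")
```

Scan the QR code with a reader on a device you trust, and treat the decoded URI like the secret it contains: do not leave it in a clipboard manager, chat history or screenshot once the fields have been copied into the entry.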