Topic: [TUTORIAL] Generate 2FA with Keepass (instead of Authenticator App) (Read 631 times)

legendary
Activity: 2534
Merit: 2144
https://t1p.de/6ghrf
With news surrounding hacks and theft on PC the last thing I would want to use is an add-on or software for all my exchanges 2FA pass or codes, nope never going to happen, I'm better off with Authy or Google Auth app on playstore

Then use a PC or laptop without an internet connection, which I have mentioned in my tutorial:
you can use Keepass with an autarkic dedicated PC without Internet connection.

The other important things have already been mentioned by bob123.
legendary
Activity: 1624
Merit: 2481
With news surrounding hacks and theft on PC the last thing I would want to use is an add-on or software for all my exchanges 2FA pass or codes, nope never going to happen, I'm better off with Authy or Google Auth app on playstore

The idea behind 2FA is that you actually use a second device.

If you are using your desktop to access the exchange etc., storing the 2FA on the desktop system absolutely defeats the purpose. -> Use your mobile instead.
If you however are using your mobile (for whatever reason) to always access the exchange etc, storing the 2FA on your mobile also completely defeats the purpose -> Store the 2FA on your desktop system.


A generic answer like "I'm better off with ... on my smartphone" is wrong. It always depends on the context.
member
Activity: 490
Merit: 10
With news surrounding hacks and theft on PC the last thing I would want to use is an add-on or software for all my exchanges 2FA pass or codes, nope never going to happen, I'm better off with Authy or Google Auth app on playstore
legendary
Activity: 2534
Merit: 2144
https://t1p.de/6ghrf
Keepass is good but you can also use ...
I can recommend some too. But since this thread is not about authenticators, it doesn't matter what other systems there are. 
The point here is not to use an Authenticator app for the smartphone.

If Password Safe also offers the possibility to generate 2FA, then you are free to create a tutorial about that too. I would be happy about that.
legendary
Activity: 2044
Merit: 1018
Keepass is good but you can also use Aegis Authenticator, a decent alternative to Google Authenticator and Authy.
Keepass is very strong for generating and managing passwords: https://bitcointalksearch.org/topic/guide-how-to-create-a-strongsecure-password-5132378.
Password Safe is another one, and it has apps for Android & iOS devices.
hero member
Activity: 2268
Merit: 669
I didn't know that there is a Keepass plugin for 2FA. Nice guide. I'll try this one and see if it works perfectly fine. Thanks for sharing this wonderful guide. This will be useful when I don't have my phone near me when you need an OTP for your account on a site when you log in.
legendary
Activity: 2534
Merit: 2144
https://t1p.de/6ghrf
This tutorial was made for Keepass 2.40, and the pictures are from this version too. I am confident this should work with other versions as well, but I cannot guarantee that.

To generate a Time-based One-time Password (TOTP), many people use an authenticator app. Those apps are great, but you can do that with Keepass as well. So you can use Keepass with an autarkic dedicated PC without Internet connection. To do so, you need KeePass 2.x for Windows, macOS or Linux and the plugin KeeTrayTOTP.
That plugin is a fork of TrayTOTP, which is no longer developed. GitHub download: https://github.com/victor-rds/KeeTrayTOTP/releases. Note: Please make sure that you use a release whose release date is compatible with your Keepass version. (Example: Keepass V.2.4 was released on September 10th, 2018, so you can use TrayTOTP Version 0.95-Beta)

Save KeetrayTOTP.plgx in the folder "plugins" inside your Keepass folder. When you start Keepass, it should activate the plugin automatically (if not, the version is incompatible; please refer to my note). Activate the plugin (Tools -> Plugins), close Keepass and start it again. You will see the help file. You can read it now or later (Tools -> Tray TOTP Plugin).


If you don't like help files, continue reading.

Start by linking TOTP to an entry. Right-click the entry, choose "Selected Entries" and "Setup TOTP". (A nice gimmick of the plugin is that QR codes can be shown for the entries.)


The following window appears. There you can enter the seed, time interval, format and a URL of a time server if you use Keepass with an internet connection.


Click Finish and TOTP is already set up. If you use Keepass with an Internet connection, a right-click on the entry and "Copy TOTP" copies the current TOTP to the clipboard.


A double-click on the entry shows the new field names under Advanced.


These field names can be shown directly in the entries. To do so, go to "View", "Configure columns" and check "TOTP Seed", "TOTP Setting" and "TOTP". The entries now have these three new columns.


You can test it with a TOTP generator, https://totp.danhersam.com/ for example.

You are done. Have fun.
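Added example, not part of the original post and not code from KeeTrayTOTP: a small RFC 6238 generator in Python for checking the plugin's codes offline, so the seed never has to be entered on a website. It assumes HMAC-SHA1 and that the dialog's time interval and format correspond to the step length and number of digits; the function names are hypothetical, the sample seed is the public RFC 6238 test key, and `clock_offset` reports how many steps the clock of a PC without a time server has drifted.

```python
import base64
import hashlib
import hmac
import struct
import time

# Public RFC 6238 test key ("12345678901234567890"), never a real account seed.
RFC_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_seed(seed):
    """Decode a Base32 seed as sites display it: spaces, lower case, no padding."""
    cleaned = seed.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore stripped padding
    return base64.b32decode(cleaned)


def totp(seed, now=None, interval=30, digits=6):
    """Return the TOTP for `seed` at Unix time `now` (default: current time)."""
    if now is None:
        now = time.time()
    counter = int(now // interval)  # number of elapsed time steps
    mac = hmac.new(decode_seed(seed), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def clock_offset(seed, code, now=None, interval=30, digits=6, window=2):
    """Return the step offset (0 = in sync) at which `code` is valid, else None."""
    if now is None:
        now = time.time()
    for step in sorted(range(-window, window + 1), key=abs):
        t = now + step * interval
        if t < 0:
            continue
        if hmac.compare_digest(totp(seed, t, interval, digits), code):
            return step
    return None


if __name__ == "__main__":
    print("current code:", totp(RFC_SEED))
    # A code generated 30 seconds ago shows up as offset -1.
    print("offset:", clock_offset(RFC_SEED, totp(RFC_SEED, time.time() - 30)))
```

A non-zero offset means the code was generated one or more time steps away from this machine's clock; a result of None means the seed, interval or digit count does not match.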