KeePassXC - Configuration TOTP - MFA

Configure TOTP for MFA

I. Presentation

The KeePassXC password manager stores credentials consisting of a username and a password, and it can also generate the one-time codes (TOTP) required by multi-factor authentication. From KeePassXC it therefore becomes possible to complete a multi-factor authentication process, especially in the browser thanks to the official extension, which can fill in the form automatically with a valid code. This is what we will see in this tutorial: how to configure TOTP in KeePassXC.

II. KeePassXC: adding a TOTP to an entry

Let’s take the example of the entry “ – Administrator account“, already saved in my database with the following elements: username, password and URL. As a reminder, the URL is necessary so that the browser extension can match the entry in the KeePass database when I reach the authentication page.

To generate one-time codes for this account, the TOTP function must be configured. To do this, right-click the entry, then under “TOTP” choose “Configure TOTP“.

KeePassXC - Configure TOTP

Then, on the side of the application that supports MFA, display the usual QR code used for the setup. Normally we scan this QR code with a smartphone, but this time we need the secret key itself. In this example, the key is shown directly on the screen: I just have to copy it. In some cases, you will find a button such as “The QR code does not work” or “I cannot read the QR code” that gives access to the key.

KeePassXC - Example MFA WordPress

At this point, copy and paste the secret key into the “Secret key” field of the KeePassXC window, then click “OK“, like this:

KeePassXC - TOTP - Added secret key

Following this operation, the “TOTP” menu of KeePassXC for this entry gives access to new options: “Copy the TOTP” to copy the currently valid one-time code, or “Show TOTP” to display the code on the screen.

KeePassXC - Show TOTP

When you click on “Show TOTP“, the code is displayed, along with the time remaining before it expires and a button to copy it.

KeePassXC - Code TOTP

To finalize the configuration on the application side, enter the current code and validate. In my case, it is a test site running WordPress, equipped with a plugin to manage MFA (Tutorial – MFA under WordPress).

KeePassXC - Confirmation MFA WordPress

On the next login, provided the KeePassXC database is unlocked and the browser extension is installed, KeePassXC will offer to fill in the form with the username and password, then the TOTP code! We thus complete the two-factor authentication process almost automatically!

KeePassXC - Automatic TOTP in Browser

III. Transfer the TOTP code to your mobile

In the “TOTP” menu of KeePassXC, there is an entry named “Show QR code” which displays a window like this:

KeePassXC - TOTP - Display QR code (example)

This allows you to transfer the generation of one-time codes to another application on your mobile, whether Aegis, FreeOTP, Microsoft Authenticator, Google Authenticator, etc. Scanning it adds this account to the mobile app. As a result, the TOTP code can be generated from KeePassXC but also from the mobile application.

This method is useful for removing TOTP management from KeePassXC in order to switch to a classic mobile application, without having to reconfigure MFA at the application level. If this is your goal, you will have to go all the way: return to “Configure TOTP” for the KeePassXC entry, delete the secret key and validate (to be done only once TOTP code generation is handled elsewhere!).
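To make concrete what KeePassXC does behind the “Show TOTP” window (section II) and what the “Show QR code” window hands to a mobile app (section III), here is an added example, not code from KeePassXC or from the original article: it implements RFC 4226/6238 TOTP from a base32 secret key, returns the code together with the seconds left before it expires, and builds the otpauth:// URI that a TOTP QR code carries. The function names, the issuer/account names and the demo secret (the RFC test key, base32-encoded) are constructed for the example.

```python
import base64
import hmac
import struct
import time
from urllib.parse import quote


def decode_secret(secret_b32):
    """Decode the base32 secret as it is pasted into the "Secret key" field.
    Sites often show it in lowercase groups of four, so whitespace and case
    are normalized and the '=' padding base32 requires is restored."""
    s = "".join(secret_b32.split()).upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic
    truncation to a 31-bit integer reduced to the requested number of digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), "sha1").digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238: the code for the current 30-second time step, together with
    the seconds left before it expires (the two values "Show TOTP" displays)."""
    now = int(time.time()) if at is None else at
    return hotp(decode_secret(secret_b32), now // step, digits), step - (now % step)


def otpauth_uri(issuer, account, secret_b32, step=30, digits=6):
    """The otpauth:// URI a TOTP QR code carries (the Key Uri Format understood
    by Aegis, FreeOTP, Google/Microsoft Authenticator and others). Scanning it
    gives the mobile app the same secret, so both sides generate identical codes."""
    secret = "".join(secret_b32.split()).upper().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret}&issuer={quote(issuer)}"
            f"&period={step}&digits={digits}&algorithm=SHA1")


if __name__ == "__main__":
    # Constructed demo secret (base32 of the RFC 4226/6238 test key), not a real one.
    demo = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"
    code, left = totp(demo)
    print(f"TOTP: {code}  (valid for {left} more seconds)")
    print(otpauth_uri("WordPress", "administrator", demo))
```

Because a site and KeePassXC only agree when their clocks do, a code that the site rejects while the secret is correct usually means clock drift on one side rather than a bad key.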

IV. Conclusion

Very practical, this KeePassXC feature avoids having to use your smartphone to generate one-time codes. Nevertheless, and as I said in my article presenting KeePass and KeePassXC, having all the authentication factors in the same vault can be a risk: if someone manages to steal and unlock your KeePass database, they have everything needed to use your credentials, despite the presence of MFA.

What you can do is use two distinct KeePassXC databases: one with “user + password + URL” entries and the other with “user + TOTP + URL“ entries. I tested it, it works, but it is not as practical: you have to maintain two databases, and you have to switch databases during authentication so that the browser extension retrieves the TOTP code.
