I am surprised this did not pop up among the issues yet, but having Steam OTP support would be great. KeePassXC, Winauth and KeeTrayTOTP are supporting this, so grabbing some snippets for inspiration on how to implement it should be possible

Overview

The domain twofactorauth.org was sold, so the 2FA check doesn't work any longer. See 2factorauth/twofactorauth#5238 for details.

Steps to Reproduce

1. Visit https://twofactorauth.org

Expected Behavior

Result of check

Actual Behavior

"Checking 2FA" all the time in KeePass

Context

Would be great if you could support the new domain https://2fa.directory/ - or even better - support https://www.dongleauth.info/, too.

Hello,

during KeePassOTP setup when user is asked for masterkey secret there is a typo "secrects" instead of "secrets".

Good job on migrating from SourceForge to Github!

Now I actually might consider contributing! 😄

When I open 'Keepass 2.48.1 Portable' on my PC without Internet, I have 'KeePassOTP v0.29' error:

Error reading OTP sites: Unable to resolve remote name '2fa.directory'
https://2fa.directory/api/v2/tfa.json

What is this site? Do you collect personal information from users 'KeePassOTP'?

Hello,
I experiencing incorrect code for some website (according to them). It's rare but for a while (maybe last year).
Recently it's been Atlassian/Trello and Salesforce.
Always set with defaults (TOTP, BASE32, 6, SHA1, 30sec)
I noticed the codes generated on KeePass2Android are different and always accepted by websites
Although in some case (eg GitHub) it works (KeePass OTP code and KeePass2Android one are still different).
Hope you will be able to figure out with these little clues...
Thanks

Overview

All versions newer than 16.1 (when Google Authenticator support was added) don't work on my Ubuntu machine any more. There is an error displayed, that a newer version of the framework is required. I am using Mono JIT compiler version 6.8.0.105 (Debian 6.8.0.105+dfsg-3. There is an overview of supported .NET features in mono here.

Context

OS: Ubuntu 20.10
KeePass Version: 2.45
Plugin Version: everything > 16.1

Hi,
In my KPOTP auto-type list (right click on the KeePass icon in tray) I see items for which I didn't configure 2FA. When I open the items in my database, nothing like 2FA/OTP/KPOTP settings can be found. Can I clean up this list?
I think the "Indicate if 2FA usage is possible" option found items in my database that have the possibility to have 2FA, but I don't use 2FA on those sites. I turned this option off, but that didn't help.
Thanks in advance for your reply.

Using version 1.0.
This is on Win 10 Pro, 64 bit.
I have the column visible which says "Setup 2FA".
Some sites have that indicator.
I double click and go to the site "ssltrust.com.au" for many of them.
The entry URL's don't contain that domain.
I checked https://2fa.directory/api/v2/tfa.json for one entry, it's URL / domain does not appear, ssltrust is in the json file, I get the hint.
I am in Australia.
I uninstalled KeePassOTP by removing the plgx, switched on, then re-installed. This did not fix it.

Summary

Right now, to use this plugin, I need to go through all of my database and configure the OTP seeds for each account. However, for recovery, I store my TOTP strings consistently in a field called OTP. It would be great if there was a configuration option where you could specify such a field name, and then this plugin would automatically detect this field and use it for a seed unless a different seed had been explicitly configured for that entry.

To be clear, I routinely store my OTP seeds like this in a field called OTP (THIS IS NOT A REAL SEED):

otpauth://totp/Example%3Abob%40example.com?secret=Z721ZADEZY7XAC81&issuer=Example

If this feature were to be implemented, I would be able to go to the plugin configuration page, specify my default OTP filed as OTP, and from then on, the plugin would automatically be available on all seeds that were saved to the OTP field on existing and new entries.

hello,
can we use bases containing OTP codes (generated with KeePassOTP) with keepass versions for phone, like KeePassDroid, keepass2android... ?
is it compatible?
thanks

Overview

I remember dragging and dropping QR code seeds onto the KeePassOTP window used to add the seed, but lately this hasn't been working with any site I've tried. I can't remember all the site names that have draggable QR codes that don't work, but I'll list the ones I do remember:

• https://windscribe.com

Expected Behavior

Drag QR code from 2FA setup page onto the KeePassOTP window and it's added as a 2FA seed.

Actual Behavior

Dragging the QR code onto the window does nothing. KeePassOTP window remains blank

Context

OS: Win10 v1709
KeePass Version: 2.46 (latest as of writing)
Plugin Version: 0.18.2 (latest as of writing)

NOTE: Plugin is set to save my OTP stuff to the same database as the passwords, as entering my password twice for OTP access was a pain (and bypassed the point of my using Windows Hello plugin to unlock my database), and saving the OTP stuff to a database within the database feels really weird.

I couldn't get the GUI option to enable debug mode to work (box wouldn't stay ticked, didn't do anything); had to use command-line launch:
Debug_KeePassOTP_20201101T120635Z.txt

KeePass OTP doesnlt seem to work as a replacement for Yandex.Key - I tried to enable 2FA for my Yandex account in it, but it didn't work.

Summary

Hide only the OTP Value in Column "KPOTP" - Keep "Setup 2FA" visible and empty rows empty
Still keep ability to copy/paste with doubleclick

Added value

More security for the Column view due to:

• A simple overview where "Setup 2FA" is still possible, AND
• no one can visually see all your current otps in a table
• Additionally you still know where you do not have OTP enabled or documented

Example

Currently it looks like this in my main window "entry view"
Title.................................Username..............................................Password......................KPOTP
[email protected].............................xxxxxxxxxx.....................Setup 2FA
[email protected]............................xxxxxxxxxx.....................123 456 (5)
qnap...............................admin.....................................................xxxxxxxxxx.....................
Router............................admin.....................................................xxxxxxxxxx.....................

What i can do with KeePass Options (No Setup 2FA) is not an option cause then i would have to document it manually in the title if there is a OTP configured/possible.
Title.................................Username..............................................Password......................KPOTP
[email protected].............................xxxxxxxxxx.....................xxxxxxxxxx
[email protected]............................xxxxxxxxxx.....................xxxxxxxxxx
qnap...............................admin.....................................................xxxxxxxxxx.....................xxxxxxxxxx
Router............................admin.....................................................xxxxxxxxxx.....................xxxxxxxxxx

What i would like to have
Title.................................Username..............................................Password......................KPOTP
[email protected].............................xxxxxxxxxx.....................Setup 2FA
[email protected]............................xxxxxxxxxx.....................yyyyyyyyyy
qnap...............................admin.....................................................xxxxxxxxxx.....................
Router............................admin.....................................................xxxxxxxxxx.....................

I wouldn't mind if "yyyyyyyyyy" would be "Copy OTP"

Summary

Add an option in the settings to use the bare minimum form of otpauth, aka with no label and only mandatory parameters.

Added value

Simplify the construction of otpauth link, minimize the possibility of generating invalid url, which will cause problem in some other clients.

Example

otpauth://totp/?secret=testseed
instead of
otpauth://totp/title:username?secret=testseed&issuer=something

Summary

Added value

thanks for keepassotp.
it no longer works with latest keepass 2.47

Example

Overview

First time installing this plugin, this error popup upon the first launch. (see picture below)

Steps to Reproduce

Seems like just some internet issue, not very clear how to reproduce. But, what is this query for? Is it a good idea to query the internet every time at KeePass launch by default?

Context

OS: Windows 10 20H2
KeePass Version: 2.47
Plugin Version: 0.24

Unable to add OTP for AWS SSO Credentials

Overview

I already have several accounts added to Google Authenticator on Android. Now I'm looking for a way to copy those to my Windows PC. I'm using KeePass on Windows and KeePassDX on Android for all other account data. So I installed this plugin into KeePass and tried to copy an account from Google Authenticator.

Steps to Reproduce

1. Export account from Google Authenticator (this is highly complicated, actually)
2. Read the QR code from another phone, save its contents to a file and transfer it to the PC
3. Paste the file contents in the OTP Setup seed input field

That string looks like: otpauth-migration://offline?data=…

Expected Behavior

Not sure, it's not clearly documented. But maybe it should show me the current OTP code?

Actual Behavior

"ERROR"

Context

OS: Windows 10.2004
KeePass Version: 2.46
Plugin Version: 0.16

[KeePass 2.48.1 and KeePassOTP 0.30]

Hi,
Does Kee[PassOTP work offline?
I recently had an internet problem and got the error message (see attached file) at startup...
as soon as I got my connection everything went back to normal...

is this normal?
and could not switch to the computer clock in the absence of connection?

Thank you

Summary

Most of sites that provides 2FA authentication, provides also additional offline codes.
It will be helpful to have another space in KeePassOTP where storing them.

Added value

I'm using KeePassOTP saving in a separate DB, so it doesn't make sense to save backup codes into main DB (IE notes field) because otherwise the separate DB it's useless. It would be helpful to save them somewhere within the separate DB.

Example

Summary

Delay requests data from https://2fa.directory/api/v2/tfa.json.
Due to the network reasons, I can't access the address when my VPN software is not started.
Restart your computer, KeePass, it always takes precedence over my VPN application, completes the automatic start, causing an error message each time.
If you can, I want to have a delay request.

Added value

Avoid the error pop-up window.

Example

No

Summary

I had a hard time figuring out how to actually create a new TOTP entry in my database. The readme only discusses the options page that I could not even find:

Added value

A step-by-step guide would ease using this plugin for newcomers.

Example

1. Create a new entry with a title and username of your choice, but the password set as {TOTP}
2. Right-click that entry and select Copy TOTP. Confirm the then appearing request to first setup TOTP for that entry.
3. Paste your code...

Overview

When the entry title or username is set to a reference string (for example, username: {REF:U@I:326}), the literal reference string is being used in the label part of otpauth link (otpauth://totp/title:{REF:U@I:326}?secret=testseed&issuer=title).
This will cause some compatibility problems in other clients.

Steps to Reproduce

1. create an entry with its title or username set as a reference
2. setup totp for this entry
3. check the result otp field of this entry

Expected Behavior

resolve the reference or avoid using it directly

Context

OS: Windows 10 20H2
KeePass Version: 2.47
Plugin Version: 0.24

I've written documentation explaining how to use KeePassOTP with Steam (for OTP/2FA):

https://github.com/koitsu/KeePassOTP/wiki/Using-KeePassOTP-with-Steam

Sadly GitHub does not provide a way to do PRs for Wiki pages, but you have my permission to take the raw Markdown document from https://github.com/koitsu/KeePassOTP.wiki.git and use it, including modifying it however you wish.

Hope this helps, and thank you for KeePassOTP!

Hello. KeePass OTP and Yandex.Key don`t work together. But maybe there is a solution.

Somebody already created 2FA plugin for Yandex.Key:
https://github.com/norblik/KeeYaOtp

I don't know if it's safe to trust this plugin.
Can you check?

If the code is safe, can you use code from KeeYaOtp plugin and add this code to KeePassOTP?

I am synchronizing my database file with another file in my onedrive folder using the trigger system, this way I get to have it also on my phone.
As I understand in wiki, if the OTP database is locked this causes data loss. I tested it and realized, even when controlling when syncing happens, I managed to lose data easily. So the warning was very apt.

However, it is of utmost importance that OTP database gets unlocked only as needed (therefore, we have real 2FA). I am torn between syncing to cloud and having OTP database locked, i.e. having convenience of database access on other devices vs having OTA+password available simultaneously in case of a compromise of my database pw.

If a feature is not feasible, any entry to wiki to solve this issue graciously would be welcome.
Thank you very much.

Hi,

I figured out you are using 2fa.dirctory api for checking if 2fa is available.
Unfortunately they are listed as malicious and also they load content from to tdsjsext1.life which also is malicious.
Can you remove or change this API? Or give User an option do disable this API?

Best Regards,
Tim

Not a bug. Feature is working as intended.

Issue

This issue regards the feature which retrieves a JSON list of sites supporting OTP and links to their 2FA setup pages.

When KeePass is configured to autorun, users without full-time Internet connections get a pop-up error warning that KPOTP cannot access the 2FA site list. This is expected, but should KeePassOTP behave in this way?

If a machine later obtains an Internet connection, the plugin does not seem to recheck after the initial startup error. The KPOTP column continuously reports "Checking 2FA" during use and restarting KeePass appears to be the only method for retrying the JSON retrieval.

Ideas

Does the plugin create a local file cache of this list? If so, could the plugin be more sophisticated when throwing this error? Perhaps it could show an error only if it failed to retrieve this file and the local cache was more than 7 days old or whatever period seems appropriate.

Perhaps instead of the startup error, the plugin could show something like "Unknown 2FA" in non-configured KPOTP column fields and alter the control behavior such that double-clicking the fields would manually trigger a recheck for the JSON list. If successful, the fields could be repopulated with "Setup 2FA" or emptied and the double-click behavior restored to normal. If a failure occurs with a manual trigger, the error box should be shown regardless of cache age.

Conclusion

This feature can be disabled in the plugin settings to avoid the error, but it seems unfortunate that it cannot cache the list and/or attempt to contact the server again some period of time after a failure. I don't think that a cache would impose a security implication as it shouldn't expose which database entries have OTP configured. The non-specific use of 2FA is already implied by the existence of the KeePassOTP PLGX.

Regardless, I thank you for the excellent plugin and for your valuable time in reading this. Have a great day.

I can update the readme to better explain how to add OTP to an entry.

I'm also interested in your issue of not seeing KeePassOTP's config screen and I need your support to analyze that.

1. Please replace your version of KeePassOTP.plgx with the one linked here: [Link to debug build](https://github.com/Rookiestyle/KeePassOTP/releases/tag/v0.13.0.1)

2. Try to access KeePassOTP's options and close KeePass.

3. A debug file will be created and I need it for further analysis. Please attach it to this issue

I am also having a hard time, but maybe it's because I misinterpreted the plugin. Is this only for new OTPs? I already have several in Authy and when reading over the docs a few times, I was under the impression I'd be able to essentially transfer my authy seeds over to KeePass and generate from OTPs from there. Do I have to reset my OTPs one-by-one and import each individual QR to this plugin?

Originally posted by @snowbie in #12 (comment)

Overview

Even tho I have enabled on Keepass' "Security" tab "Enter master key on secure desktop" the password for KOTP-DB isn't asked on secure desktop.

Expected Behavior

If "Enter master key on secure desktop" is enabled in Keepass' "Security" tab, the password should be asked for the KOTP-DB on secure desktop, too.

I could imagine, that the plugins can't check the setting or can't use secure desktop.

The "old" plugins like KeeOTP were compatible with keepass2android app and I could generate OTP codes from the app.
This seems to be broken now.
Therefore I opened up 2 issues for KeePassDX App and keepass2android:

Kunzisoft/KeePassDX#689 --> looks like this already works
PhilippC/keepass2android#1401

Hope they integrate your format soon

Overview

incorrectly scans the QR code.
the encoding algorithm is wrong (need sha256, but the program puts sha1), the time is wrong (need 35 sec, but the program puts 30)

Steps to Reproduce

OTP setup > scan QR

Expected Behavior

setting fields in sha256 and time 35 sec

Actual Behavior

fields in sha1 and time 30 sec (because of this, the wrong code is generated)

Context

OS: Winsows 7 x64
KeePass Version: 2.44
Plugin Version: 0.28

Overview

Imgur screenshot

Steps to Reproduce

1. Use 1366x766 resolution display
2. Create an entry
3. Open the OTP menu of the entry

Expected Behavior

The OTP setup menu is expected to properly show controls.

Actual Behavior

OTP setup menu size is smaller than the space its controls occupy inside it, hence making it overflow and cut the excessive controls

Context

OS: Win 10 Home Version 2004, Build 19041.1165
KeePass Version: 2.48.1
Plugin Version: 0.29(also 0.28, since the display QR code scan features was added)

Overview

Keyboard shortcut is registered globally not only when KeePass Window is active

Steps to Reproduce

1. Open KeePass
2. Setup Ctrl+T shortcut for KeepPassOtp plugin
3. Try to open new tab in browser via Ctrl+T

Expected Behavior

Ctrl+T shortcut should work in browsers after KeePass is started

Actual Behavior

Ctrl+T shortcut no longer works on browsers

Context

OS: Windows 10 20H2
KeePass Version: 2.47
Plugin Version: 0.24

Summary

Version spamming. There are too many versions coming out!
Keepass urges the user to update the outdated plugin.
This has to be done manually.
Tedious.

Added value

Collect minor improvements and convenience features into a bigger update.
Users that need it earlier could use a RC or something.

Example

E.g. current change is: "You can now migrate these settings between KeePass and KeePassOTp in both directions"
How often do you do that? How many users need that now?
They can do that manually if they need to.
(i dont want to imply that you shouldnt add new functions-thats great work!)

I suggest an update as often as other plugins do it, so they can be updated all at once.
I hope i dont sound rude or something, i really appreciate your plugin.
Thank you.

After I upgraded to version 0.25 of the plugin, the translation started to present the following problem:

So the translation doesn't work, I emphasize that the problem started to occur before the pull requests I made today.

I'm on windows 10 x64, Keepass 2.47.

hi,
I saw that you can display the code with 'KeePassOTP and OTP setup' by right-clicking on the entry (and that it turns red towards the end)...
But by doing this, the seed is pre-selected; if you only want to see the code (and not touch the setup) it's much too easy to make a mistake and modify the seed !...

I think it would be much better to add another entry to display a small window giving the code and the remaining time (without taking the risk to modify the config).
Thanks

Summary

I am an end user for this plugin.
As far as I realized, even if you use "separate database" once, the database file creates a OTP database for OTP seeds, burried in the "master" database file. Even if I switch to not using a separate database, then back to using separate database, there's always some garbage coming back from this OTP database, I thought were gone.
How do I clean up my database from this?

I just installed the plugin (by copying it into the Plugins folder). On start of KeePass I get this error message:

OS: Windows 7
KeePass Version: 2.47 (64-bit)
Plugin Version: v0.23

So forgive me for maybe asking a stupid question, but is this plugin an alternative for Google authenticator or Authy? If yes: how would I go about using this on my phone?

I opted for the hotkey
ctrl+t

I was used to it from an older plugin. It should only work if the keepass window is in focus.
Actually I am not able to press ctrl + t in my browser.
Looks like that this hotkey is registered system wide.
Is this intended?

Summary

the feature Indicate if 2FA usage is possible is a cool thing but a password manager which connects to the internet ist an absolute no-go for me.

please separate the download function of tfa.json (which produces the error popup) from the Indicate if 2FA usage is possible and provide the location where this file has to be.

this would allow to use this feature but keep up high security standards by manually downloading the tfa.json file via browser, cronjob, curl, wget, ...

Hello
thanks for great plugin!
I use it with latest Keepass, Firefox and Kee plugin for autofill
However last releases borked Kee a bit ...
Last working version was 0.23 (so I stick to it for now)

From 0.24 what used to work with Kee, now just fills {KPOTP} instead of time OTP

if I replace it with {TimeOTP} it gets filled, but with wrong entry (last time I tried with 0.25, didn't test 0.25.1 with this approach, I saw you did some changes in counting, but not sure related to which fields)

From my POV this is a regression, however if KPOTP shouldn't be used anymore as field for fill in with Kee, I'll gladly fix my entries

Can you let me know what is supposed to work and what doesn't now?

tia
L

Overview

This plugin does not work with KeePass on Windows Vista. I think tihs should be mentioned in the Requirements section of the README.md. It just does not "compile". I don't have an actual error message, sorry.

Steps to Reproduce

1. Get a PC with Windows Vista.
2. Install KeePass 2.46
3. Install KeePassOTP 0.16.1
4. Try to launch KeePass

Expected Behavior

I'd expect KeePass to prompt for the normal master password, then to prompt for the one for the OTP database.

Actual Behavior

KeePass spits out an error message saying it cannot compile KeePassOTP, then prompts for the password for the regular DB, and never attempts to prompt for the OTP DB password. Like this second DB does not exist.

Make this keepass otp to work on yandex otp. Yandex otp token doesnot work on keepass otp. Do something to resolve it.

Summary

Add a screenshot feature to the setup if the new QRCode is not draggable or not compatible.

Added value

• Allows any displayed qrcode image to be imported (unknown/wrong file extension; generated svg qrcodes)
• Allows not draggable images to be imported

Example

In my case i had a 150x150px 24Bit PNG file wich did nothing after drag and drop. So i had to make a screenshot save it and then make drag and drop. After some more research i found the issue that the *.png named file originally is a jpeg file, so downloading, renaming and then drag&drop works.

Microsoft generated me the "PNG" (in fact jpg) file in a testing environment - Drag&Drop won't work:

Summary

NOTE: Add the TOTP 2FA authenticator to the master database .kdbx file itself (i.e opening your own actual master database also requires TOTP). The secret for the key will be created as an entry "Master Database TOTP secret" and stored in the same manner as all other TOTP, either as entries or separately as a DB.

Added value

Example

Hello,

There is a problem with generating TOTP in SHA256. If I select SHA1 or SHA256, it gives me the same code.

Regards,