Suggest TOTP for entries using a web service [$50] #4096
Comments
This is a very limited feature that would be rather complex to implement. I do not endorse this. We could simply add a link to the website for users to check themselves.
In KeePassXC I have 969 entries and 697 have a URL entry. In KeePassXC you have 2FA (TOTP) already implemented, so you should increase the usability and add this feature, where users get a report of websites that support TOTP but it is not yet set up. The password manager 1Password has such a feature to increase the security of the password entries. LastPass suggests to protect the LastPass Account with 2FA "get stronger security": They also suggest to protect the entries in the password database with 2FA: So this feature encourages users to activate 2FA for their password entries and helps them find entries without 2FA.
I would love such a feature; I also have many entries where I have not yet added TOTP (simply because I did not know that the service offers it).
I'll consider it, still a lot of work
Would the source code of the HaveIBeenPwnd plugin for KeePass (https://github.com/andrew-schofield/keepass2-haveibeenpwned) help?
I would donate 20 USD for this feature (if donating for a specific feature is possible)
@droidmonkey I donated 30 USD for this feature, what do I have to do so this donation is shown here?
It is showing on bounty source, not sure why the title wasn't changed: https://www.bountysource.com/issues/86453678-suggest-totp
@droidmonkey The title must be changed and the "bounty" tag must be applied.
Thank you @droidmonkey
In the past I also had a look at the password manager Bitwarden. The fact that 1Password, Bitwarden and also other password managers have such a report shows that this feature is important.
I think this is quite a useful feature. KeePassXC would become more intelligent, helping the user to make all accounts more secure where TOTP is available.
@andkopp Would you like to donate for this feature (like I did)?
This would be an excellent addition to the health check after it is merged. Or even as a third page to the new "Reports" view.
Thank you @andkopp for increasing the bounty! @droidmonkey the title of this topic is not automatically updated, so could you please update the bounty value in the title?
@droidmonkey I thought the subject is automatically updated when someone donates?
It's supposed to
@droidmonkey This feature is really important because it increases the security of my KeePassXC entries. And this is the reason why other password managers already offer this feature. So what is the plan for implementing this feature? I really would love to see this feature in KeePassXC.
It would be another tab on the reports view. I have no time for this feature; it will have to wait or someone else can do it.
Sounds interesting, and not too difficult once we have offline HIBP support (#551). Would use the v2 API, however (https://twofactorauth.org/api/v2/tfa.json).
@wolframroesler, this sounds fantastic, I am very happy that this feature comes closer to being developed.
Bitwarden fixed the bug that no entries were shown in the Inactive 2FA report, so now you see results (in the screenshot I just greyed out my usernames / my email address): The links "Instructions" open the website with the instructions (how to set up 2FA).
I recognized that Bitwarden does not list all relevant entries from my demo vault (containing just 20 entries) in this report. Here are some URLs of Amazon.de that could be stored in KeePassXC:
So you have to reduce the URL stored in KeePassXC to the domain + country information (amazon.de) and look up this value in the "Two Factor Auth List". For Amazon I found in the "Two Factor Auth List" only Amazon.com (not .de), so I don't know what to do in these cases.
FYI https://twofactorauth.org/ needs to be replaced with https://2fa.directory/ when this is implemented. |
Fixes keepassxreboot#4096 Signed-off-by: Thomas Hobson <thomas@hexf.me>
I like it, I think this should be combined with the "change your password" links as well.
Summary
KeePassXC should tell if there are entries where 2FA is available but not yet set up.
Details
In KeePassXC I have set up 2FA for some entries, but I know that 2FA is available for many more entries.
The Two Factor Auth List (https://twofactorauth.org/) offers a list of websites, where TOTP is available.
In this list the column "Software Token" indicates that an entry uses a TOTP that can be managed by KeePassXC.
In the column "Docs" there is a link to the documentation how to enable TOTP for the website.
The data of the website is also available via JSON: https://twofactorauth.org/data.json
How should this work?
In this list there is also a column "Documentation" where you show the URL of the documentation.
So users just need to click the URL to open it.
As an optional feature the list may also contain entries, where TOTP is already set up in KeePassXC (these entries have a green checkmark).
The entries where TOTP should be activated have a red cross.
This feature would increase the security a lot.
Because 2FA is an excellent way to prevent hackers (that have stolen usernames and passwords) from breaking into the account.
Some entries in the 2FA-list have a red exclamation mark (a so called exception).
At these entries there are some specialities.
You see many at the category Gaming (https://twofactorauth.org/#gaming).
For example Steam or Blizzard, which have their own authenticator apps.
You find this data also in the JSON:
"exceptions":{"text":"Software implementation requires use of the Steam Mobile app. Authentication on non-phone devices is not officially supported. SMS support is limited to receiving account recovery codes for password resets."}},
This must also be considered by KeePassXC (just show the exception text in a separate column).
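A sketch of the matching step discussed in this thread (reduce the entry URL to its domain, look it up in the 2FA list, keep the "exceptions" text for its own column, and flag the amazon.de-vs-amazon.com case for manual checking instead of silently dropping it). This is an illustration added here, not KeePassXC's code or the linked PR's; the JSON sample is constructed in the category/site shape of the old data.json, and every field name except the quoted "exceptions" object, plus all URLs, is an assumption.

```python
import json
from urllib.parse import urlsplit

# Constructed sample in the shape of the old twofactorauth.org data.json
# (category -> site name -> record). The nested "exceptions": {"text": ...}
# follows the snippet quoted in the issue; "url", "software", "doc" and the
# URLs themselves are assumptions for illustration only.
SAMPLE_TFA_JSON = json.dumps({
    "Retail": {"Amazon": {"url": "https://www.amazon.com", "software": True,
                          "doc": "https://docs.example/amazon-2fa"}},
    "Gaming": {"Steam": {"url": "https://store.steampowered.com", "software": True,
                         "doc": "https://docs.example/steam-2fa",
                         "exceptions": {"text": "Software implementation requires "
                                        "use of the Steam Mobile app."}}},
    "Banking": {"ExampleBank": {"url": "https://examplebank.example",
                                "software": False}},
})


def site_key(url):
    """Reduce a URL to 'label.tld' (e.g. amazon.de), the value looked up in the list.
    Simplification: multi-part public suffixes such as co.uk are not handled."""
    host = (urlsplit(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def index_tfa(tfa_json):
    """Map site key -> record for every site offering a software token (TOTP)."""
    index = {}
    for category, sites in json.loads(tfa_json).items():
        for name, rec in sites.items():
            if rec.get("software"):
                index[site_key(rec["url"])] = dict(rec, name=name, category=category)
    return index


def totp_report(entries, index):
    """Classify entries ({'title','url','has_totp'}) against the indexed 2FA list."""
    by_label = {k.split(".")[0]: k for k in index}  # second-level label -> listed key
    report = []
    for e in entries:
        if not e.get("url"):
            continue
        key, label = site_key(e["url"]), site_key(e["url"]).split(".")[0]
        rec, note = index.get(key), ""
        if rec is None and label in by_label:  # amazon.de is listed only as amazon.com
            rec, note = index[by_label[label]], "listed as " + by_label[label]
        if rec is None:
            continue  # no software-token entry in the list: nothing to suggest
        report.append({"title": e["title"], "site": key,
                       "status": "set up" if e["has_totp"] else "missing",
                       "doc": rec.get("doc", ""), "note": note,
                       "exception": rec.get("exceptions", {}).get("text", "")})
    return report
```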