How KeePass works as a backup for a TOTP authenticator
A TOTP authenticator that scans QR codes makes the switch to secure 2FA logins and time-limited one-time passwords much easier. But what happens if the authenticator is lost? Then only a backup of all keys and passwords will help. A password manager such as KeePass manages this sensitive data for two-factor authentication.
To guard against the consequences of losing the TOTP authenticator, many users activate PIN protection on the respective device. With this important security function enabled, time-based one-time passwords (TOTP for short) can only be generated after the PIN has been entered. However, this effective protection against misuse is only half the battle: users must also make sure that they themselves keep access to their accounts. It is therefore advisable to save all keys and passwords required for two-factor authentication at the moment a 2FA login is set up.
Which 2FA login data users should back up
For secure two-factor authentication, users need a secret key to generate the time-limited one-time passwords as a second factor in addition to the classic access data such as user name and password. A backup of all required data should therefore include the following keys and passwords:
- User name and password: These classic access data are the prerequisite for accessing online accounts. Password managers or corresponding online services are suitable for the encrypted management of user names and passwords.
- TOTP key: When setting up a 2FA login, the server of the online service generates a secret TOTP key (shared secret). The user’s authenticator requires this key, either in plain text or as a QR code, to generate the TOTP one-time passwords.
- Recovery codes: Many online services provide their users with a certain number of one-time passwords as backup codes. These codes can also be used to temporarily deactivate two-factor authentication if the authenticator is lost.
The simplest way to back up all required 2FA access data is therefore the encrypted management of all user names and passwords together with the secure storage of all backup codes and QR codes in the form of text and graphic files.
How KeePass supports the backup of 2FA login data
The most convenient and secure way to manage 2FA access data is via a password manager such as KeePass. Version 2.x of this software is available to download free of charge for Windows. The website of the open source project also lists corresponding ports for other platforms such as Linux, Android, Mac OS X, iPhone and iPad. The portable KeePass version is recommended for backing up 2FA access data: it allows the program installation to be stored together with the backup of the 2FA data on one and the same storage medium, for example a USB stick, independently of any particular device.
The KeePass installation is quick and easy: simply create a new folder and unzip the ZIP file of the portable KeePass version into it. For a German user interface, the additional installation of the corresponding translation is recommended; the contents of that ZIP archive are copied to the “Languages” subfolder. To start the program for the first time, double-click on the program file “KeePass.exe”. Confirm the question “Enable automatic update check?” with “Enable (recommended)” to activate the automatic check for KeePass updates. The switch to the German user interface is finally made via “View, Change Language …” by clicking on the option “German (Deutsch)”. After restarting the program, KeePass is ready for use.
To create a new password database, click on “File, New …” after the restart. After confirming the following message with “OK”, select the file name and storage location of the encrypted database and then the master password used to open and decrypt it. The database settings can be accepted in the subsequent dialog by clicking “OK”. Everything is now ready for entering the 2FA access data. The first account is created via “Entry, Add Entry …”. The “Title”, for example “Google account (username@gmail.com)”, serves only to identify the account. Then enter the user name and password. Anyone who has already used KeePass to manage classic single-factor accounts will be familiar with all the information up to this point.
How to add QR codes and TOTP keys to KeePass
Additional recovery codes for two-factor authentication can also be entered in the “Comments” field via the clipboard. However, it is safer to store them – just like secret TOTP keys in plain text – in the “Advanced” tab as a “string field”. After clicking on “Add”, for example, select “Back-up codes (2FA)” as the name of the field, enter the codes in “Value” and activate the option “Protect value in process memory”. TOTP keys are saved in plain text in the same way.
However, it is recommended to use “TOTP Seed” as the name of the field so that the data can also be read out later using the optional KeePass plug-in KeeTrayTOTP. TOTP keys in the form of a QR code, which are saved from the browser with a right-click and the option “Save graphic as …” or via a screenshot locally as a graphic file, can be saved in the “File attachments” area via the “Attach” button in KeePass. Once you have entered all the required account details, simply click on “OK” to apply all the changes. Before making any further changes, you should first save the updated KeePass database with “File, Save”.
Tip
Most online services not only provide their users with a QR code when activating two-factor authentication, but also offer the option of accepting the secret TOTP key in plain text. There is usually a link next to the QR code such as “You can’t scan it?”.
How KeePass creates QR codes and TOTP one-time passwords
With the optional KeeTrayTOTP plug-in, KeePass also generates one-time passwords for secure 2FA login and QR codes for configuring an authenticator from the secret TOTP key in plain text. All you have to do is copy the plug-in file “KeeTrayTOTP.plgx” into the KeePass subfolder “Plug-ins”.
After installing the plug-in, its options are available from KeePass by right-clicking on the respective account entry via the menu item “Tray TOTP Plug-in”. A freshly generated one-time password can then be copied to the clipboard with “Copy TOTP”. The “Show QR” option is particularly interesting for back-ups. This can be used to generate a QR code for the secret TOTP key. Users of the REINER SCT Authenticator also have the option of changing the “Issuer (Title)”. This is particularly useful if the account name is not displayed in full in the REINER SCT Authenticator. The name can then be shortened via the “Issuer (Title)” to make it easier to distinguish it from similar accounts.
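What KeeTrayTOTP does with the plain-text seed stored in the “TOTP Seed” field is standard RFC 4226/6238 arithmetic, and the QR code that “Show QR” renders is just an otpauth:// URI whose label carries the issuer title. The following example is an added illustration, not code from the article or from the KeePass or KeeTrayTOTP projects. It decodes a seed as a user would paste it (spaces, lowercase, missing padding), computes the one-time password, builds and parses the otpauth:// URI, and checks that a seed backed up as text and a seed backed up inside a saved QR payload are the same key. The sample seed is the public RFC 6238 reference secret “12345678901234567890” in base32 (constructed for the example); the function names, the issuer “Example” and the account “username@example.com” are assumptions.

```python
import base64
import hashlib
import hmac
import struct
import time
import urllib.parse

# Constructed sample: the RFC 4226/6238 reference secret "12345678901234567890",
# base32-encoded, written the way a service might display it next to the QR code
# (lowercase, grouped with spaces). This is what would go into the "TOTP Seed" field.
SAMPLE_SEED = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"


def decode_seed(seed):
    """Turn a human-readable base32 seed into the raw HMAC key.
    Tolerates whitespace, lowercase and missing '=' padding; raises
    ValueError (from b32decode) if the text is not base32 at all."""
    cleaned = "".join(seed.split()).upper().rstrip("=")
    cleaned += "=" * (-len(cleaned) % 8)          # restore padding to a multiple of 8
    return base64.b32decode(cleaned, casefold=True)


def hotp(key, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed, at=None, period=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period).
    `at` is a Unix timestamp; None means the current time."""
    at = int(time.time()) if at is None else at
    return hotp(decode_seed(seed), at // period, digits)


def otpauth_uri(seed, account, issuer, digits=6, period=30, algorithm="SHA1"):
    """Build the otpauth:// URI that an authenticator QR code encodes.
    The "issuer:account" label is what the authenticator displays as the title."""
    label = urllib.parse.quote(f"{issuer}:{account}", safe=":@")
    secret = base64.b32encode(decode_seed(seed)).decode().rstrip("=")
    params = {"secret": secret, "issuer": issuer, "algorithm": algorithm,
              "digits": str(digits), "period": str(period)}
    return f"otpauth://totp/{label}?{urllib.parse.urlencode(params)}"


def parse_otpauth_uri(uri):
    """Inverse of otpauth_uri: recover secret and parameters from a QR payload,
    so a QR image kept as a file attachment can be checked against the text seed."""
    parts = urllib.parse.urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    label = urllib.parse.unquote(parts.path.lstrip("/"))
    issuer_from_label, _, account = label.rpartition(":")
    q = dict(urllib.parse.parse_qsl(parts.query))
    return {"account": account,
            "issuer": q.get("issuer", issuer_from_label),
            "secret": q["secret"],
            "digits": int(q.get("digits", 6)),
            "period": int(q.get("period", 30))}


def backup_matches(seed, uri):
    """True if the plain-text seed and the seed inside the QR URI decode to the
    same key, i.e. the two backups of the second factor are consistent."""
    return decode_seed(seed) == decode_seed(parse_otpauth_uri(uri)["secret"])


if __name__ == "__main__":
    uri = otpauth_uri(SAMPLE_SEED, "username@example.com", "Example")
    print(uri)
    print("code at t=59:", totp(SAMPLE_SEED, at=59))   # 287082, RFC 6238 test vector
    print("code now:    ", totp(SAMPLE_SEED))
    print("consistent:  ", backup_matches(SAMPLE_SEED, uri))
```

Feeding the returned URI to any QR encoder yields the same kind of image as “Show QR”; changing the `issuer` argument changes only the label, which is exactly the “Issuer (Title)” adjustment described above. Because the code is deterministic in the seed and the clock, a wrong or truncated seed in the backup shows up immediately as a code that the service rejects, so it pays to test the stored seed once against the live account before relying on it.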
If you don’t need this option, you can also use the much more modern KeePassXC program instead of KeePass. This software is also available in a portable Windows version and supports the management of TOTP keys and the generation of TOTP one-time passwords out of the box.
Tip
For increased security requirements, it makes sense to keep the first and second factor of the 2FA access data in separate backups. The easiest way to do this in KeePass is with two databases: the user names and passwords of the accounts are stored in one database, the QR codes and TOTP keys in the other. The user should of course protect both KeePass databases with different and sufficiently strong master passwords.
Figure captions:
- User name and password are entered in KeePass in the “General” tab.
- Back-up codes and TOTP keys in plain text are entered in KeePass as a string field.
- File attachments allow graphics with QR codes to be saved in KeePass.
- The KeePass plug-in “KeeTrayTOTP” generates TOTP one-time passwords and QR codes.
- The account name in the QR code can be adjusted via the “Issuer (Title)” with “KeeTrayTOTP”.
- The modern-looking program KeePassXC supports TOTP keys out of the box.