
How KeePass works as a backup for a TOTP authenticator

A TOTP authenticator that scans QR codes makes the switch to secure 2FA logins and time-limited one-time passwords much easier. But what happens if the authenticator is lost? Then only a backup of all keys and passwords will help. A password manager such as KeePass manages this sensitive data for two-factor authentication.

To protect themselves from losing the TOTP authenticator, many users use PIN protection on the respective device. If this important security function of the authenticator is activated, time-based one-time passwords (TOTP for short) can only be generated after the PIN has been entered. However, this effective protection against misuse is only half the battle; users must also ensure that they still have access to their accounts. It is therefore advisable to save all keys and passwords required for two-factor authentication when creating a 2FA login.

Which 2FA login data users should back up

For secure two-factor authentication, users need a secret key to generate the time-limited one-time passwords as a second factor in addition to the classic access data such as user name and password. A backup of all required data should therefore include the following keys and passwords:

The simplest variant of backing up all required 2FA access data is therefore the encrypted management of all user names and passwords as well as the secure storage of all backup and QR codes in the form of text and graphic files.

How KeePass supports the backup of 2FA login data

The most convenient and secure way to manage 2FA access data is via a password manager such as KeePass. Version 2.x of this software is available to download free of charge for Windows. The website of the open source project also offers corresponding ports for other platforms such as Linux, Android, Mac OS X or iPhone and iPad. The use of a portable KeePass version is recommended for backing up 2FA access data. In this way, it is possible to save the program installation together with the backup of the 2FA data on one and the same storage medium, for example on a USB stick, regardless of the device.

The KeePass installation is quick and easy: simply create a new folder and unzip the ZIP file of the portable KeePass version into it. For a German user interface, the additional installation of the corresponding translation is recommended. The contents of this ZIP archive are copied to the “Languages” subfolder. To start the program for the first time, simply double-click on the program file “KeePass.exe”. The question “Enable automatic update check?” is confirmed with “Enable (recommended)” to activate the automatic check for KeePass updates. The switch to the German user interface is finally made via “View, Change Language …” by clicking on the option “German (Deutsch)”. After restarting the program, KeePass is ready for use.

To create a new password database, simply click on “File, New …” after the restart. After confirming the following message with “OK”, the user selects the file name and storage location of the encrypted database and then the main password for opening and decrypting. The database settings can be accepted in the subsequent dialog by clicking “OK”. Everything is now ready for you to enter your 2FA access data. The first account is created via “Entry, add entry …”. The “title”, such as “Google account (username@gmail.com)”, is only used to identify the account. Then enter your user name and password. Anyone who has already used KeePass to manage classic 1FA accounts will be familiar with all the information up to this point.

How to add QR codes and TOTP keys to KeePass

Additional recovery codes for two-factor authentication can also be entered in the “Comments” field via the clipboard. However, it is safer to store them – just like secret TOTP keys in plain text – in the “Advanced” tab as a “string field”. After clicking on “Add”, for example, select “Back-up codes (2FA)” as the name of the field, enter the codes in “Value” and activate the option “Protect value in process memory”. TOTP keys are saved in plain text in the same way.

However, it is recommended to use “TOTP Seed” as the name of the field so that the data can also be read out later using the optional KeePass plug-in KeeTrayTOTP. TOTP keys in the form of a QR code, which are saved from the browser with a right-click and the option “Save graphic as …” or via a screenshot locally as a graphic file, can be saved in the “File attachments” area via the “Attach” button in KeePass. Once you have entered all the required account details, simply click on “OK” to apply all the changes. Before making any further changes, you should first save the updated KeePass database with “File, Save”.

Tip

Most online services not only provide their users with a QR code when activating two-factor authentication, but also offer the option of accepting the secret TOTP key in plain text. There is usually a link next to the QR code such as “You can't scan it?”.

How KeePass creates QR codes and TOTP one-time passwords

With the optional KeeTrayTOTP plug-in, KeePass also generates one-time passwords for secure 2FA login and QR codes for configuring an authenticator from the secret TOTP key in plain text. All you have to do is copy the plug-in file “KeeTrayTOTP.plgx” into the KeePass subfolder “Plug-ins”.

After installing the plug-in, its options are available from KeePass by right-clicking on the respective account entry via the menu item “Tray TOTP Plug-in”. A freshly generated one-time password can then be copied to the clipboard with “Copy TOTP”. The “Show QR” option is particularly interesting for back-ups. This can be used to generate a QR code for the secret TOTP key. Users of the REINER SCT Authenticator also have the option of changing the “Issuer (Title)”. This is particularly useful if the account name is not displayed in full in the REINER SCT Authenticator. The name can then be shortened via the “Issuer (Title)” to make it easier to distinguish it from similar accounts.
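What the plug-in computes from the stored “TOTP Seed” is worth seeing once in code, because it makes clear why the plain-text secret is the only thing that really needs backing up: from it, both the one-time password (RFC 6238) and the QR code content (an otpauth:// key URI) can be regenerated at any time. The following Python script is an added example; it is not code from this article, from KeePass or from KeeTrayTOTP. The account name, issuer and the secret in `main()` are constructed values, and the otpauth URI layout follows the widely used Key URI format rather than any single service's QR code.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, quote, urlencode, urlparse


def totp(secret_b32, at=None, digits=6, period=30, algorithm="sha1"):
    """Compute an RFC 6238 time-based one-time password from a Base32 secret.

    secret_b32 is the plain-text key a service shows next to its QR code
    (the value the article stores in KeePass as the "TOTP Seed" field).
    """
    # Services often show the key in lower case, with spaces and without
    # padding; normalise all three before decoding.
    normalised = secret_b32.strip().replace(" ", "").upper()
    normalised += "=" * (-len(normalised) % 8)
    key = base64.b32decode(normalised)

    # Time step counter, packed as an 8-byte big-endian integer (RFC 4226).
    now = time.time() if at is None else at
    counter = int(now // period)
    msg = struct.pack(">Q", counter)

    digest = hmac.new(key, msg, getattr(hashlib, algorithm)).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def otpauth_uri(secret_b32, account, issuer, digits=6, period=30, algorithm="SHA1"):
    """Build the otpauth:// key URI that an authenticator QR code encodes.

    This is the text the "Show QR" function turns into an image; the issuer
    is what appears as the title in the authenticator (the "Issuer (Title)"
    the article mentions).
    """
    label = quote(f"{issuer}:{account}", safe=":@")
    params = urlencode(
        {
            "secret": secret_b32.replace(" ", "").upper().rstrip("="),
            "issuer": issuer,
            "algorithm": algorithm,
            "digits": digits,
            "period": period,
        },
        quote_via=quote,   # encode spaces as %20, not "+"
    )
    return f"otpauth://totp/{label}?{params}"


def parse_otpauth(uri):
    """Recover secret, issuer and account from an otpauth:// URI.

    Useful when the backup is the saved QR image: once the image has been
    decoded to text (QR decoding itself is outside this example), this is
    all that is needed to rebuild the entry.
    """
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP key URI")
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    label = parts.path.lstrip("/")
    issuer_from_label, _, account = label.rpartition(":")
    return {
        "secret": query["secret"],
        "issuer": query.get("issuer", issuer_from_label),
        "account": account,
        "digits": int(query.get("digits", 6)),
        "period": int(query.get("period", 30)),
        "algorithm": query.get("algorithm", "SHA1").lower(),
    }


def main():
    # Constructed demo values; the secret is the RFC 6238 test key
    # "12345678901234567890" in Base32.
    secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    uri = otpauth_uri(secret, "alice@example.com", "Example Service")
    entry = parse_otpauth(uri)
    print("key URI for the QR code:", uri)
    print("current one-time password:", totp(entry["secret"],
                                             digits=entry["digits"],
                                             period=entry["period"],
                                             algorithm=entry["algorithm"]))


if __name__ == "__main__":
    main()
```

The check in `parse_otpauth` also shows why the plain-text seed is the more robust backup: the QR image only ever carries this same string, so a copy of the seed in a protected KeePass string field preserves everything the image does without depending on an image decoder later.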

If you don’t need this option, you can also use the much more modern KeePassXC program instead of KeePass. This software is also available in a portable Windows version and supports the management of TOTP keys and the generation of TOTP one-time passwords out of the box.