We recently worked with KeePassXC to add OnlyKey support for challenge-response, so now you have two options, YubiKey or OnlyKey for challenge response with KeePassXC.
While these issues mention support of challenge-response through other 3rd party apps:
https://github.com/Kunzisoft/KeePassDX/issues/137
https://github.com/Kunzisoft/KeePassDX/issues/8
I wanted to suggest a different approach that would allow users to use all Yubikey models, not just the NEO, and OnlyKey. The idea is to keep using the device of your choice on desktop OS with KeePassXC but on Android don't use the device, instead use the Android keystore. This would be a lot more user friendly and avoid lots of potential technical issues like NFC issues, USB issues, etc. Here is how it would work:
So now you can open your KBDX on desktop OS with your device, or on Android with a fingerprint. The Android keystore according to this supports HMAC SHA1 so you would be able to generate the challenge-response in the app, with the key never leaving the Android keystore - https://source.android.com/security/keystore/features
I think from a user experience perspective this would be a game changer. All that is required is a fingerprint on mobile and its backwards compatible with KeePassXC.
Saving the HMAC-SHA1 key to the mobile device itself defeats the whole purpose of having a removable(!) second factor.
Don鈥檛 get me wrong, for some users this way of doing it might be okay, but in my opinion the other proposal, i.e. using the challenge-response method via NFC / USB seems to be the safer solution.
Most helpful comment
Saving the HMAC-SHA1 key to the mobile device itself defeats the whole purpose of having a removable(!) second factor.
Don鈥檛 get me wrong, for some users this way of doing it might be okay, but in my opinion the other proposal, i.e. using the challenge-response method via NFC / USB seems to be the safer solution.