All the details are in this PR: https://github.com/keepassx/keepassx/pull/52
Maybe @kylemanna can help
Is YubiKey popular with KeePass users? I would much rather add something like Google Authenticator 2FA.
Perhaps this can be modularized such that multiple 2FA services can be incorporated into the interface.
YubiKey also works as an OTP token (TOTP, like Google Authenticator).
It would be nice to be able to select between 2FA methods (OTP or Challenge-Response) to support both.
YubiKey supports challenge/response, so 2FA would even work offline, as opposed to Google Authenticator.
Google Authenticator also works offline because it's time-based OTP (after the first online sync).
Here is a guide to implementing TOTP with Google Authenticator (maybe it can help), but this will take some time to develop.
I'm a Challenge-Response fan
re: @TheZ3ro @stmllr
The YubiKey challenge response works completely offline. Google Authenticator and all TOTP mechanisms don't make any sense as they don't enhance the crypto key. They are usually used by a remote "trusted" third party (i.e. Google, LastPass, etc.) to control access to the actual encrypted payload.
My implementation of the YubiKey challenge-response optionally adds strength to standalone key files and static passwords by hashing all the combinations together to generate a stronger key. This process occurs completely offline with just the YubiKey, supporting host libraries and KeePassX with this pull request.
To restate this:
TOTP controls access to the encrypted payload in the case of services like lastpass.
Challenge-Response makes the encrypted payload key stronger. If done right, challenge-response would force someone to attack the crypto cipher instead of brute forcing or guessing passwords that in standalone implementations are the basis for the key.
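To make the distinction in the comment above concrete, here is an added example (written for this page, not code from the PR or from KeePassX) that puts the two models side by side: an RFC 6238 TOTP check, where a code derived from a shared secret is merely compared and never touches the encryption key, and a challenge-response composite key, where the token's HMAC-SHA1 response is hashed together with the password and key file so that the database key cannot be derived without the token. Assumptions, not facts from the thread: the composite key is a plain SHA-256 over the hashed factors (the real PR's derivation is not reproduced here), the challenge is a random value stored alongside the database (e.g. in its header), and `yubikey_hmac_sha1_response` stands in for the hardware token, which in HMAC-SHA1 slot mode holds a 20-byte secret and returns a 20-byte response. All inputs are constructed sample data.

```python
import hashlib
import hmac
import struct
from typing import Optional

# --- Constructed sample inputs (not real secrets) ---------------------------------
PASSWORD = b"correct horse battery staple"
KEYFILE = bytes(range(64))                          # stands in for a key file's contents
YUBIKEY_SECRET = bytes.fromhex("0f" * 20)           # 20-byte HMAC-SHA1 slot secret (assumed)
CHALLENGE = bytes.fromhex("a5" * 32)                # random challenge stored with the DB (assumed)
TOTP_SECRET = b"12345678901234567890"               # RFC 6238 test-vector seed


def yubikey_hmac_sha1_response(slot_secret: bytes, challenge: bytes) -> bytes:
    """Simulates a YubiKey slot programmed for HMAC-SHA1 challenge-response.

    The real token keeps slot_secret on-device and only ever releases the
    response; this software stand-in is an assumption for the example.
    """
    return hmac.new(slot_secret, challenge, hashlib.sha1).digest()


def derive_composite_key(password: bytes,
                         keyfile: Optional[bytes],
                         response: Optional[bytes]) -> bytes:
    """Illustrative composite key: hash each factor, then hash the concatenation.

    This mirrors the idea described in the thread (all factors hashed together),
    NOT the exact derivation used by KeePassX or the PR. Without the token's
    response the result is a different key, so password + key file alone do not
    open the database; an attacker is pushed to attacking the cipher itself.
    """
    parts = [hashlib.sha256(password).digest()]
    if keyfile is not None:
        parts.append(hashlib.sha256(keyfile).digest())
    if response is not None:
        parts.append(hashlib.sha256(response).digest())
    return hashlib.sha256(b"".join(parts)).digest()


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, i.e. what Google Authenticator computes."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_gate(secret: bytes, submitted: str, now: int, step: int = 30) -> bool:
    """Access-control style check: accept the current or previous time step.

    Note what is absent: nothing from this check feeds into any key. A server
    (Google, LastPass, ...) that holds `secret` uses it only to decide whether
    to hand over the already-encrypted payload.
    """
    for t in (now, now - step):
        if hmac.compare_digest(totp(secret, t, step), submitted):
            return True
    return False


def demonstrate() -> dict:
    """Returns the properties the comment argues for, as checkable booleans."""
    response = yubikey_hmac_sha1_response(YUBIKEY_SECRET, CHALLENGE)
    with_token = derive_composite_key(PASSWORD, KEYFILE, response)
    without_token = derive_composite_key(PASSWORD, KEYFILE, None)
    # A guessed password that happens to be right is still useless without the token.
    right_pw_no_token = derive_composite_key(PASSWORD, KEYFILE, None)
    return {
        "key_differs_without_token": with_token != without_token,
        "key_is_deterministic": with_token == derive_composite_key(PASSWORD, KEYFILE, response),
        "password_alone_insufficient": right_pw_no_token != with_token,
        "totp_code_at_t59": totp(TOTP_SECRET, 59),
    }


if __name__ == "__main__":
    for name, value in demonstrate().items():
        print(f"{name}: {value}")
```

The `totp` value for the RFC 6238 seed at T=59 is the published test vector, so the TOTP half can be checked against the standard; the composite-key half is only a model of the approach the comment describes, and a real implementation would additionally run the combined material through the database's slow KDF before use.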
Can you rebase your PR on the KeePassX Reboot code? (On the develop branch, or in a feature/* branch) Thanks :+1:
Honestly, I don't have the time in the near term. The most time consuming part is verifying that all the edge cases (that I can remember) work so that people don't lose their databases due to something silly like corruption since it does manipulate the way the crypto key is derived. Let's revisit it sometime down the road.
I will try to rebase your changes; if I need help I will ask you.
@kylemanna great explanation and that makes perfect sense, thank you!
@TheZ3ro Have you been able to rebase? Can I help?
My bad, I now see that #127 is that rebased version.