Keepassxc: Provide global AutoType shortcut specifically for TOTP

You can set multiple Autotype sequence and trigger Global Autotype 2 times, selecting for the first one the Username/Password one and the second the TOTP code. Like #736

You can use a small delay to wait for the second page to load and type the TOTP too:

Thank you for the suggestion, @weslly, but I'm constantly on very unreliable WiFi connections, so I'd rather not rely on a fixed amount of time!

I have just tried this, and it only works if the pages have different titles. The first 3 websites I tried have the same title for the login and TOTP pages, so KeePassXC just typed the first sequence for both of them! The solution proposed by @TheZ3ro is very suboptimal, unfortunately!

I still think that implementing a different keyboard shortcut for TOTP passwords would give a simpler solution, and would not require the user to setup complex sequences! I'm insisting a bit because I use TOTP a lot throughout the day (I have keys for more than 30 websites).

Or a more general solution - allowing multiple autotype sequences in same
entry per window pattern, and presenting all matching ones in the dialog. I
would prefer this to having a dedicated TOTP hotkey
>
>

I would like to remind you that having your TOTP secret in the same database as your password kind of defeats the whole purpose of 2FA.

OK, I won't insist on this anymore, but then why was TOTP implemented in KeePassXC in the first place?

Because you can have a second database with your TOTP keys.

Ideally, you should keep your TOTP keys stored in a different database and open it at a second tab so you can still use autotype with separate sequences for your TOTP codes:

It really doesn't defeat TOTP. TOTP basically wants to see that you own a device and have access to that device. Presumably your keepassx database is on a device you own, so it effectively proves that you are accessing a website from one of YOUR devices. I'm perfectly happy using TOTP in the same DB as the one my passwords are in.

@djhaskin987 With password managers the 2FA field changes a little.
You often have the following 2 factor:

• A password you remember
• A device you own

With a password manager you store both of the above factors in a single database, locked with a single masterkey.

If someone gain access to your database file and successfully decrypts it, he will have both your password and your TOTP token. Effectively it's a "1 factor" system (as 1 point of failure)

Spreading the TOTP key and the password over 2 different databases with different masterkeys brings back the 2 factor property you started with.

I would consider it more secure than not having a second factor, since it protects you against external password leaks, which are not under your control. But you are effectively reducing the second factor to something more like 1.5 factor auth.

I ended putting them in a different database, but the initial idea of having a different shortcut for TOTP is still valid for me, because it is just not posible to match windows based on whether the input is a common password or TOTP password. My hacky solution was to run two instances of KeePassXC: one from APT and the other from Snap. Each has a different keyboard shortcut.

And then there is the option of choosing an entry from the AutoType dialog, but I find that to be more time consuming and a bit annoying.

I think a version of this feature has merit, reopening.

it is just not posible to match windows based on whether the input is a common password or TOTP password.

Why do you say that?
With 2.3 we even merged multiple autotype sequence. You can call global autotype, select to autotype either TOTP or login information.
The down side? It only works on entries in the first database. Hopefully in 2.4 we will extend it to every opened database

BTW KeePassXC-Browser supports TOTP explicitly.

With 2.3 we even merged multiple autotype sequence. You can call global autotype, select to autotype either TOTP or login information.
The down side? It only works on entries in the first database. Hopefully in 2.4 we will extend it to every opened database.

Not only it doesn't work in the second database, but this is what I mentioned above as annoying to me, compared to just using a different keyboard shortcut. It may not be for people who use TOTP just occasionally, but I use it a lot.

I don't have a strong opinion about this, though. I can keep using my hack for as long as it works.

@teresaejunior I still don't get why it's annoying.

The problem with this approach is what I have mentioned above, that most websites give you separate pages for the login and TOTP.

You select the password in the first page, the page changes and you select the TOTP in the second page.
Personally, I copy-paste my TOTP code from a secondary db almost everyday for logging in github and amazon.

Providing a specific shortcut for TOTP is just an hacky solution for and edge-case, surely not a top priority.
Extending autotype to multiple database instead is a must.