Is your feature request related to a problem? Please describe.
YubiKey supports challenge-response operations in form of HMAC-SHA1. This implementation has already gained some support in other well-known KeePass forks:
Describe the solution you'd like
ykman, whichever is more feasibleDescribe alternatives you've considered
There are some alternatives described on this page:
Additional context
Previous issues in KeeWeb about YubiKey support:
This would be so neat, currently using keepass2android on Android with yubikey in challenge-response mode (which requires the app ykdroid for the nfc-driver) and keepassxc for desktops for secrets I'm paranoid about, but ofc KeeWeb with challenge-response mode would be ideal!
Just a note, it will work only on desktop without hacks; web/mobile version will be probably limited and not very convenient.
@jivarson what makes you paranoid?
@antelle that makes sense, there are at least one app for android with support for challenge-response :-) @ph00lt0 strong word, point being that for important passwords its good knowing that the second 2nd factor cant be copied after setup like a keyfile can
@jivarson good to know about Android, I'll add it to the manual that I'll write about YubiKey support. On iOS, most of KeePass-compatible apps already have support built-in.
the second 2nd factor cant be copied
Unfortunately it can, to some extent. YubiKey integration in KeePass-like apps is in Challenge-Response mode, which means that it's not a true 2FA, so if you have:
You will be able to generate and save the response for this file. A more advanced technique can be sniffing USB, and again, as ChResp is not a one-time code, you can save and use it to open old files. However good news is that new files saved again will have a different challenge.
Well it certainly is a second factor. But not a time based second factor if that is what you mean.
Indeed, my reply was to the copying part.
Thanks for putting me straight
Just a note, it will work only on desktop without hacks; web/mobile version will be probably limited and not very convenient.
Has using the WebUSB API been investigated to allow use in browser?
YubiKeys are not exposed via WebUSB because of security reasons:
https://www.yubico.com/blog/webusb-and-responsible-disclosure/
https://www.yubico.com/support/security-advisories/ysa-2018-02/
https://pwnaccelerator.github.io/2018/webusb-yubico-disclosure.html
Hello @antelle!
How do you intend to implement this?
I was thinking of doing something similar using Safari App Extensions on macOS. It would break the 100% web design of the project but we would have the benefit of reusing what was already implemented in other native apps. The app extension could be dropped in the future once browsers offer better native support.
In my case, I am more interested in smartphone-base keys (using the secure enclave) over BLE, so I am considering tweaking Krypton to add challenge-response support.
@thefonseca for now I think the web version will not support this feature at all.
Installing an app extension doesn't make a lot of sense, since it will be easier to download a desktop app instead.
If there's a smartphone-based key supporting challenge-response, it would be awesome, but I'm not sure if they exist, I'll try to find something.
Both Keepass2android and keepassium(ios) are supporting the challenge response mode through NFC, so it would be cool if the implementation of Keeweb is compatible with them
It will be compatible, but only the desktop version.
@thefonseca for now I think the web version will not support this feature at all.
Installing an app extension doesn't make a lot of sense, since it will be easier to download a desktop app instead.
Thanks @antelle, this makes sense. "a desktop app" you mentioned includes the KeeWeb electron version too? (I'd like to stick to KeeWeb for now).
Yes, KeeWeb desktop of course.
My use-case is on Chromebook. Sadly I don't think there is any solution for challenge-response mode at the moment (Android apps and Crostini/Linux can't directly access USB devices, either).
The feature is ready to test on desktop, if anyone would like to give it a try, please let me know.
@antelle I have a yubikey and can do some testing.
@gynet which operating system are you using?
@antelle I have win10 & Macos
Good, here's a version for macOS and Windows x64. The macOS version will most likely work, I haven't tested it on Windows yet. Please don't forget to backup your file!
Three's also a wiki page about using YubiKey with KeeWeb: https://github.com/keeweb/keeweb/wiki/YubiKey
Cool, will try it later today @antelle
It also has config encryption, after which the previous version won't be able to read configs, so better to try it as a portable installation: https://github.com/keeweb/keeweb/wiki/Configuration#portable
Here are some results so far:
MacOS:
Windows 10
Some Feedback:
Thanks!
ykman is required only for one-time codes (OATH), OTP should work without ykman installed. When did you see the ykman prompt? The big YubiKey button on the start screen is OATH, the small one below the password field should work without it.I've added a warning about "Input Monitoring" to the app, now it will show the explanation when there's a yubikey but it can't be used.
@antelle Do you mean the Challenge-response does not require ykman?
I did not see any prompt, I just installed it anyway as I read wiki too fast :)
MacOS updates
Test Ran
Test case 2: [x] Passed | Create a DB by Keeweb with Yubikey + key file, decrypt it by KeepassXC.
Issues

I also tested with Keepass2droid. The database created by Keeweb failed on decryption by Keepass2droid + NFC. It shows "Invalid composite key". However, the database created by KeepassXC does not have this issue.
Do you mean the Challenge-response does not require ykman?
Exactly, my first intention was to implement everything with ykman, so it was said in the wiki, however I quickly realized that there are too many limitations. Updated the wiki, thanks!
After I adding the app into "Input Monitoring", all the Yubikey slots are showing up now.
馃憤
show the slot functionality as the KeepassXC
Makes sense, KeePassXC actually does a test challenge for that, I'll add it as well.
The database created by Keeweb failed on decryption by Keepass2droid + NFC.
Can it be opened with KeePassXC? Could you please upload your database if it's a test one?
Here is the testing db file created by KeeWeb. It can be decrypted by both Keeweb and KeepassXC using MacOS, but it can not be decrypted by Keepass2droid.
ybk_test_createdByKeeweb.kdbx.zip
The portable json with abs path does not work either
What I meant, is please tell me the absolute path to KeeWeb and the json config
{
"userDataDir": "/Users/gynet/Desktop/mydir"
}
And where's the json config located?
app path: /Users/gynet/Desktop/KeeWeb.app
json path:
/Users/gynet/Desktop/keeweb-portable.json
Cool, I'll check why it doesn't work.
Thanks for the file! I'll look into this file a bit later today. Could you please tell me:
ykman otp calculate 2 d8a30cffaae97a52134550a3c852ef2a6b19203b96fea4154de5ededd3861f3c2020202020202020202020202020202020202020202020202020202020202020
(replace "2" with "1" if you're using slot 1)
...and the password please
Another question, if you re-save the file, can it be opened with other apps?
@antelle password is 'test'. Re-saved the file with Keeweb, it was able to reopen by KeepassXC
Also, another UX feedback, I saw iTerm do send notification about requesting security permission, would it be better the Keeweb also initialize the same permission request
What about Keepass2droid where it could not be decrypted before?
I'll check how it's done, not sure how to request those.
Tried use Keepass2droid to open the db modified by Keeweb, it still shows "Invalid composite key"
what happens if you re-save the file in KeePassXC, can it be opened there?
just tried, re-save the file in KeePassXC, the Keepass2droid still could not open it. Keeweb works fine with the file modified by KeePassXC
About the portable config: I just tried running KeeWeb from Desktop with these paths:
~/Desktop/KeeWeb.app
~/Desktop/keeweb-portable.json
{ "userDataDir": "kw-data" }
It displayed a question about accessing files in the desktop folder and worked well.
I implemented testing YubiKey slots, however I discovered that:
So, if we compare having a stable API vs displaying "touch (non)required" and hiding non-working slots, I would say, let's show less information but with better quality.
Just checked, if KeeWeb is launched for the first time, it shows this question when trying to access YubiKeys:

I looked into keepass2android, looks like their implementation is compatible with KeePass/KeeChallenge, especially this part, as well as the docs explain. This means you won't be able to use files written by KeeWeb or KeePassXC, as it's also mentioned in the KeePassXC FAQ. I've added a compatibility table to the wiki page as well.
However Strongbox and KeePassium for iOS are compatible.
It seems like Keepass2android supports two mode: 'KeePass's Challenge reponse' and KeePassXC's challenge reponse".
I've tried the database created by KeepassXC, and it works fine on keepass2android.
I also saw Keepass2android Android UI do have two optios, "challenge reponse" and " challenge reponse for KeepassXC"
This was an closed issue on keepass2android's github
Here is also the issue regarding Keepass2android's implementation to be compatiable with KeepassXC .
Interesting, and still, both KeePassXC and KeeWeb write the db in a non-compatible format. I wonder what's the difference there. I guess, I need to somehow run keepass2android to understand what it is 馃
Status update: I didn't manage to install the necessary tooling on macOS, and looks like the project can't be built on mac, or at least there's no official guide how to do that, so tomorrow I'll try to read the code to understand why this can happen, however I won't be able to test it.
Meanwhile, what happens if you change the file format to KDBX4 in KeeWeb, does it become compatible?
@antelle
@antelle for the keepass2droid issue I think it's by design, just found their release note mentioned that kdbx4 is required, but it would be better to document on the "compatibility table" as well.
Keystroke receiving
Yes, YubiKey registers itself as a keyboard and this permission is required to interact with it. Not the best solution, I would say, but that's how it is now.
portable json
Could you please try this build? I've added more logs there, if you launch it from terminal, it should print what's going on around portable configs.
kdbx4
Awesome so it was KDBX3 compatibility, then it's solved, thank you! I've changed the default file format of files created by KeeWeb to KDBX4 and added a note to the wiki page.
@antelle
I tried this build, but I don't see anything related
Command I used:
open -a KeeWeb.app --args --devtools

The logs should be in Terminal, you need to start it not with open, but as an executable: KeeWeb.app/Contents/MacOS/KeeWeb
Hi @antelle ,
If I launch the build from a terminal, things look good now. It starts using the new profile I defined in the json file. However, when it requests permission using the popup window, it shows the app requesting is iTerm.app instead of the Keeweb, I had to manually add the path of the app. I am guessing the MacOS treat the requesting app as iTerm, so it became working, so I think that may be related to the issue we saw.
I guess for some reason, the MacOS will still treat the new version of Keeweb.app as the previous one installed? I wonder is there any identifier that needs to be updated to indicate the app version? Because I previously had an issue with Keeweb upgrading scenario, and the auto-type stopped work, and I had to manually clean up the existing "Security & Privacy" settings regarding KeeWeb in macOS, then it would work
Is portable: true
Portable config path: /Users/gynet/Desktop/keeweb-portable.json
Portable config path exists
Portable user data dir: /Users/gynet/Desktop/mydir
I did reset, and everything works now
tccutil reset All
I think it checks by bundle id, and I really hope that also certificate, but maybe not, I鈥檒l check. So you don鈥檛 need to update it for the new version.
It will show terminal in this case yes, otherwise it would be easy to bypass.
Ok cool that it works now!
Uploaded a new build here: https://github.com/keeweb/keeweb-ci-sandbox
This is probably what will be there in the release, at least for me everything seems to be working.
Most helpful comment
YubiKeys are not exposed via WebUSB because of security reasons:
https://www.yubico.com/blog/webusb-and-responsible-disclosure/
https://www.yubico.com/support/security-advisories/ysa-2018-02/
https://pwnaccelerator.github.io/2018/webusb-yubico-disclosure.html