Macpass: Support YubiKey OTP

Created on 26 Sep 2013  路  51Comments  路  Source: MacPass/MacPass

Would it be possible to implement the YubiKey OTP functionality so YubiKeys kan be used in combination with MacPass? Maybe this can help? https://github.com/Yubico/yubico-c-client

Enhancement Plugin

Most helpful comment

KeePass is about to introduce a new format (KDBX 4) this has lead me to revisit KeePassKit and modularize it more. With this in mind I should be able to extend the plugin system further for this feature. That doesn't mean implementing it but it's a step 馃槈.

All 51 comments

I take a look into it. There seems to be a OTP plugin for KeePass so this feature might actually be relevant. For now not on the high-prio list.

YubiKey OTP Support would be great!

Thanks for your fantastic work on MacPass! I was looking for a long time for a usefull KeePass client on Mac and finally I've found MacPass :-)

I Discovered MacPass 2 weeks ago and I am relieved I did! Definitely the best way to use a keepass DB on a MAC! Thanks!
On topic: Using Yubikey OTP would be great, but I'd feel better with 2 Factor Authentication, like described in this article: http://www.kahusecurity.com/2014/securing-keepass-with-a-second-factor/
that uses OtpKeyProv and KeeChallenge... Anyway, that would be a great addition!

+1

I'd love to have this fonction too!

Your app is great by the way!! :)

+1 for OATH HOTP standard (RFC 4226)

This would be great functionality to have, though I understand the timing may be premature. The quality of your app is great, I forget it's pre-release.

+1 for OATH HOTP standard (RFC 4226)

another +1

+1 for OATH HOTP, without it I can't use KeePass (and thus MacPass) on OSX

+1

Hi, with the recent breach of LastPass support for a Yubikey OTP for Macpass is becoming even more important.

Can you please consider adding this?
The pluggin is Open Source, your work is Open Source. If anyone have any Mac Coding skills, please help us! :)

+1

+1

+1

+1

I've cloned the repo to incorporate @kylemanna HMAC-SHA1 Challenge & Response pull request for keepassx. Updating KeePassKit is probably doable but I don't know the first thing about Cocoa UI.

@mstarke Thanks for all your hard work!

@KFDCompiled nice of you to start on this. But just a warning: I've already moved on with KeePassKit (current master is ahead of the one used in MacPass, as you'll probably already have found out) to be able to create it as a Framework and to implement undo/redo with history support. I'm on a good path but it will take a bit more time as I've got limited free time atm. Another thing is, that I wanted to start adding a plugin interface to decouple the features from KeePassKit and MacPass. Should we try to use your approach to flesh out a plugin interface? As I understand it you need UI and KeePassKit extensions so there needs to be two sets of plugins - for KeePassKit and for MacPass.

@mstarke I agree that converting KeePassKit into a xcode framework is a robust solution. Based on Issue #350 and Apple's Guide, do you think the putative KeePassKit.framework should handle plug-in arch?

Should we try to use your approach to flesh out a plugin interface?

@mstarke yes, I think the existing codebase鈥攆rom KeeChallenge, @kylemanna's fork of keepassx, and yubico-c鈥攇ive enough to assemble a prototype plugin.

@KFDCompiled i think there should be plugins both for MacPass as well as for KeePassKit, as there needs to be support on the data side but also on the GUI front end. That arises the problem of dependencies on plugins. e.g if we need additional inputs on the password screen that's a MacPass plugin but the KeePassKit has to handle the data provided by the additional inputs. Maybe I should just scrap the separation of KeePassKit and integrate it into MacPass but that removes the possibility for others to use the framework just to be able to parse stuff.

@mstarke moved the conversation to Issue #350

Now that the plugin architecture is initiated can someone outline what it would take to make a yubikey plugin for macpass ?

It's not that easy as MacPass might need more support for UI extensions. The Plugin system currently is "just load code and show some settings" more support is needed but that requires more details on the requirement for specific plugins

+1

+1 for this feature.

+1 for OATH HOTP standard (RFC 4226) support. It's simply a must have feature today.
P. S.: I can't help with implementation but I can with localization.

Also looking forward to this. Eventhough there is MacPassHTTP, the yuibkey support of keypass is the reason i consider migrating away from 1password ( beside *pass also supports basic auth, application auth and much more, due to autotype )

@mstarke I am willing to offer a yubikey if it helps speed up implementation :)

It's generous of you to offer a key but the lack of hardware isn't an issue. It's lack of time. I'm more than happy to merge pull requests but for now I'm still struggling getting to implement all the basic features e.g. history or synchronization.

This conversation makes me wish that I had a OS X programmer in house, or even that I was one myself, as I'd be happy to donate some of our time to helping with this request. Unfortunately, all of our developers are .NET programmers or web devs, even though some are using Macs themselves. :( Once implemented, this certainly will make MacPass a viable option for our business, which requires MFA for secure databases like password managers.

Keep up the good work :+1:

KeePass is about to introduce a new format (KDBX 4) this has lead me to revisit KeePassKit and modularize it more. With this in mind I should be able to extend the plugin system further for this feature. That doesn't mean implementing it but it's a step 馃槈.

+1

@mstarke any progress on this already? Thank you!

Btw, on a related topic, the keepassx project has been forked and integration of Yubikey support is progressing @ https://github.com/keepassxreboot/keepassxc/pull/127 for those interested.

+1 for TOTP standard (RFC 6238) support. Lack of TOTP is the only obstacle preventing me from fully switching to MacPass.

TOTP authentication is far more secure than the alternative state controlled telephone 2fa method. It's supported by many online services, such as Google, Facebook, Microsoft, Apple, GitHub, Dropbox, etc. And it's widely used by high-profile people to fight against hackers.

With MacPassHTTP and TOTP, MacPass will be definitely the best password manager.

+1 for TOTP support

@mstarke, should we stop hoping?

Never give up hope! This issue seems to be misleading. The last comments are about (T/HMAC)OTP support fore entries, the actual issue is about using YubiKey as a means of locking the database. HMAC/TOTP support is nearly done but I haven't had any spare time over the holidays to finish this. Yubikey support is still far out since modularised key provider are possible but not really worked out in KeePassKit

And I stated this on other TOPT related topics as well. You should not store TOTP/HMACOTP keys as well as other credentials in the same database as this defeats the whole purpose of two factor authentication.

News? :)

+1 for TOTP support

+1 for TOTP support

+2 ;)

Any update? Need Yubikey support.

Any update??? I could really use this.

+1

+1

+1

Yubikey support in MacPass would be awesome!

+1 - I've tried all other variations of keypass on the Mac and this app is by far the best. Adding Yubikey support will just be awesome.

I am also using MacPass, and I would like to have this feature. I think that I would be able to add this feature, but I don't have hardware. Will wait for my Yubico (lost my last two), and when I get it, then I will start implementing it.

+1

Guys, lets fund this issue with Gitcoin

Was this page helpful?
0 / 5 - 0 ratings

Related issues

martinl picture martinl  路  6Comments

aliok picture aliok  路  7Comments

Lapin picture Lapin  路  5Comments

markushausammann picture markushausammann  路  3Comments

Winter84 picture Winter84  路  6Comments