View on GitHub

keepass2android

Password manager app for Android

TOTP in brief

TOTP stands for Time-based One-Time Password algorithm which is one of the most common way proposed by websites to do a two-factor authentication (2FA).

On these websites, this option will often be mentioned in the 2FA configuration menu as things like “use code generated by an application”, “use [Google] Authenticator app”.

You’re prompted to scan a QR code with the app, which essentially contains a code called “seed”, usually with a form like “AZER TYUI OPQS DFGH JKLM”, used to generate TOTPs. The seed can be also directly copied if there is no scanning option on the app.

Most common apps:

Google Authenticator
Authy
Microsoft Authenticator
FreeOTP
LastPass Authenticator

TOTP in KeePass and benefits

In KeePass (by Dominik Reichl) there is are several ways to enable this Authenticator app ability:

built-in TOTP support: https://keepass.info/help/base/placeholders.html#otp
KeePassOTP plugin
KeeOtp plugin
KeeTrayTOTP plugin (note the name “TrayTOTP” on this one for later)

KeePassXC also supports TOTP: https://keepassxc.org/docs/KeePassXC_UserGuide#_adding_totp_to_an_entry

The greatest benefits are:

the seed stays available contrary to the above apps (for which it’s more or less hard to backup/restore/switch with another app)
TOTPs are available wherever the KeePass database is available. But conceptually it’s not really 2FA anymore (all things are stored in the same place).

The different implementations use different ways of storing the TOTP seed (or secret, or key) and optional settings (e.g. the length of the TOTP to generate) within an entry inside the kdbx database. Keepass2Android attempts to be able to read the different formats, but can only write one:

TOTP in Keepass2Android

If you use any of the tools mentioned above, you can set up TOTP entries with them. Keepass2Android can read those entries and generate TOTPs if any of the following styles are used:

Keepass2 style: used when there are TimeOtp-Secret(-XXX) fields in the entry
KeeOtpPlugin style: used when there is an otp field containing a query string in the form of key=abc&step=X&size=Y (step and size are optional)
KeeWebOtp/Key Uri Format style: used when entry contains a URL starting with otpauth://totp/, e.g. otpauth://totp/?secret=abc (https://github.com/google/google-authenticator/wiki/Key-Uri-Format)
KeeTrayTotp style:
- requires a non-empty seed field (default key is “TOTP seed”, can be changed in KP2A settings), value is base32 encoded data
- requires a non-empty settings field (default key is “TOTP Settings”, can be changed as well), value is expected to be a csv-separated array with [Duration];Length(;TimeCorrectionURL). Length is either an integer value or “S” to indicate Steam encoding

In order to view the generated TOTP code in KP2A, open the corresponding entry. You can then

use a dynamically generated field called “TOTP” containing the TOTP or
use the “Copy TOTP” button on the system notification for the selected entry or
switch to the KP2A keyboard and use the TOTP button to insert the TOTP value into the target app or browser

If you want to configure an entry to contain the TOTP fields, it is suggested to enter edit mode for the entry. Then click the “Configure TOTP” button. You can either enter the data manually or scan a QR code with the information.

Spaces in otp field

Make sure that the URI doesn’t contain spaces, otherwise KeePass2Android will fail to generate TOTPs as a space is an invalid character. If your URIs have spaces, check this comment._