KeePassium
Supporting HOTP
In addition to the current TOTP support, consider adding HOTP support as well. A count is needed in HOTP, so maybe each time a passcode is generated, the database needs to be written. This may be an unwanted side effect compared to TOTP. But some services do use HOTP, so it is unavoidable (to some of us.)
c.f.
- https://github.com/keepassium/KeePassium/issues/29
- https://github.com/keepassium/KeePassium/blob/d2a4d6536453fd514c1011ae5e284b036296832c/KeePassiumLib/KeePassiumLib/db/totp/TOTPGeneratorFactory.swift#L211-L217
Thank you for the suggestion!
Do you know any implementations besides KeePass' own {HMACOTP} placeholder? It seems KeePassXC does not support HOTP yet. I'd rather adopt something existing than invent a new format :)
I don't know. KeePassXC has an issue on this too: https://github.com/keepassxreboot/keepassxc/issues/4371
Unfortunately HOTP is rarely used so demand is not a lot (hence the lack of implementations in the wild.) But for the few services where it is used, it becomes a huge pain to deal with.
And an additional side effect here is that probably the database has to be written every time a new HOTP passcode is generated to keep the counter, and that seems a bit intrusive (e.g. the end user may think they didn't change anything in the database, so on quit they discard any changes, which results in a wrong passcode next time.) It could also result in an unwanted save where they are editing something else and were getting a HOTP meanwhile.
Updating the counter and saving the DB might be slightly inconvenient in terms of usability, but not a major risk. On a mobile device, there is always a risk the user would be distracted or the app would be terminated. So KeePassium writes the database as soon as the user confirms modification — be it a "Done" button in the entry editor, or a "Yes, delete" in a delete confirmation.
I imagine generation of the HOTP would look like a button "Generate HOTP and increase the counter" (or something more concise :) that would first save the updated DB and then show the HOTP. Perhaps with a couple of codes for previous counter values, just in case.
But yes, HOTP is not a frequently requested feature, so I'm afraid it might spend quite some time in the queue...
Thanks for the explanation, that makes sense. I was speaking more from a desktop user point of view (mobile is usually read-only for me...)
No worries. It is not popular after all (and among those I use there's only one that uses HOTP, and it is actually quite hard to get the secret from. So a casual user wouldn't even need to import that in KeePassium.)
> Do you know any implementations besides KeePass' own {HMACOTP} placeholder? It seems KeePassXC does not support HOTP yet. I'd rather adopt something existing than invent a new format :)
@MacPass does support HmacOTP and uses the default KeePass system for storing the settings as custom fields. There is no special sauce since it’s more or less the underlying technology for TOTPs.
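
The save-first flow suggested in the thread ("first save the updated DB and then show the HOTP", plus a couple of codes for previous counter values) and the remark that HOTP is the technology underlying TOTP, as an added Python example; it is not code from KeePassium, KeePass or MacPass. The `entry` dict and `save` callback are hypothetical stand-ins for a database entry and the write operation, and the sample secret is the RFC 4226 test key.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of last byte
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238) is HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step, digits)


def generate_and_advance(entry: dict, save, previous: int = 2):
    """Advance the stored counter, persist it, and only then reveal the code.

    entry["counter"] holds the next unused counter value (an assumption of
    this example). If save() raises, the in-memory counter is rolled back
    and no code is returned, so a code is never shown unless the counter
    advance reached storage.
    """
    used = entry["counter"]
    entry["counter"] = used + 1
    try:
        save(entry)  # hypothetical "write database" operation
    except Exception:
        entry["counter"] = used
        raise
    code = hotp(entry["secret"], used)
    # Codes for earlier counter values, "just in case" the server lags behind.
    start = max(0, used - previous)
    older = [hotp(entry["secret"], c) for c in range(start, used)]
    return code, older


if __name__ == "__main__":
    # Constructed sample entry using the RFC 4226 test secret.
    sample = {"secret": b"12345678901234567890", "counter": 2}
    print(generate_and_advance(sample, save=lambda e: None), sample["counter"])
```
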