Add Yubikey Challenge-Request as 2FA #26

Closed
TheZ3ro opened this issue Oct 4, 2016 · 12 comments · Fixed by #127

TheZ3ro (Contributor) commented Oct 4, 2016

All the details are in this PR: keepassx/keepassx#52
Maybe @kylemanna can help.

droidmonkey (Member) commented Oct 6, 2016

Is YubiKey popular with KeePass users? I would much rather add something like Google Authenticator 2FA.

Perhaps this can be modularized such that multiple 2FA services can be incorporated into the interface.

TheZ3ro (Contributor, Author) commented Oct 6, 2016

YubiKey also works as OTP (TOTP, like Google Authenticator).
It would be nice to be able to select between 2FA methods (OTP or Challenge-Response) to support both.

stmllr (Contributor) commented Oct 6, 2016

YubiKey supports challenge/response, so 2FA would even work offline, as opposed to Google Authenticator.

TheZ3ro (Contributor, Author) commented Oct 6, 2016

Google Authenticator also works offline because it's time-based OTP (after the first sync online).
Here is a guide to implementing TOTP with Google Authenticator (maybe it can help), but this will take some time to develop.
I'm a Challenge-Response fan.

kylemanna (Contributor) commented

re: @TheZ3ro @stmllr

The YubiKey challenge-response works completely offline. Google Authenticator and all TOTP mechanisms don't make any sense here, as they don't enhance the crypto key. They are usually used by a remote "trusted" third party (e.g. Google, LastPass, etc.) to control access to the actual encrypted payload.

My implementation of the YubiKey challenge-response optionally adds strength to standalone key files and static passwords by hashing all the combinations together to generate a stronger key. This process occurs completely offline with just the YubiKey, supporting host libraries and KeePassX with this pull request.

kylemanna (Contributor) commented

To restate this:

TOTP controls access to the encrypted payload in the case of services like lastpass.

Challenge-Response makes the encrypted payload key stronger. If done right, challenge-response would force someone to attack the crypto cipher instead of brute-forcing or guessing passwords, which in standalone implementations are the basis for the key.
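The key-strengthening idea from the two comments above, as an added example that is not code from this issue or from KeePassX/KeePassXC: a software stand-in for a YubiKey HMAC-SHA1 slot (the real secret never leaves the token) and a composite key that hashes password, optional key file and the challenge-response result together. The slot secret, seed and the exact hashing layout are constructed for illustration; the real KDBX composite-key layout differs in detail.

```python
import hashlib
import hmac
from typing import Optional

# Constructed 20-byte HMAC-SHA1 slot secret standing in for a programmed slot.
DEMO_SLOT_SECRET = bytes(range(1, 21))


class SimulatedYubiKey:
    """Software stand-in for a YubiKey HMAC-SHA1 challenge-response slot.

    A real token computes HMAC-SHA1 over the challenge with a secret that never
    leaves the device; here it lives in memory only so the derivation runs offline.
    """

    def __init__(self, slot_secret: bytes) -> None:
        if len(slot_secret) != 20:
            raise ValueError("HMAC-SHA1 slot secret must be exactly 20 bytes")
        self._secret = slot_secret

    def challenge_response(self, challenge: bytes) -> bytes:
        # The YubiKey HMAC-SHA1 slot accepts challenges of up to 64 bytes.
        if not 1 <= len(challenge) <= 64:
            raise ValueError("challenge must be 1..64 bytes")
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def composite_key(password: str, key_file: Optional[bytes],
                  token: Optional[SimulatedYubiKey], challenge: bytes) -> bytes:
    """Hash every available factor into one 32-byte key.

    Each factor is hashed on its own and the concatenation is hashed again, so
    a correctly guessed password alone still leaves 20 bytes of token secret
    unknown. (Illustrative construction, not the KDBX on-disk layout.)
    """
    parts = [hashlib.sha256(password.encode("utf-8")).digest()]
    if key_file is not None:
        parts.append(hashlib.sha256(key_file).digest())
    if token is not None:
        # The challenge must be stored with the database (e.g. a per-database
        # seed) so the same response can be reproduced at every unlock.
        parts.append(hashlib.sha256(token.challenge_response(challenge)).digest())
    return hashlib.sha256(b"".join(parts)).digest()


if __name__ == "__main__":
    seed = b"constructed-per-database-challenge-seed"
    token = SimulatedYubiKey(DEMO_SLOT_SECRET)
    print(composite_key("correct horse", None, token, seed).hex())
```

Unlocking with the same password but without the token (or with a token holding a different slot secret) yields a different key, which is the property that forces an attacker onto the cipher rather than the password.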

TheZ3ro (Contributor, Author) commented Oct 7, 2016

Can you rebase your PR on the KeePassX Reboot code? (On the develop branch, or in a feature/* branch) Thanks 👍

kylemanna (Contributor) commented

Honestly, I don't have the time in the near term. The most time consuming part is verifying that all the edge cases (that I can remember) work so that people don't lose their databases due to something silly like corruption since it does manipulate the way the crypto key is derived. Let's revisit it sometime down the road.

TheZ3ro (Contributor, Author) commented Oct 7, 2016

I will try to rebase your changes; if I need help I will ask you 😅

droidmonkey (Member) commented

@kylemanna great explanation and that makes perfect sense, thank you!

Thynix commented Jan 1, 2017

@TheZ3ro Have you been able to rebase? Can I help?

Thynix commented Jan 1, 2017

My bad, I now see that #127 is that rebased version.
