
Does using OTP mean using two factor authentication?

Rookiestyle edited this page Jun 11, 2020 · 1 revision

tl;dr: If you aim for real two factor authentication you have to store the two factors on different devices at all times or, at least, store the two factors in two different, independently secured ways.

KeePassOTP aims for a more secure way of storing OTP secrets: by default these secrets are stored in a separate database which is embedded in the database containing your account data.

OTP is used for two factor authentication.
The added value of a second factor for authentication is to protect you in those cases where your password (the first factor) is compromised or fails for other reasons. If you store both factors in the same database you are essentially using one factor authentication, and this one factor is your database's master key. It will protect against shoulder-surfers and, to some extent, against keyloggers. It will not protect against anything else. In this case you're not using two factor authentication but two step authentication: consider the OTP secret a second password.

Regarding keyloggers:
A keylogger might log your database master key, your account password and the OTP you entered. Without access to the database that's not sufficient to steal your account: the logged OTP is only valid for its short time step (30 seconds in a typical TOTP setup) and the server should not accept the same code a second time. So why do I write "to some extent"?

  1. Your password is known to the keylogger, which leaves the OTP as the only remaining factor
  2. If a keylogger is running on your device it's not your device anymore, and you have to assume your database is in the possession of whoever runs the keylogger as well

You're using two factor authentication only if you store the OTP secret on a device you never use for login.

Example:

  • Use KeePass on your laptop for storing username and password of your mail account
  • Use this very laptop for logging in to the mail account
  • Use an OTP app like Google Authenticator on your smartphone to generate the OTPs for your mail account and type them in on your laptop

Congratulations, you're using 2FA!

If you install a KeePass port like KeePass2Android on your smartphone to check your mails while on the road, this brings you back to one factor authentication.

I'm not saying this is bad (it is still better than using a password only) and I'm definitely not saying KeePass2Android is bad or insecure.
It does not reduce security compared to using passwords only.
One just needs to know that doing it this way contributes less than one might initially assume.