Yubico Forum


All times are UTC + 1 hour

PostPosted: Tue Aug 27, 2013 10:31 am 

Joined: Tue Aug 27, 2013 10:15 am
Posts: 2
Hi. I've been playing with using my Yubikeys with KeePass and OTP, instead of static password. I got it working with my first key, but when I copied the secret key to my second Yubikey, I wasn't able to use this to log in to the KeePass database. Is this a known limitation of the implementation?

We use KeePass for a small group of people in work, and I would like to be able to secure access to it with Yubikey OTP, instead of static passwords.

Thanks.

PostPosted: Thu Aug 29, 2013 1:51 am 

Joined: Wed May 09, 2012 9:35 pm
Posts: 45
Yes, it's not possible to make it work with two or more Yubikeys even if they have the same SECRET because the COUNTER that increments every time you generate an OTP will be different between each other.

Basically, the OTPs you generate using the OTHER keys will be generating OTPs that were ALREADY generated by the first key...

Example:
1- Configuring both keys
KEY1:
SECRET: 7c ed f7 e3 38 d0 01 af 9e 2a fd 51 6a 3d 63 f0 e5 95 3e 0f
COUNTER: 0
KEY2:
SECRET: 7c ed f7 e3 38 d0 01 af 9e 2a fd 51 6a 3d 63 f0 e5 95 3e 0f
COUNTER: 0
2- Open KeePass using 3 OTP from KEY1
a) 809933
b) 993647
c) 153405
//Now the counter of KEY1 is 3
3- Open KeePass using 3 OTP from KEY2
KeePass expects these OTP:
a) 473053
b) 657885
c) 478723
But because you use KEY2 that has its counter still at 0, you get these OTPs again...
a) 809933
b) 993647
c) 153405
Will it open the database? Only if you set KeeOTP with forward looking count to 3 or more. But as you use the KEY 1 more and more without using KEY2, you will lose access... and increasing the forward looking count becomes unsafe quickly.

Hope it helps!

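The counter desynchronisation Morphlin walks through above, and the "burn presses to catch up" idea raised later in the thread, can be replayed in a few lines. The script below is an added example, not code from the original post, from KeeOTP or from Yubico: it assumes the six-digit codes in the thread come from a YubiKey slot in OATH-HOTP mode (RFC 4226), reuses the secret quoted in the post, and models the database side as a verifier that only ever tries counters at or ahead of the one it expects. The codes it computes are real HOTP values for that secret but are not claimed to equal the codes quoted in the post.

```python
import hashlib
import hmac
import struct

# Secret quoted in the post above (20 bytes, hex). The codes this script prints are
# RFC 4226 HOTP values for that secret; they are not claimed to match the six-digit
# codes quoted in the post, which came from the poster's own setup.
SECRET = bytes.fromhex("7cedf7e338d001af9e2afd516a3d63f0e5953e0f")


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Token:
    """One YubiKey slot in OATH-HOTP mode: the shared secret plus its own moving counter."""

    def __init__(self, name: str, secret: bytes) -> None:
        self.name, self.secret, self.counter = name, secret, 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1  # the counter only ever moves forward, on every press
        return code


class Verifier:
    """Database-side state: the secret, the next counter it expects, and a look-ahead window."""

    def __init__(self, secret: bytes, look_ahead: int = 1) -> None:
        self.secret, self.expected, self.look_ahead = secret, 0, look_ahead

    def verify(self, code: str):
        """Return the counter the code matched, or None. Counters below `expected` are never
        tried: a code from an earlier counter is indistinguishable from a replay."""
        for c in range(self.expected, self.expected + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.expected = c + 1  # resynchronise forward only
                return c
        return None


def two_keys_one_secret(look_ahead: int = 1) -> dict:
    """Replays the thread's scenario: KEY1 and KEY2 share a secret but not a counter."""
    key1, key2 = Token("KEY1", SECRET), Token("KEY2", SECRET)
    db = Verifier(SECRET, look_ahead)
    results = {}
    # Step 2 of the post: three presses of KEY1 open the database, advancing it to counter 3.
    results["key1_first_three"] = [db.verify(key1.press()) for _ in range(3)]
    # Step 3: KEY2 is still at counter 0, so its code was already consumed -> rejected,
    # and no look-ahead window helps, because the window only looks forward.
    results["key2_at_zero"] = db.verify(key2.press())
    # The catch-up idea from later in the thread: burn KEY2 presses (into a text editor,
    # never into the database) until its counter reaches the verifier's expectation.
    while key2.counter < db.expected:
        key2.press()
    results["key2_after_catchup"] = db.verify(key2.press())
    # Now KEY1 is the one that has fallen behind, so the problem moves to the other key.
    results["key1_now_behind"] = db.verify(key1.press())
    return results


def token_ahead(skipped_presses: int, look_ahead: int):
    """The case the look-ahead window is for: one token pressed a few times without the
    verifier seeing the codes. Returns the matched counter, or None if outside the window."""
    key, db = Token("KEY1", SECRET), Verifier(SECRET, look_ahead)
    for _ in range(skipped_presses):
        key.press()
    return db.verify(key.press())


if __name__ == "__main__":
    print(two_keys_one_secret(look_ahead=1))
    print("token 2 ahead, window 3:", token_ahead(2, 3))
    print("token 2 ahead, window 1:", token_ahead(2, 1))
```

The look-ahead window only covers a token that is ahead of the verifier (presses the database never saw); a second token that is behind is rejected whatever the window size, and once it has been advanced past the verifier the first token is the one left behind. That is why a larger forward-looking count buys nothing for the two-key case while widening the set of codes an attacker who captured one OTP could try.
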
PostPosted: Thu Aug 29, 2013 10:38 am 

Joined: Tue Aug 27, 2013 10:15 am
Posts: 2
Many thanks Morphlin, makes perfect sense.

Do you know if the PasswordSafe implementation, with Challenge/Response, has the same limitation? Or if there are any other, non-web based systems, which can support multiple yubikeys?

Thanks.

PostPosted: Thu Aug 29, 2013 6:43 pm 

Joined: Wed May 09, 2012 9:35 pm
Posts: 45
It doesn't have the limitation and works perfectly with as many keys as you want, as long as they are all programmed with the same secret.

I did not go with PasswordSafe for these reasons:
1- The interface is not pretty enough for me.
2- Not enough awesome features.
3- Doesn't have awesome plugins.
4- Updates are not released fast enough for a security software.
5- I use Challenge-response with the PRESS BUTTON option enabled and because PasswordSafe asks for a challenge twice (one to lock, and one to unlock) I thought it was kind of annoying, even though there is no other way for a non-web based program to use Challenge-Response to secure something locally...
6- I've had many communications with the KeePass developer and he's just great, he made many adjustments to KeePass for me to be able to develop plugins that fitted some of my pickiest needs and also for some plugins I made for the community.

I'm slowly working on a plugin to get KeePass to work with Challenge-Response, but it will have the same behavior as PasswordSafe asking for challenge to lock and to unlock. Although this is irrelevant to people that programmed their key without enabling the option, these people must keep in mind that a compromised computer could theoretically have a virus that could ask the key to compute challenge-response without the approval of the user...

PostPosted: Thu Oct 10, 2013 11:01 pm 

Joined: Thu Mar 15, 2012 6:03 pm
Posts: 32
Please let us know when you have the plugin ready :)

Then, someone just needs to implement the same support for an Android version..

PostPosted: Tue Oct 29, 2013 2:49 pm 

Joined: Wed Oct 16, 2013 1:22 pm
Posts: 1
I'm wondering if it would be possible to create a second "dummy" db with the same secret and then use it just for incrementing the password.

My idea is to have the primary yubikey that I carry with me for daily use. Then I have a backup one attached to a USB keychain that contains the dummy database. If I were to lose/misplace my first yubikey I could increment the passwords on the backup key using the dummy database until it worked with my KeePass database.

Anyone tried something like this?

PostPosted: Thu Jan 16, 2014 11:21 pm 

Joined: Thu Jan 16, 2014 11:08 pm
Posts: 2
KeePass is the primary reason that I bought a Yubikey to evaluate. I appreciate the work going towards a KeePass plugin for Challenge-Response.

To the original poster: the Yubikey outputs the OTP based on its count and the secret key. It does not matter where the keyboard output is directed. This means that you do not need a dummy KeePass database to increment a second Yubikey. I think that protecting the secret key in a different format would be easier (in a locked safe). But with your idea of a duplicate Yubikey, you could open the .otp.xml file associated with your KeePass database and see what the counter setting is at and dump that many OTPs into notepad and then use it to unlock your original KeePass database. Of course this would be a painful process depending on how large the counter number is.

PostPosted: Fri Jan 17, 2014 9:13 am 
Site Admin

Joined: Wed Nov 14, 2012 2:59 pm
Posts: 666
Probably a great plugin would use the challenge response feature, which then should be given in input to the PBKDF2 key derivation functions in combination with the user's pass-phrase.

The Yubico OTP could be validated against the YubiCloud, but a solution using both would be less user friendly. Moreover if you have both credentials on the same devices this would still reduce it to a 2-TFA solution unless you store the Yubico OTP on a different key.

Two different Yubikeys to open one pwd db, is it really necessary? An overkill for the majority...

If I missed any plugin you guys published, please let me know and I will have it stickied, tweeted and facebooked by our marketing team.

_________________
-Tom

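Morphlin's earlier reply (challenge-response works with any number of keys programmed with the same secret) and Tom's suggestion above (feed the response into PBKDF2 together with the passphrase) describe one design, shown here as an added example. This is not KeePass's, PasswordSafe's or any plugin's code: it models the HMAC-SHA1 challenge-response slot as plain HMAC-SHA1 over a challenge, reuses the slot secret quoted earlier in the thread, and invents a minimal database header (challenge, salt, key-check value) so that the unlock decision can be checked. The passphrase and the second slot secret are constructed values.

```python
import hashlib
import hmac
import os

# Constructed sample values: the first slot secret is the one quoted earlier in the
# thread; the second represents a YubiKey programmed with a different secret.
SLOT_SECRET = bytes.fromhex("7cedf7e338d001af9e2afd516a3d63f0e5953e0f")
BACKUP_KEY_SECRET = SLOT_SECRET  # a second physical YubiKey, same slot secret
OTHER_SECRET = bytes.fromhex("0f3e95e5f0633d6a51fd2a9eaf01d038e3f7ed7c")


def yubikey_hmac_sha1_response(slot_secret: bytes, challenge: bytes) -> bytes:
    """Models what a YubiKey HMAC-SHA1 challenge-response slot computes. On the real
    device the secret never leaves the key, and with the button option enabled a touch
    is required for every response, which is Morphlin's point about malware on a
    compromised host asking the key silently."""
    return hmac.new(slot_secret, challenge, hashlib.sha1).digest()


class Database:
    """Minimal header for a file protected by passphrase plus challenge-response.
    Only the challenge, the PBKDF2 salt and a key-check value are stored; the response
    and the derived key are recomputed at every unlock and never written to disk."""

    ITERATIONS = 200_000

    def __init__(self, passphrase: str, slot_secret: bytes) -> None:
        self.challenge = os.urandom(32)  # fixed for the life of this database
        self.salt = os.urandom(16)
        key = self._derive(passphrase, yubikey_hmac_sha1_response(slot_secret, self.challenge))
        self.key_check = hmac.new(key, b"key-check", hashlib.sha256).digest()

    def _derive(self, passphrase: str, response: bytes) -> bytes:
        # Passphrase and response are length-prefixed before concatenation so that no
        # two (passphrase, response) pairs can produce the same PBKDF2 input.
        pw = passphrase.encode("utf-8")
        material = len(pw).to_bytes(2, "big") + pw + len(response).to_bytes(2, "big") + response
        return hashlib.pbkdf2_hmac("sha256", material, self.salt, self.ITERATIONS, dklen=32)

    def unlock(self, passphrase: str, slot_secret: bytes):
        """Return the 32-byte key if passphrase and YubiKey are right, else None.
        The challenge is the same every time, so every YubiKey programmed with the same
        secret answers it identically: that is why a backup key works here, while the
        OTP counter scheme earlier in the thread breaks."""
        response = yubikey_hmac_sha1_response(slot_secret, self.challenge)
        key = self._derive(passphrase, response)
        check = hmac.new(key, b"key-check", hashlib.sha256).digest()
        return key if hmac.compare_digest(check, self.key_check) else None


if __name__ == "__main__":
    db = Database("correct horse battery staple", SLOT_SECRET)
    ok = lambda k: k is not None
    print("primary key:", ok(db.unlock("correct horse battery staple", SLOT_SECRET)))
    print("backup key, same secret:", ok(db.unlock("correct horse battery staple", BACKUP_KEY_SECRET)))
    print("key with a different secret:", ok(db.unlock("correct horse battery staple", OTHER_SECRET)))
    print("wrong passphrase:", ok(db.unlock("wrong", SLOT_SECRET)))
```

Because the challenge is fixed per database, the response is effectively a second, device-held secret that is constant for that file; the passphrase still has to go through PBKDF2 so that someone holding both the file and a key cannot skip the slow step. Anything that needs the response (locking and unlocking) requires a fresh touch when the button option is set, which is the trade-off Morphlin describes.
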