Yubico Forum

Hi all,

there is something I do not understand regarding the usage of OTP (HOTP/TOTP) or U2F along with local password managers. With local I mean the program is running on your local machine and the database-file is also stored on your local machine.
A use-case with KeePass is described here: https://www.yubico.com/why-yubico/for-i ... s/keepass/

As the database-file is stored encrypted on the local machine, the password manager needs to get information about the encryption key from somewhere. The key itself or some information it can derive the key from.
As the authentication through OTP or U2F does not bring in any information about the encryption key, I assume the password manager must store the encryption key also on the local machine. At least as long you do not specify a additional master password, what doesn't seems to be the case in the mentioned KeePass tutorial.
So an attacker would "simply" extract the encryption key from the local password manager program and decrypt the database-file.

Even if you use a master password (from which probably the encryption key will be derived), OTP or U2F would not give you more security. With the master password and the data on the local machine all the information is there to do the encryption. An attacker could modify the password manager program to skip authentication. So, no need for the YubiKey to access the database.

What am I missing?
Thanks in advance to help me understanding OTP or U2F authentication on local password managers.
Hans

If anybody else has the same question, I found the answer in the KeePass Forum
https://sourceforge.net/p/keepass/discu ... 33f7/#af0d

This applies at least for HOTP. I think, using U2F to secure a local password database is no good idea.

The only problem is that using HOTP for crypto means you have a SERIOUS Problem if you desync.
and aside from that that's not how OTP normally works, although it is an intresting kind of system abuse.