KeePass and Multifactor Authentication

One of the frustrations of modern security is the imposition of more onerous user-verification requirements. The benefits of the University introducing Multifactor Authentication (‘MFA’) are well-proven, but it does add a further step that can be inconvenient. In an effort to make life a little bit easier, and following a debate about this area on our IT Discussion mail-list, I share the following advice.

Using a password manager is an essential step in keeping secure. KeePass is an excellent example of the genre and my personal favourite. The latest version has also added a feature that promises to make life that little bit easier: it can act as your MFA authentication app.

I’m assuming that you already have a KeePass entry for your SSO logon, with an auto-type entry set. If not, here’s the auto-type syntax that I use:
{USERNAME}{TAB}{TAB}{TAB}{TAB}{ENTER}{DELAY 1000}{PASSWORD}{ENTER}

The steps to allow KeePass to also handle your MFA are as follows:

1.Visit https://mysignins.microsoft.com/security-info and, yes, log yourself in.

2. Click ‘add sign-in method’:

 

 

 

 

3. Choose ‘Authenticator App’ from the list:

 

 

 

 

 

4. Microsoft will recommend their own Authenticator application, but click instead on ‘I want to use a different authenticator app’:

 

 

 

 

 

5. You’ll need to have KeePass installed and running shortly, but at this stage you can just click ‘Next’:

 

 

 

 

 

6. You’re presented with a QR code, as most apps are mobile-based and can use a phone camera. Ignore the QR code and click ‘can’t scan image’:

 

 

 

 

 

7. The page will create a security key code, with a ‘copy to clipboard’ button next to it. Click on that:

 

 

 

 

 

8. Switch to KeyPass, right-click your entry for your University SSO account, select ‘Edit Entry (Quick)’, then ‘OTP Generator settings’. You’ll get a dialogue box. Paste the security code into the ‘shared secret’ field. No other values need to be changed, so then click ‘OK’:

 

 

 

 

 

 

 

 

9. When prompted for your MFA authentication code, ask KeyPass to copy that to the clipboard for you:

 

 

 

 

 

10.  In the ‘Enter Code’ window, just right-click and ‘Paste’:

 

 

 

 

 

 

 

 

I’m hoping that future revisions of KeePass will make this even easier*, but this is a great step forward and makes a useful app that little bit better still.

 

*I haven’t yet worked out the correct syntax for auto-type to also supply the code. So far this is almost, but not quite, entirely unlike the right answer:
{USERNAME}{TAB}{TAB}{TAB}{TAB}{ENTER}{DELAY 1000}{PASSWORD}{ENTER}{DELAY 1000} {TIMEOTP}{ENTER}

This provides username, password, and the first five digits of the current MFA code, even with 6 specified. That’s a work-in-progress but if you’ve solved it I’d be delighted to hear.

Posted in Uncategorized | Comments Off on KeePass and Multifactor Authentication

Comments are closed.