KeepassXC is listed as a suitable 2FA application, however there seems to be no way for it to generate a security code from a QR code.
https://support.mozilla.org/kb/secure-firefox-account-two-step-authentication lists KeepassXC as the only Win/Linux/MacOS application suitable for 2FA which requires generation of a security code from a provided QR.
However this functionality does not appear to be in the application which is primarliy a password manager, if it is there it is well hidden and not described in any docs I could find.
الحل المُختار
OK thanks for that, it fills in a big gap between the moz://a instructions and KeepassXC. Unfortunately there is no docmentation I could find for KeepassXC so for the benefit of anyone else struggling with it here is the walkthrough that got me going:-
- Create a Keepass entry for Firefox and highlight it in the list
- From the menu bar select [Entries->TOTP->Set up TOTP...]
- Display the QR code in the FF set up web page and copy to the [Secret Key:] field from above.
- Accept defaults and press [OK]
- From the menu bar select [Entries->TOTP->Show TOTP..].
- copy this number into the response field in the FF set up web page
It should now be all set up. To use highlight the entry and select [Entries->TOTP->Show TOTP... ](or copy TOTP... if easier)
The Keepass docs talk about storing the TOPT, but what they mean is not storing the passwords but the secret key and URL to generate them.
Read this answer in context 👍 0All Replies (6)
See the FAQ docs for more information:
Modified
I read the KeepassXC FAQ docs before posting here. I have looked again and still cannot see any explanation so if it is there it is not at all obvious (to me at least).
The only reference to 2FA I can find is in relation to Yubi keys where it says that its not really 2FA.
Did you read all questions that deal with 2FA in the KeypassXC docs ?
But the feature list says KeePassXC supports TOTP. I am confused. We do support generation of timed one-time passwords (TOTP), but do not (and cannot) support it for securing your KeePassXC database. KeePassXC allows you to store TOTP secrets for online services inside a database and generates the corresponding timed one-time passwords for you. For TOTP, see also the question KeePassXC allows me to store my TOTP secrets. Doesn't this alleviate any advantage of two-factor authentication?
Modified
Since there is no section on '2FA' in the docs I searched for '2FA' and also scanned every FAQ answer. I saw the reference to supporting TOTP (which acroynm is new to me so it didn't strike me as relevant to 2FA) but no indication of how that feature is supposed to be used and therefore how it might fit in the Firefox QR code challenge response scenario. It seemed to be talking about storing TOPT which sounded like a contradiction since I though the point was they are generated on the fly.
Such things might be obvious to those that know, but for someone just trying to make sense in unfamiliar territory, the information and instructions there are seem far to terse and cryptic to be of help.
You seem to be suggesting that the KeepassXC TOTP feature is what needs to be used for Firefox 2FA. If that is so it is far from clear how to make it work and therefore by fumbling around there seems to be the very real risk of getting in the situation where one has enabled 2FA but is unable to use it.
I recognise that clear instructions for KeepassXC are not the responsibility of moz://a. But there needs to be enough to enable someone to get things working without danger of getting themselves in a lockout situation.
TOTP means Time-based One-Time Passwords and that is what is used for 2FA (two factor authentication). The QR code or the otpauth://totp/Firefox:a@mozilla.com link that is in the QR code block is used to generate the 6 digit TOTP code.
الحل المُختار
OK thanks for that, it fills in a big gap between the moz://a instructions and KeepassXC. Unfortunately there is no docmentation I could find for KeepassXC so for the benefit of anyone else struggling with it here is the walkthrough that got me going:-
- Create a Keepass entry for Firefox and highlight it in the list
- From the menu bar select [Entries->TOTP->Set up TOTP...]
- Display the QR code in the FF set up web page and copy to the [Secret Key:] field from above.
- Accept defaults and press [OK]
- From the menu bar select [Entries->TOTP->Show TOTP..].
- copy this number into the response field in the FF set up web page
It should now be all set up. To use highlight the entry and select [Entries->TOTP->Show TOTP... ](or copy TOTP... if easier)
The Keepass docs talk about storing the TOPT, but what they mean is not storing the passwords but the secret key and URL to generate them.