TOTP protection in Database Security (in addition to Password, Key File and YubiKey Challenge-Response)

[reneleonhardt]

I searched issues and discussions, apologies if this already has been proposed.

Database Settings 3. Security / Database Credentials

https://keepassxc.org/docs/KeePassXC_UserGuide#_database_settings

In addition and combinable to the Master Password, Key File and YubiKey Challenge-Response, it would be great if it would be possible to add a new protection method to databases: TOTP codes.

The secret could be randomly generated and maybe stored inside the database file (in a special internal entry), readable after all other protections successfully decrypted the database itself.
Alternatively it could be provided by the user as text (if storing inside the database or as yet another Key File isn't acceptable) upon QR code / otpauth URL creation first, and then when unlocking the database.
[If Touch ID could be easily used to create a secret instead of a user thinking of a new password, that would be nice too.]

Workflows

Setup

1. User adds another protection to the database (randomly generated secret or user provided)
2. QR Code and otpauth URL are shown
3. User confirms by entering a valid TOTP

Unlocking

1. User enters a valid TOTP (in addition to all other required protections)

This would allow more unlock combinations, or maybe even a fallback if the YubiKey has been forgotten at home while traveling.

Details

• 20 bytes (160 bits, 32-character Base32 string) seems to be the widely supported secret length for maximum security if compatibility is an issue
• If possible, allowing a time skew for both devices seems to be commonly accepted for user convenience (previous, current and next codes are valid)
• Will Rust plugins eventually be allowed? Then even I could contribute 😄

[droidmonkey]

You cannot use totp to secure an offline encryption method.