
These days I am using a number of services on a regular basis that require a second factor in addition to a password. Two of them send me a 6 digit one time code over SMS each time I want to log in (these are codes generated by the server and sent to me, not time-based one time passwords in the RFC 6238 sense, even though they look the same). The other two send the 6 digit code by email. While that works quite well in general, there are two problems with this: First, SMS is sometimes a bit laggy and is generally considered too weak as a second factor, since codes can be intercepted or diverted by SIM swapping. And second, using email as a second factor for authentication makes me dependent on a particular provider if I don’t own the domain name. Not ideal. So when I recently had a closer look at the TOTP mechanism, I noticed that it is a standardized procedure (RFC 6238, built on the HOTP algorithm of RFC 4226) and that there are open source authenticator apps available that work with pretty much all services that offer TOTP with an authenticator app.
This is a game changer for me. I had been shying away from TOTP apps so far because I didn’t want to install a multitude of authentication apps, and a proprietary app that syncs key material with a hyperscaler was obviously out of the question as well. Having an open source implementation that is totally local and under my control, however, changes the story. And even better, I already had an app installed on my Android device that could do the job for all websites I’m using: KeePassDX.
KeePassDX on Android
I’ve been using KeePassDX on Android ever since I moved to GrapheneOS as a password vault to log into web services in the browser and to supply usernames and passwords to apps that occasionally ask for them. And it turns out it can also be used as a TOTP authenticator. Getting it to work is quite simple: The website that wants to use TOTP shows a 2D barcode (QR code) that I scan with my phone. The decoded text is an otpauth:// URI that carries the shared secret (Base32 encoded), the issuer and account label, and optionally the hash algorithm, number of digits and time step. It is forwarded to KeePassDX, which creates a new entry for the service. The screenshot above shows the format of the text that is encoded in the 2D barcode, which I generated with this demo site. The entry then shows a 6 digit passcode whenever I open the app. Very nice and painless to get working. One thing to keep in mind: the secret in that QR code is the long-term key from which every future code is derived, so whoever captures the barcode (a screenshot, a photo, a shared screen) can generate valid codes. It should be scanned once and not kept around.
Plan B: Use A Backup of the Vault File with KeePassXC on the Notebook
A TOTP app and generator on my phone is nice, but what if the phone is stolen or lost? I’m not afraid of misuse, as the phone is properly secured and unusable if found locked, but not being able to log into services would be a major issue. Fortunately, KeePassDX on Android uses a vault file format (KDBX) that is compatible with KeePass and KeePassXC on desktop/notebook operating systems. So if I lose my smartphone, I can simply copy a backup of the vault file to another phone, or use it on my notebook. Opening the copy of the vault file on another device is all that is required; the TOTP entries keep working because the seed and the parameters are stored in the entry itself. I gave it a try in practice and it works as intended. Two things to keep in mind: the backup only covers services enrolled before it was taken, so it has to be refreshed after every new TOTP setup, and since the vault now holds both the password and the TOTP seed for a service, the strength of the master password (or key file) is what keeps the two factors from collapsing into one. Perfect, so I have a way forward in case of theft and loss of my authenticator device.
I’m really glad I discovered this, as it enables, and significantly simplifies, secure two-factor authentication in practice for me without depending on proprietary solutions!