Back in November of 2020, I wrote an article entitled Two-Factor Authentication without SMS or a smartphone.
In those days, 2FA (Two-Factor Authentication) wasn’t terribly popular. Today, it’s everywhere!
I also recommended using Authy for Windows, which is a desktop version of the popular smartphone 2FA app.
So, problem solved, right? NO! Authy just announced they’re canceling their desktop Windows app. 🙁
What the heck are we supposed to do now?!
No more Authy Desktop?!
Nope. Fire up Authy today, and you’ll see this:
Search for a replacement 2FA app for desktop, and you’ll come up with almost nothing!
It seems we’re all being pushed into using smartphones for 2FA after all…
Your Honor, I object
No. That simply won’t do.
So what’s the solution? KeePass! KeePass is an encrypted password safe.
You set one long, complicated password, and then store all your logins/passwords for all your sites inside this one app. Pretty handy, and MUCH safer than letting your web browser store your logins and passwords – especially if that browser is Google Chrome…
Now, I know what you’re gonna say: “But Scottie, why not use KeePassXC? It has TOTP 2FA built-in and it looks so much better!”
Yes, but… There have been various versions of KeePass over the years. KeePass/L, KeePassX, KeePassXC, KeePassABCDEFG+, and so on.
Many of these versions have gone the way of the dinosaur, but KeePass is still around! Sure, it looks a bit dated, but who cares? It works, it’s updated regularly, and with a plugin, it does 2FA!
First, you need to install KeePass
Right, so, the version I suggest is the ZIP file. You want version 2.xx, Portable: KeePass Download Page
Why not the installer? Well, the portable version is just a ZIP file. Download it, and then extract it into whatever folder you want – for example, C:\MySecretStuff\KeePass
In that folder, just run the file KeePass.exe, and you’re off and running. Drag-n-drop a shortcut link to your desktop, the taskbar, or whatever you want.
The Portable version also gives you two very handy things:
- Upgrading is as simple as downloading the new version’s ZIP file, decompressing it, and then copy/pasting the new files directly over the old ones in your (for example) folder C:\MySecretStuff\KeePass
- You can also copy your KeePass dir onto a USB stick, or a network drive, or whatever. Ta-DA! You’ve got a working backup. That was easy.
Or, if that’s too complicated, just download and run the installer version! 2FA will work either way.
What about your smartphone or tablet? Well, if you scroll down the Downloads page, you’ll find links to KeePass ports for Android and iOS. For example, I use KeePassDroid on Android, and then I copy over my KDBX encrypted password database (from within the KeePass directory). VOILA! Mobile access to all my logins/passwords if I need it, and it stays encrypted.
Next, install the KeePassOTP plugin
From the main KeePass homepage, you can click the Plugins link to see all the available add-ons for KeePass 2.x.
We’re looking for KeePassOTP, or you can just click here to download KeePassOTP.
To “install” the plugin, you do this:
- Download the plugin
- In KeePass, click Tools → Plugins → button Open Folder; KeePass now opens a folder called Plugins
- Move the plugin file KeePassOTP.plgx into the now open Plugins folder
- Restart KeePass in order to load the new plugin!
Well, that was easy.
Set up 2FA for each of your accounts
I’m going to assume that you have some idea how to use KeePass. It’s pretty straightforward.
Bad news: You’ll need to turn off 2FA for each of your accounts and then set it up again with KeePass instead. To do this, you’ll need to log in to each one, use Authy, and then disable 2FA. Then, re-enable 2FA – this time using KeePass to generate your secret codes. Annoying, but true!
To add 2FA to an existing account, you’ll want to do the following:
First, ensure that the 2FA codes will display properly once you’ve set up 2FA for each account. You’ll need to right-click the account listing header bar (Title, Username, Password…) and click Configure Columns. Scroll down to the bottom, and make sure KPOTP is checked and Asterisks (the password mask) is set to No:
Bueno. Next, find the account with username and password to which you want to add 2FA.
Right-click the account and choose KeePassOTP -> OTP setup…
(NOTE: You can also access the OTP Setup by clicking the Tools button at the bottom of the Edit Entry window)
First, it’s going to ask you if you’d like to store the OTP codes in a different database: JUST SAY NO! Otherwise, you’ll have to enter a password, and then you’ll have TWO passwords to type in every single time KeePass loads! Bad! It’s perfectly fine to store the OTP stuff in the same database as usernames/passwords – as long as your KeePass Master Password is strong.
Then, in the popup window, you need to just paste the Secret Code that your site/service gives you. If it tries to give you a QR code, click the other option which is usually something like, “Use code instead”:
Click OK, and you should now see 6-digit codes displayed in the KPOTP column:
Now, to log in to some web site, you can open KeePass, double-click the username and paste it into the web site, double-click the password and paste it into the web site, and finally, double-click the 6-digit generated 2FA code.
BOOM! You’re logged in.
Note the (3) next to the two sites in the image above. That’s a countdown showing that in 3 seconds, the 2FA code will rotate. So, hang on a few seconds before double-clicking so you can get the new code.
There you have it
So, that’s not so bad. You should be using a password safe anyway. Now you are, and you no longer need the separate Authy app!
Note that KeePass supports TOTP (time-based One Time Passwords) as well as HOTP (HMAC-based One Time Passwords).
If what I described above doesn’t work, you may need to search a bit and try HOTP instead, or tweak the OTP generator settings.
For the vast majority of sites and services, the default TOTP as I described above works like a charm!
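To show what KeePassOTP is actually doing with the “Secret Code” you paste in (and why the codes rotate on a countdown), here is an added example, not code from the post or from the KeePassOTP plugin, that implements HOTP (RFC 4226) and TOTP (RFC 6238) from the standard library. The demo secret is the reference key from those RFCs, written in Base32 with spaces and lowercase the way a site might display it; the function names and the cleanup of the pasted secret are my own assumptions about how a reader would use this.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def normalize_secret(secret: str) -> bytes:
    """Decode the Base32 'secret code' a site shows when you choose
    'use code instead' of the QR code. Sites often print it lowercase,
    in space-separated groups, and without the '=' padding Base32 wants,
    so clean that up before decoding."""
    cleaned = secret.replace(" ", "").replace("-", "").upper()
    padding = (-len(cleaned)) % 8
    return base64.b32decode(cleaned + "=" * padding)


def hotp(key: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then the low 'digits' decimal digits, zero-padded."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, algorithm).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: Optional[int] = None, step: int = 30,
         digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of 'step'-second
    windows elapsed since the Unix epoch (30 s is the default most sites use)."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(key, unix_time // step, digits, algorithm)


def seconds_remaining(unix_time: Optional[int] = None, step: int = 30) -> int:
    """Seconds until the current TOTP window ends and the code rotates,
    i.e. the countdown shown next to the code in the KPOTP column."""
    if unix_time is None:
        unix_time = int(time.time())
    return step - (unix_time % step)


# Constructed demo secret: the RFC 4226 / RFC 6238 reference key
# (ASCII "12345678901234567890") in Base32, formatted as a site might show it.
DEMO_SECRET = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"

if __name__ == "__main__":
    key = normalize_secret(DEMO_SECRET)
    print("HOTP, counter 0:", hotp(key, 0))   # 755224
    print("TOTP at t=59:   ", totp(key, 59))  # 287082
    print("TOTP now:       ", totp(key), "rotates in", seconds_remaining(), "s")
```

Running it prints the RFC test-vector codes and then a live code for the demo key. If a site’s codes don’t match what KeePassOTP shows, the usual culprits are a clock that is off by more than a window, or a site that uses a different digit count, step, or hash algorithm than the SHA-1/6-digit/30-second defaults, which is exactly what the plugin’s OTP generator settings let you adjust.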
Let me know if you found a better solution!!
Update: But wait, how do you keep KeePassOTP up to date? Easy! You set up automatic KeePass updates!
In the past year I’ve adopted Bitwarden. It has the best free tier available and the premium tier is cheap ($10/year ?). They allow self-hosting for the geeky. The specs & code are open source and a lightweight server re-implementation vaultwarden can even run on an old rpi2 in docker. The built-in 2fa TOTP works well. Master password can be augmented with YubiKey 2fa. I like the reports looking for weak, re-used, leaked, 2fa lacking, https lacking entries.
With tailscale family/friends can share the server remotely.
The self-hosting with keepass might be easier though. With a very strong master password I don’t hesitate to tell my less geeky friends to use Bitwarden servers.
Another good option is KeePassXC. This is a newer version with TOTP built in natively, so no plugin needed! Here’s how to do it with that version: https://keepassxc.org/docs/KeePassXC_UserGuide#_adding_totp_to_an_entry