Getting the OtpKeyProv HOTP plug-in to work with Google Authenitcator

Print Friendly

Supported Generator Tokens

All generator tokens that follow the OATH HOTP standard (RFC 4226) are supported.

The OtpKeyProv plug-in is truely awasome!
http://keepass.info/plugins.html#otpkeyprov

Slight problem, no documentation on getting it to work with Google Authenitcator.

The solution was on this page:
http://sourceforge.net/p/keepass/discussion/329220/thread/be102635/#e37a

Google authenticator secret key for manual setup for HOTP (counter based – not time based) base32 secret keys length are in multiples of 8 characters. With no padding of “=” which KeePass allows.

But I’m pasting it here in case it drops off the face of the Internet – thank you “Wellread1”:

The difficulty arises with Google authenticator user documentation. It is expecting a base32 (secret) key. You must set the Secret Key to base32 in KeePass and restrict your Secret Key to the base 32 character set: a-z, 2-7. KeePass allows “=” but Google authenticator does not. Also base32 secret keys length are in multiples of 8 characters.

A test configuration that works:

Set the Configure OTP Lock:
Length: 6
Secret key: abcdefghxz234567 (base32)
Counter: 0 (Dec)
Number of OTPs: 3
Look ahead: 9 (allows 3 failed KeePass unlock attempts using newly generated OTPs before a recovery becomes necessary because the counters have become too far out of sync.)

Set Google authenticator
Secret Key: abcdefghxz234567
counter: counter based

The first 6 OTPs will be:
442843
724600
994767
847513
160505
583080

Make sure you never lose the Secret key or you will be permanently locked out of KeePass if the counters get out of sync. Also recognize that the true secret is the Secret Key not the OTPs.

 

Leave a Reply

Your email address will not be published.