Getting the OtpKeyProv HOTP plug-in to work with Google Authenticator


Supported Generator Tokens

All generator tokens that follow the OATH HOTP standard (RFC 4226) are supported.

The OtpKeyProv plug-in is truly awesome!

Slight problem: no documentation on getting it to work with Google Authenticator.

The solution was on this page:

Google authenticator secret key for manual setup for HOTP (counter based – not time based) base32 secret keys length are in multiples of 8 characters. With no padding of “=” which KeePass allows.

But I’m pasting it here in case it drops off the face of the Internet – thank you “Wellread1”:

The difficulty arises with Google Authenticator user documentation. It is expecting a base32 (secret) key. You must set the Secret Key to base32 in KeePass and restrict your Secret Key to the base32 character set: a-z, 2-7. KeePass allows “=” but Google Authenticator does not. Also, base32 secret key lengths are in multiples of 8 characters.

A test configuration that works:

Set the Configure OTP Lock:
Length: 6
Secret key: abcdefghxz234567 (base32)
Counter: 0 (Dec)
Number of OTPs: 3
Look ahead: 9 (allows 3 failed KeePass unlock attempts using newly generated OTPs before a recovery becomes necessary because the counters have become too far out of sync.)

Set Google authenticator
Secret Key: abcdefghxz234567
counter: counter based

The first 6 OTPs will be:

Make sure you never lose the Secret key or you will be permanently locked out of KeePass if the counters get out of sync. Also recognize that the true secret is the Secret Key not the OTPs.
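
The constraints in the quoted post (base32 alphabet only, no “=” padding, length a multiple of 8) and the counter look-ahead can be checked with a short script. This is an added example, not part of the original post and not the OtpKeyProv plug-in's code. The function names and the look-ahead model in `unlock` are assumptions, and the sample key is the published RFC 4226 Appendix D test secret rather than the key from the post.

```python
import base64, hashlib, hmac, re, struct

def decode_secret(secret: str) -> bytes:
    """Decode a base32 secret under the constraints the post describes:
    only a-z / 2-7, no '=' padding, length a multiple of 8."""
    s = secret.strip().replace(" ", "").upper()
    if not re.fullmatch(r"[A-Z2-7]+", s):
        raise ValueError("secret must use only a-z and 2-7 (no '=' padding)")
    if len(s) % 8:
        raise ValueError("secret length must be a multiple of 8 characters")
    return base64.b32decode(s)

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def unlock(key, counter, otps, look_ahead=9, digits=6):
    """Assumed look-ahead model (not taken from the plug-in's source):
    accept the OTP sequence if it matches starting at counter + k for some
    k in 0..look_ahead. Returns the next counter to store, or None when
    the token has drifted outside the window and recovery is needed."""
    for k in range(look_ahead + 1):
        start = counter + k
        expected = [hotp(key, start + i, digits) for i in range(len(otps))]
        if all(hmac.compare_digest(e, o) for e, o in zip(expected, otps)):
            return start + len(otps)
    return None

# Constructed sample: base32 encoding of the RFC 4226 Appendix D test secret.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    key = decode_secret(RFC_SECRET)
    print([hotp(key, c) for c in range(3)])
    # Token advanced 3 times without an unlock: stored counter 0, token at 3.
    print(unlock(key, 0, [hotp(key, c) for c in (3, 4, 5)]))
```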

