How to enable 2FA with KeePass

How to enable 2FA with KeePass

Unfortunately KeePass does not have native support for 2FA (two-factor authentication). However, support for 2FA can be added to KeePass with the KeeChallenge plugin. Using Linux it is quite a hassle to get this working. The easiest solution in my opinion is to use KeePassXC instead of KeePass as it has native support for hardware-backed OTP challenge-response 2FA. In addition, another authentication factor can be added by generating a key file. To make the most of this method the key file should be stored separately from the KeePass database. So the setup would look something like,

  • Computer contains the KeePass database
  • USB key contains the KeePass key file
  • Hardware 2FA device such as a Yubikey that supports OTP challenge-response

For most people I would actually recommend using Bitwarden. The free version does not have 2FA, however for $10 a year you get 2FA functionality (and Yubikey, U2F and Duo support) as well as 1GB storage, Health Reports and more. If you don’t want to pay $10 per month you can also host your own Bitwarden server for no cost as the the code is open source. The benefit of hosting Bitwarden yourself is that you can have unlimited storage (limited by your own storage) and you get access to all the premium features. If you want other password recommendations see this previous post.

Updated article to correct the price of Bitwarden - was supposed to be ‘year’ not ‘month’

Thanks for reading! As always reader participation is not just welcomed, but encouraged! If you have any suggestions, corrections or anything in between, feel free to leave a comment.

Want a good laugh? Check out our other blog created entirely by artificial intelligence (AI).

We've done the research, so you don't have to!


Braeden Mitchell's Picture

About Braeden Mitchell

Braeden has an MSc specialising in Information Security and freelancing as an IT consultant