
At the moment, I am using KeePassXC with a relatively strong master password. To further improve security, I thought about buying a YubiKey to have 2-Factor-Authentication. KeePassXC supports the so-called "HMAC-SHA1 Challenge Response mode".

Does KeePassXC support two-factor authentication (2FA) with YubiKeys?

KeePassXC supports YubiKeys for securing a database, but strictly speaking, it's not two-factor authentication. KeePassXC generates a challenge and uses the YubiKey's response to this challenge to enhance the encryption key of your database. In a sense, it makes your password stronger, but technically it doesn't qualify as a separate second factor, since the expected response doesn't change every time you try to decrypt your database. However, it does change every time you save your database.

Assuming an attacker has access to my KeePassXC database and perhaps even installed a keylogger on my system, the additional YubiKey is useless in this case, am I right here? So, is it reasonable to use a hardware security key for KeePassXC if you already use a strong master password?

KeePassXC developer here, I got directed to this thread and want to add some remarks. The answer by Jeffrey from 1Password is technically accurate. The YubiKey is used in a mode which is slightly different from what it was designed for. KeePassXC presents a (pseudo-)random challenge (the database's master seed, which changes every time you re-encrypt, i.e., save your database) to the YubiKey and gets a unique response in return. This response is then used to enhance your decryption key by hashing and transforming it together with your password and (optionally) your key file.
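A simplified model of the derivation described in the thread, added here as an example and not KeePassXC's own code: the slot secret, the two master seeds and the password are constructed values, and the Argon2/AES-KDF transform that follows the composite key is left out.

```python
import hashlib
import hmac
from typing import Optional

# Added illustration of the scheme discussed above: a YubiKey in HMAC-SHA1
# challenge-response mode answers the database's master seed, and that answer
# is hashed into the composite key together with the password and key file.
# This is a simplified model, not KeePassXC's code or the exact KDBX key
# schedule (the Argon2/AES-KDF transform after this stage is omitted).

# Constructed sample values: a programmed YubiKey slot secret and two master
# seeds, the second standing in for the seed written on the next save.
SLOT_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff00112233")
SEED_BEFORE_SAVE = bytes(range(32))
SEED_AFTER_SAVE = bytes(range(32, 64))


def yubikey_hmac_sha1(slot_secret: bytes, challenge: bytes) -> bytes:
    """Stand-in for the YubiKey's HMAC-SHA1 slot: a 20-byte HMAC over the challenge."""
    return hmac.new(slot_secret, challenge, hashlib.sha1).digest()


def composite_key(password: str, master_seed: bytes, slot_secret: bytes,
                  key_file: Optional[bytes] = None) -> bytes:
    """Hash the password, optional key file and key response into one 32-byte key."""
    h = hashlib.sha256()
    h.update(hashlib.sha256(password.encode("utf-8")).digest())
    if key_file is not None:
        h.update(hashlib.sha256(key_file).digest())
    # The master seed is the challenge; without the key's response the
    # composite key cannot be reconstructed from the password alone.
    h.update(yubikey_hmac_sha1(slot_secret, master_seed))
    return h.digest()


def response_is_static_between_saves(password: str) -> bool:
    """Same seed -> same response -> same key on every decrypt attempt, so it is
    not a one-time second factor; a save writes a new seed, and the key changes."""
    before = composite_key(password, SEED_BEFORE_SAVE, SLOT_SECRET)
    again = composite_key(password, SEED_BEFORE_SAVE, SLOT_SECRET)
    after = composite_key(password, SEED_AFTER_SAVE, SLOT_SECRET)
    return before == again and before != after


if __name__ == "__main__":
    print("static between saves, changes after save:",
          response_is_static_between_saves("hunter2"))
```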
