KeePassXC: TOTP-MFA without Smartphone

The password manager KeePassXC offers the ability to generate temporary passwords, allowing you to use a second factor for your account without needing a smartphone, biometric recognition on the device (fingerprint or facial recognition), or a FIDO2 hardware token (such as Yubikey).

However, we strongly advise against this solution and recommend using it only when no other alternative is available!

The purpose of authentication through a second factor is to enhance security. Compared to other methods, KeePass provides significantly less additional security for your account.

KeePassXC must be installed on your device beforehand. You can find the download for the program here.

1. Click “Neue Datenbank erstellen” (Create New Database).

2. Create a database name (e.g., KeePass GWDG) and a description for the password database, then click “Weiter” (Next).

3. In the next window, simply click “Weiter” (Next), as no adjustments are necessary here.

4. The database must be secured with a password. Create a password and then click “Fertig” (Finish).

Important: Please store this password securely. Also, do not use the same password as your AcademicCloud account password.

5. A save dialog will appear. Save the database in a secure location on your computer.

6. To add a new password entry, select the Plus icon in the top menu bar.

7. Enter a title for the password. For username and password, enter your AcademicCloud login credentials, then click “OK.”

8. You should now see a new entry in the list. Right-click on this entry, and in the “TOTP” tab, select “TOTP einrichten” (Set up TOTP).

9. Do not close the KeePassXC window that opens! This will now be used during the factor setup in the AcademicCloud account portal.

Open your account portal as described here under the heading “How do I set up an additional factor?”

10. In the AcademicCloud account portal, go to the “Sicherheit” (Security) section under “Authenticator App” and press the “Mein Konto absichern“ (Secure my account) button.

11. Add a suitable description for the factor so you can identify it later (e.g., KeePass).

12. A QR code will appear. Below it, it says: “To copy the secret for extended use to your clipboard, click: here.” Save the secret to your clipboard by clicking “here.”

13. Return to KeePassXC and paste (CTRL+V) the secret into the open window, then click “OK.”

14. Go back to the AcademicCloud browser window. Click “QR-Code gescannt” (QR Code Scanned). A window will open where the factor needs to be confirmed.

15. Find the corresponding code in the KeePassXC application. Copy the code from KeePass and paste it into the account portal browser window.

16. The factor is now successfully added.

1. The next time AcademicCloud requires a second factor for login, open KeePassXC first.

2. Unlock the password database and click on the entry with the 2FA.

3. In the entry, you’ll see a 6-digit code and a bar that gets smaller over time. This bar indicates how long the code is valid (each code is only valid for a few seconds).

4. Double-click the code to copy it to your clipboard, then paste it during the login process.