Keepass & Yubikey issue: failed to create OTP key


So I wanted to move from LastPass to KeePass with my YubiKeys. I set it up just like Yubico describes: http://www.yubico.com/applications/password-management/consumer/keepass/

All went well: I installed the OtpKeyProv plugin, configured it and was able to unlock my db with 3 OTPs (8 digits). I was working on the db, shut down my laptop and after 2 hours I wasn't able to get into KeePass: "Failed to create OTP key". Secret code recovery made it work, but whenever I try to generate new OTPs and access the db, the same error comes up. I even tried creating it from scratch, but no luck. It magically stopped working.

user301916

Posted 2014-03-12T18:54:15.010

Reputation: 21

Answers


If you generated OTPs with your YubiKey that were not entered in KeePass, the counters have gone out of sync and OtpKeyProv will have stopped accepting them.

From the documentation:

Look-ahead count. OtpKeyProv supports look-ahead windows. When a number n is specified as look-ahead count, n OTPs may be skipped and opening will still work. For example, if the OTP sequence is A B C D E F G H (where each letter represents a multi-digit OTP), 4 OTPs are required and the look-ahead count is 2, then all of the following OTP sequences will open the database: A B C D, B C D E and C D E F.

The default look-ahead count is 0, i.e. only exactly one OTP sequence will work. The higher the look-ahead count is, the less secure the protection of the database is.

One solution would be to re-initialize your YubiKey using the personalization tool and to reinit the OtpKeyProv counter to 0.

You might want to make the Look-ahead greater than 0 and you might also want to be careful about not generating OTPs outside of KeePass.

joce

Posted 2014-03-12T18:54:15.010

Reputation: 375
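The look-ahead behaviour described in the answer, as an added example that is not OtpKeyProv's or Yubico's own code: a plain RFC 4226 HOTP generator and a simplified model of a counter-based unlock check that accepts a run of consecutive OTPs starting anywhere within the look-ahead window. The secret and the "required = 4, look-ahead = 2" settings are constructed for the demonstration; OtpKeyProv's real key derivation is not reproduced here.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 8) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def find_run_start(secret: bytes, codes, counter: int, look_ahead: int, digits: int = 8):
    """Return the counter value at which the submitted run of OTPs begins, or None.

    A start is tried for every number of skipped OTPs from 0 up to look_ahead; the
    run is accepted only if every submitted code matches in order from that start.
    """
    for skipped in range(look_ahead + 1):
        start = counter + skipped
        if all(hotp(secret, start + i, digits) == c for i, c in enumerate(codes)):
            return start
    return None


def try_unlock(secret: bytes, codes, counter: int, look_ahead: int, digits: int = 8):
    """Simplified unlock: on success return the new stored counter (just past the run),
    on failure return None (what the user sees as "Failed to create OTP key")."""
    start = find_run_start(secret, codes, counter, look_ahead, digits)
    if start is None:
        return None
    return start + len(codes)


# Constructed demo secret (hypothetical; a real YubiKey slot holds a 20-byte HMAC key).
SECRET = b"constructed-demo-key"
# Sequence A..H from the documentation example: eight successive OTPs from the key.
SEQUENCE = [hotp(SECRET, n) for n in range(8)]

if __name__ == "__main__":
    # Database expects counter 0, needs 4 OTPs, look-ahead 2.
    print(try_unlock(SECRET, SEQUENCE[0:4], 0, 2))  # A B C D -> 4
    print(try_unlock(SECRET, SEQUENCE[2:6], 0, 2))  # C D E F -> 6
    print(try_unlock(SECRET, SEQUENCE[3:7], 0, 2))  # D E F G -> None (3 skipped > 2)
    print(try_unlock(SECRET, SEQUENCE[1:5], 0, 0))  # B C D E, look-ahead 0 -> None
```

With look-ahead 0 (the default) a single OTP pressed outside KeePass is enough to reach the failing case, which matches the symptom in the question; re-initialising the key and the stored counter is the only way back once the window has been exceeded.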