How-To Set up KeePassXC as a token
This guide describes how you can use your workstations as software tokens for multi-factor authentication with KeePassXC.
KeePassXC is a freely available password manager software that anyone can use. For this guide it is assumed that you have already set up KeePassXC.
If KeePassXC is not yet installed, please follow the instructions linked on the right first.
Multi-factor authentication (MFA) is carried out in 3 steps, which together secure your logins to all supported services from now on.
- The first step is to create a token in LinOTP, the web service for managing your own tokens for use in university services. LinOTP can be accessed around the clock from the university network or via VPN on the linked page.
- The second step is to set up this token in KeePassXC. Once set up, KeePassXC generates one-time passwords for each login. This ensures that only people who have access to the second device in addition to the usual login data can log in to the MFA-enabled services.
- While the first two steps are only carried out once per device, the third step (logging on to an MFA-enabled service) is carried out many times. Initially, the university's VPN will be supported. Other services will follow. Detailed instructions on how to use MFA in the respective service can be found in the service catalogue entries for the relevant services.
Video Tutorial
In addition to these instructions, you can watch the german video tutorial, which briefly shows you how to set up the token. We recommend that you also read the instructions in text form, as this contains more detailed information.
Creating a token
1. Open the MFA Token Self Service platform in a browser on a trusted device.
Log in with your regular university access data. Before entering your data, you should check the domain and the shield symbol next to it to ensure that all transmitted data is actually exchanged with our MFA solution.
Under “Soft token (time-based)” click on "Set up".
In the window that opens, you can enter a name under “Token description” (e.g. "Work laptop"). Then click on "Next".
Click on "Show token details" under the QR code in your browser to view the secret key for KeePassXC.
Please do not click on "Next" until KeePassXC has been set up successfully!
Select the key in the text field that opens. Double-click on the character string between “secret=” and “&issuer=” to highlight it easily. Copy the key to your clipboard.
Setting up a token in KeePassXC
Now switch to the KeePassXC application. Here, add the information for multi-factor authentication to an entry that has already been set up by right-clicking on the entry. In the context menu that appears, please select "TOTP" and then "Set up TOTP...".
In the dialogue that opens, insert the key into the secret key field and confirm the dialogue with "OK".
A clock symbol will now appear in front of your entry, confirming that KeePassXC has been set up correctly as a token.
You can display your current MFA token one-time password at any time by right-clicking on the entry and selecting "TOTP" and then "Show TOTP".
The number displayed here is the valid one-time password as the second factor for logging in to all MFA-enabled services of the university.
Testing a token
Back on the self-service platform, you can now click on "Continue" and the confirmation of the token setup will appear. Click on "Test" to continue with the test.
In the dialogue that opens, please enter the current one-time password from your token and press "Submit".
It will now be shown whether your test was successful.
Test successful
If possible, set up a second token (e.g. Android or iOS device) or log out of the platform.
You can now use MFA in all compatible applications. You can find specific help on this in the instructions for the corresponding services.
Test unsuccessful
If the test was not successful, please try again immediately. If this test is also unsuccessful, please delete the token immediately by clicking on the three dots in the overview and then on "Delete".
In this case, please contact your IT representative or the IT service.
Auto-type (optional)
If you would also like to have the token automatically inserted into login fields, please edit the corresponding entry and select "+" in the "Auto-Type" section at the bottom centre to add a new assignment.
Now select the window title on the right, i.e. the name of the window in which the user name, password and token are to be entered. In the example, Auto-Type is to be used for logging on to the MFA self-service platform LinOTP, which is why the browser window "Token Self Service - LinOTP - Mozilla Firefox" is selected. The Auto-Type sequence can be specified here:
{USERNAME}{TAB}{PASSWORD}{ENTER}{DELAY 1000}{TOTP}{ENTER}
Executing the auto type when the window is active now causes the user name and password to be entered in the first window and, after a short pause, the TOTP-based MFA token is automatically entered in the second window, whereupon you are logged in.
If you use several tokens, you can switch to the correct token in the token overview as follows:
{USERNAME}{TAB}{PASSWORD}{ENTER}{DELAY 1000}{DOWN}{ENTER}{DELAY 1000}{TOTP}{ENTER}
Please repeat "{DOWN}" as often as necessary to select the correct token.