TOTP (2FA) Within Keepass

Hello, I shifted from bitwarden to keepass.
and i am liking it very much.

I have a concern
should i use totp in keepass ?
is it safe to store both username and password with 2fa inside same app ?

what are your thoughts on this ?

The downside to doing this is that if anyone gains control over your local machine with KeePass on it, they now have access to your passwords and your 2FA codes. However, that is a pretty extreme scenario and you still gain many benefits from 2FA such as protection from credential stuffing and brute force attacks, even if your codes are stored along with your passwords.

I think for most accounts, this setup is fine. But for high-value accounts (bank accounts, etc.) it would probably be best to keep your 2FA codes on a separate device or better: use a hardware token.


Is it safe? Yes, probably. But you know what they say about putting all your eggs in one basket.

Safest option is to go with using Aegis on your phone and using a strong and complicated password on keepass vault.

The question you should be asking yourself is from what kind of threat are you trying to shield against. Does your threat model involve someone possibly obtaining access to your password database? If the answer to that is yes, then obviously you should not keep your TOTP seeds in the same database that you also keep your passwords.

If I were to do this myself I would create a second password database just for storing the TOTP seeds. Which then I would secure using a Yubikey. But if you already have a Yubikey that probably means you can already use the Yubico Authenticator app on your desktop and your phone.

1 Like

TOTP is sufficient security for most people if and only if it’s done right. Using the same app for your password vault and TOTP isn’t doing it right IMHO, because it introduces a central point of failure. This doesn’t just mean that you’ll be in trouble only if your password database gets compromised, but also if you lose access to your KeePass database for any reason.

There’s no reason to do this when apps like Aegis exist, it’s a free and open source app that lets you easily back up your 2fa codes, and the backup files are encrypted in AES 256 GCM. The app works completely offline and doesn’t even require internet access permission.

1 Like

First of all welcome to the forum as I see this is your first post.

I just wanted to add that if you rely to a single TOTP app on your phone like Aegis always make sure to take proper backups.

I know, I know, it is common sense. Even so, I cannot count how many times someone told me they lost or have broken their phone and can no longer login to their accounts. So, yeah, I will keep saying it with every chance I get no matter how much tired you get from hearing it.

Backup your TOTP seeds.


how do you even use TOTP? within keypass the idea of the TOTP is that they keep changing. and password stored on keypass are static arent they?

There is a field for totp in KeepassXC app.


@Arken @reformed_sandpaper
Thank you everyone, after hearing all of you i realize my mistake and therefore I switched to Aegis.
the only problem is that i have to keep my phone with me to see the TOTP because Aegis doesn’t support windows platform.
The App seems very good to me, easy to use,
And i’ve also taken backup of aegis account with encrypted json format.

You can export your Aegis Database and open it on your computer with 2fast, an open-source TOTP client for Windows. It is avaliable in the Microsoft Store.

Lately I have considered using two KeepPass Databases. One database which I sync through NextCloud, which I share with Family members. One database for higher threat and or passwords I just have no reason to share.
We had a discussion awhile back concerning this, but I do not have my notes in front of me. Not having all your eggs in one basket comes to mind.

You don’t have to go with TOTP for all your accounts. Just the important ones containing information you deem important.

I think the minor inconvenience is worth it, since an external attacker would have to compromise two devices in order to pwn you.