How to set up TOTP in KeePassium
KeePassium can generate time-based one-time passwords (TOTP) for services that require two-factor authentication (2FA). For security reasons, you should not keep your passwords and TOTP tokens in the same database.
Using QR code
This is the easiest and quickest method:
- Open the entry editor and tap Setup one-time password (OTP).
- Point the camera at the QR code shown by the target website.
The QR code should contain an otpauth:// URI (a de facto standard for 2FA QR codes). KeePassium will save the configuration URI to a custom field named
TOTP codes added by KeePassium are compatible with KeePassXC and most mobile apps. For KeePass, you will need the KeePassOTP plugin.
Using a TOTP secret key (token)
When you set up two-factor authentication on a website, choose the option to enter the TOTP secret code manually:
Now, open your database in KeePassium (or any other KeePass app), and open the entry editor.
Create two custom fields:
- TOTP Settings with value 30;6 (these are the refresh interval in seconds and the number of digits in generated codes, respectively)
- TOTP Seed with your TOTP secret key (spaces and capitalization don’t matter)
The result should look like this:
Using an OTPAUTH link
Some websites will provide you an otpauth:// link instead of the secret code:
In this case, instead of the two fields described above (TOTP Seed and TOTP Settings), create just one field named otp. Copy the URL to that field — and that’s it.
Steam TOTP setup
Valve’s Steam service has its own TOTP format. KeePassium can generate Steam TOTP codes, too.
Open the Steam entry in your database and create two custom fields:
- TOTP Settings with value 30;S (30 is the refresh interval, and S means that TOTP codes should have the Steam-specific format)
- TOTP Seed with the secret key (in base32 format)
There is no easy way to extract Steam’s secret key, but it is possible. For more details, please follow this guide: How to get your Steam shared_secret key.
TOTP setup button is missing
Your database file has an old format that does not support custom entry fields. As a solution, upgrade your database to KDBX format.
Generated TOTP codes seem invalid
- Make sure the system time on your device is correct. Even a 30-second deviation can make generated codes invalid.
- Make sure that the secret key is entered without typos.
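To check a code independently of the app, the following added example (not KeePassium's own code) computes RFC 6238 codes from the TOTP Seed / TOTP Settings pair, from an otpauth:// URI, and in the Steam format, and reports at which clock offset a given code would have been valid. The function names are hypothetical, the Steam alphabet is an assumption based on Steam Guard's publicly documented encoding rather than on this page, and the seed used for checking is the RFC 6238 test key, not a real secret.

```python
import base64, hmac, struct, time
from urllib.parse import urlparse, parse_qs

# Assumption: Steam Guard's publicly documented 26-symbol alphabet (not from this page).
STEAM_ALPHABET = "23456789BCDFGHJKMNPQRTVWXY"

def decode_seed(seed):
    """Base32-decode a TOTP Seed; spaces and letter case are ignored."""
    s = "".join(seed.split()).upper().rstrip("=")
    return base64.b32decode(s + "=" * (-len(s) % 8))

def parse_settings(settings):
    """Split a TOTP Settings value such as '30;6' or '30;S' into (period, fmt)."""
    period, fmt = settings.split(";")
    return int(period), fmt.strip().upper()

def totp(seed, settings="30;6", now=None, algo="sha1"):
    """Return the code for the time step containing `now` (defaults to the system clock)."""
    period, fmt = parse_settings(settings)
    counter = int(time.time() if now is None else now) // period
    mac = hmac.new(decode_seed(seed), struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F  # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    if fmt == "S":  # Steam: five symbols, least significant first
        out = ""
        for _ in range(5):
            value, idx = divmod(value, len(STEAM_ALPHABET))
            out += STEAM_ALPHABET[idx]
        return out
    digits = int(fmt)
    return str(value % 10 ** digits).zfill(digits)

def from_otpauth(uri):
    """Map an otpauth://totp/... URI to (seed, settings, algo), applying the usual defaults."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    settings = f"{q.get('period', '30')};{q.get('digits', '6')}"
    return q["secret"], settings, q.get("algorithm", "SHA1").lower()

def matching_offsets(seed, settings, code, now, window=1):
    """Return the time-step offsets within +/- window at which `code` is valid."""
    period, _ = parse_settings(settings)
    return [k for k in range(-window, window + 1)
            if hmac.compare_digest(totp(seed, settings, now + k * period), code)]
```

A non-zero offset from matching_offsets means the code belongs to a neighbouring time step, which points to clock drift rather than a mistyped secret; an empty list points to the secret or settings.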
Last Updated: 2021-10-09