1

In our team, we use KeePass to store the credentials and the MFA secret key of AWS account root users.

Is it possible to use KeePass to directly generate the AWS MFA codes (TOTP / Time-Based One-Time Password)? Otherwise, every team member would have to add every MFA secret key inside an authenticator app (like Microsoft Authenticator or Google Authenticator) to generate the needed MFA codes during login.

1
  • Generally root accounts should be used very rarely for exceptional events that can't be done by an administrator. It would be better to give your admins an IAM user with admin rights, or federate to a central identity store. Two or three people can then add root MFA to their own authenticator app.
    – Tim
    Commented Jan 26, 2022 at 20:37

1 Answer

1

KeePass provides, since version 2.x, an option ({TIMEOTP} – Generating Time-Based One-Time Passwords) for generating AWS MFA codes out of the box.
Simply go to the Advanced tab and add the String fields:

  • Name: MFA Code / Value: {TIMEOTP}
  • Name: TimeOtp-Secret (use TimeOtp-Secret-Base32 for AWS MFA secret keys) / Value: 12345678901234567890

KeePass Advanced String fields

There will appear a new option called MFA Code inside the context menu with the current MFA code.

Copy MFA Code
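Why the field name matters, as an added example that is not part of the original answer and is not KeePass's own code: the same RFC 6238 computation gives a different code when a Base32 secret is stored under TimeOtp-Secret, which is read as UTF-8 text, instead of TimeOtp-Secret-Base32. It assumes 6 digits, a 30-second step and HMAC-SHA-1; the function names are hypothetical, and the secret is the RFC 6238 test key used in the answer, not a real AWS key.

```python
import base64
import hashlib
import hmac
import struct

def totp(key: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP using HMAC-SHA-1 and RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def key_from_field(field_name: str, value: str) -> bytes:
    """Turn a KeePass string field into key bytes (hypothetical helper)."""
    if field_name == "TimeOtp-Secret":
        # Plain variant: the text itself, UTF-8 encoded, is the key.
        return value.encode("utf-8")
    if field_name == "TimeOtp-Secret-Base32":
        # Base32 variant: tolerate spaces, lower case and missing padding.
        cleaned = value.replace(" ", "").upper()
        cleaned += "=" * (-len(cleaned) % 8)
        return base64.b32decode(cleaned)
    raise ValueError(f"unsupported field: {field_name}")

# Constructed sample data: the RFC 6238 test key and its Base32 form,
# standing in for the Base32 secret key shown during MFA setup.
RAW_SECRET = "12345678901234567890"
BASE32_SECRET = base64.b32encode(RAW_SECRET.encode("ascii")).decode("ascii")

def compare(unix_time: int) -> dict:
    """Codes produced for one point in time under each field choice."""
    return {
        "raw_in_plain_field": totp(
            key_from_field("TimeOtp-Secret", RAW_SECRET), unix_time),
        "base32_in_base32_field": totp(
            key_from_field("TimeOtp-Secret-Base32", BASE32_SECRET), unix_time),
        # Misconfiguration: Base32 text stored in the plain field.
        "base32_in_plain_field": totp(
            key_from_field("TimeOtp-Secret", BASE32_SECRET), unix_time),
    }

if __name__ == "__main__":
    for name, code in compare(59).items():
        print(f"{name}: {code}")
```
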
