
How to use Keepass2Android with YubiKey NEO

Please refer to the documentation on the Keepass website (http://keepass.info/help/kb/yubikey.html) or the Yubico website (http://www.yubico.com/applications/password-management/consumer/keepass/) on how to set up a Keepass 2 database with Yubikey/OTP protection.

After successful setup you should have the database file, e.g. yubi.kdbx, and the OTP auxiliary file, e.g. yubi.otp.xml, both in the same folder.

Make sure you make both files available to Keepass2Android, e.g. by placing them both in your Dropbox.

Now check the NDEF setup of your Yubikey NEO. To do so, open the Tools menu in the Yubico Personalization Utility and select the same slot that is used for OTPs with Keepass 2. The default setting for NDEF type and payload should work. If you experience problems, you may use the configuration as shown in this screenshot or simply press the “Reset” button:

[Screenshot: NDEF settings in the Yubico Personalization Utility]

In Keepass2Android, select "Open file" and locate your database file, e.g. yubi.kdbx.

In the password screen under "Select master key type" select "Password + OTP".


Click "Load auxiliary OTP file". This is required to load the information about how many OTPs must be entered. As loading the file might require user action in some cases, this is not performed automatically.

After loading the OTP auxiliary file, you should see a few text fields for entering the OTPs. Now swipe your YubiKey NEO at the back of your Android device. If you have multiple apps which can handle NFC actions, you might be prompted to select which app to use. Select Keepass2Android in this case. Swipe your YubiKey again until all OTP fields are filled. Note: You don't need to select the next text field; this is done automatically!

Don't forget to also enter your password and click OK. You will see the “Saving auxiliary OTP file…” dialog. Note that there is some encryption involved, which is probably fast on your PC but might take some time on your mobile device. You can reduce the look-ahead window length to speed this up.


A note about offline access

If your database is stored in the cloud or on the web, you can still access it if you have enabled file caching (which is on by default). With OTPs, this becomes a little more complicated: if you repeatedly open your database while offline, the OTP counter stored on the Yubikey is increased each time. Don’t forget to synchronize the database (which will also synchronize the OTP auxiliary file) as soon as possible to avoid problems with accessing your database on other devices! If you often need to open the database while you’re offline, consider increasing the look-ahead window length!
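
The counter drift described above can be reproduced with a small model; this is an added example, not part of the original page and not Keepass2Android or KeePass code. It assumes the OTPs are OATH HOTP values (RFC 4226); `Token`, `AuxCopy` and `other_device_opens` are hypothetical names, the secret is the RFC test value, and keeping it in the clear inside `AuxCopy` is a simplification.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value for one counter (RFC 4226, HMAC-SHA1, dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class Token:
    """Stands in for the YubiKey: each swipe emits one OTP and advances the counter."""
    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def swipe(self, n: int) -> list:
        otps = [hotp(self.secret, self.counter + i) for i in range(n)]
        self.counter += n
        return otps

class AuxCopy:
    """Hypothetical, simplified copy of the auxiliary file state held by one device."""
    def __init__(self, secret: bytes, otps_required: int, look_ahead: int):
        self.secret, self.counter = secret, 0
        self.otps_required, self.look_ahead = otps_required, look_ahead

    def unlock(self, otps: list) -> bool:
        """Accept n consecutive OTPs that start anywhere inside the look-ahead window."""
        if len(otps) != self.otps_required:
            return False
        for start in range(self.counter, self.counter + self.look_ahead + 1):
            expected = [hotp(self.secret, start + i) for i in range(len(otps))]
            if all(hmac.compare_digest(e, o) for e, o in zip(expected, otps)):
                self.counter = start + len(otps)  # resynchronise past the used OTPs
                return True
        return False

def other_device_opens(offline_opens: int, look_ahead: int, synced: bool, n: int = 3) -> bool:
    """Open offline on the phone several times, then try a second device."""
    secret = b"12345678901234567890"  # RFC 4226 test secret (constructed, not a real key)
    token = Token(secret)
    phone, pc = AuxCopy(secret, n, look_ahead), AuxCopy(secret, n, look_ahead)
    for _ in range(offline_opens):
        if not phone.unlock(token.swipe(n)):
            return False
    if synced:
        pc.counter = phone.counter  # synchronising carries the updated auxiliary file over
    return pc.unlock(token.swipe(n))
```

With three OTPs per open and a look-ahead of 9, the second device still opens after three unsynchronized offline opens but not after four; synchronizing first or using a longer look-ahead window restores access.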

Last edited Dec 18, 2013 at 4:11 PM by PhilippC, version 4

Comments

scorpio_x Aug 13, 2016 at 6:47 PM 
Hi ridz84,
I have encountered the same problem as you, since some time around May. I've tried the same things as you. When I swipe the NEO, Opera (browser) opens the page https://my.yubico.com/neo/[OTP code].
I have not managed to solve the problem for a few months now. I have installed YubiClip as a workaround until further, but it's no fun solution.

ridz84 May 12, 2016 at 7:50 PM 
I understand this is an old article and it used to work perfectly for me until recently. I run Keepass2android on both a Nexus 6P and Nexus 5X. On the Nexus 5X it functions as expected but on the Nexus 6P, tapping the Yubikey NEO seems to trigger the browser. I've tried the following:
1. Removing any default actions associated with the browser. (didn't work)
2. Removing and reinstalling keepass2android (didn't work either)

Any idea what could be the issue?