Setting up KeePassXC for MFA in Office 365

KeePassXC is a free and open-source password manager that can also generate one-time codes for MFA. It can be downloaded directly from the KeePassXC password manager website. KeePassXC works with encrypted files that contain login databases, and within these databases it is possible to set up one-time passwords (TOTP) for a specific account.

1. Creating a login details database

If you have an existing database that you want to use, you can skip this step. If you do not have an existing database of logins, you will need to create one. After starting KeePassXC, the program will prompt you to do so:

 

Click Create New Database. Fill in the appropriate database name and click Continue. You will see encryption settings, which you can leave unchanged (the default settings are secure). Click Continue. Then enter and confirm the password that will encrypt your login database. Click Done. The password database takes the form of a file, so KeePassXC prompts you to save the database file: select a suitable location and click Save.

2. Create an item for Office 365

The KeePassXC database is divided into groups and items. An item is a specific account for a specific service with a login name, password, and optionally also the TOTP one-time code generator. If you want to use KeePassXC to manage your passwords, it is a good idea to break the items into groups, and then create an item for your Office365 account in the appropriate group. If you use KeePassXC only to generate codes for Office365, create an item directly in the base group called Root.

In the Entries menu, choose New entry.

 

As a caption you can write Office365. Optionally, you can also save your Office365 username and password in the entry, but you do not have to. Then click OK.

3. Setting up TOTP

a) In KeePassXC, right-click the created Office365 entry and choose TOTP > Set up TOTP:

 

b) Go to https://mysignins.microsoft.com/security-info page in your browser, sign in as needed, and click Add sign-in method.

c) Select the Authentication Application method from the drop-down menu.

 

d) Office365 will offer you the use of Microsoft Authenticator. Click on I want to use a different authenticator app.

 

e) Office365 will prompt you to set up the account in the authentication application. You are done with that already. Click Next.

 

f) Office365 will then prompt you to scan the QR code. Click Failed to scan the image.

 

g) Your Secret Password will be displayed and you can copy it to your clipboard using the associated button:

 

h) Insert this secret key (Ctrl-V) into KeePassXC in the Secret key box and click OK:

 

i) Now in KeePassXC, right-click the created Office365 entry again and select TOTP > Copy TOTP. This copies the one-time code to your clipboard. Paste it (Ctrl-V) into the MFA setup dialog in Office365 and click Next:

 

Note: KeePassXC clears the clipboard after about 10 seconds for security reasons.

4. Use of the TOTP

After starting KeePassXC, the program automatically opens the last created database. If not, open the database with your Office 365 account, enter the database password, unlock the database, find the Office 365 account, right-click it, and choose TOTP > Copy TOTP. Then paste this code (Ctrl-V) into the Office 365 prompt: