2FA/MFA in Kee Vault


#1

From another thread…

There’s no real need for a 2nd factor at the kdbx level because the local client machine already has access to everything required to decrypt the Vault. 2FA is more suitable when utilised for services that require remote sign-in (some of which are online password managers). It can also offer protection against weak passwords - as you know (from discussion in the original thread and elsewhere), the KeePass format has inherent protection against this anyway, and Kee Vault offers even more already. I might consider enforcing a minimum password strength in future but would need to see some evidence that this adds something significant to the overall security of the system first.

Theoretically, the Kee Vault account authentication service could utilise 2FA but since your Vault is always encrypted and a compromise of this service doesn’t make it any more likely that your Vault will be broken into, the only real beneficiary of such a system would be Kee Vault Ltd (in terms of a further disincentive against fraudulent login attempts, DoS attacks, etc.).


#2

When you say 2FA here, do you mean a key file or do you mean a different form of 2FA?


#3

Both really. I’m not sure I see the need to consider key files as a separate form of MFA at this time but if you have some thoughts that lead to different security or usability trade-offs based upon different sources of MFA data, please feel free to elaborate.