HMAC-SHA1 Challenge response?

Hi, the Yubikey 4 supports HMAC-SHA1 for challenge response mode, to be used with KeePassXC (and maybe other applications). I found out that the Nitrokey supports HOTP passwords, but I don’t think these are the same thing? Are they?

If not, is support for HMAC-SHA1 planned for future versions of Nitrokey?

1 Like


technically the Nitrokey Pro and Storage does support HMAC-SHA1, which we frequently refer to as HTOP. Whether this is working the same way it is on Yubikey I can’t say.

As your question seems to aim on KeePassXC there is no support for Nitrokey as second factor right now, as far as I know. See this GitHub issue as well.

But there is a plugin for KeePass if you can’t wait until KeePassXC has implemented such support for OpenPGP Card or HOTP compatible devices. This is described here.

Kind regards

Nice finding! I have dropped them a message.

@anon99020392 You can always register a feature request on Pro’s issues site.

Thanks, I don’t even fully understand what HMAC-SHA1 is, so creating an issue for this doesn’t make a lot of sense for me hehe. ^^

So as far as I understand it, the Nitrokey doesn’t support his yet and cannot be used instead of a Yubikey in KeepassXC. I hope this will be supported in the future! :slight_smile: Thanks for your help.

Mh, that depends on how you see it. I would say KeePassXC does not support Nitrokey yet :smile: But you are right, the Nitrokey is not working the same way as the Yubikey regarding the feature already included in KeePassXC (challenge-reponse), yes. They could either include a HOTP field like it is done in the plugins for KeePass or they find a more general way which works for other smartcards as well, as suggested in the issue.