Setting Up Authenticator Apps

See why customers enjoy using Pleasant Password Server with a KeePass client

(Versions 7+)

Provides Two Factor Authentication (2FA) using One Time Password (OTP) codes generated by the Google Authenticator App, or other similar apps.

Supported Authenticator Apps: 

  • Google Authenticator, Microsoft Authenticator, Authy, DUO mobile, etc.
  • See Supported Providers for more...


  • Time-Synchronization must be enabled: on the Server machine & client devices
  • Users can self-enroll or are configured with 2FA, before the policy requires 2FA


  • Warning: Be careful when setting Two Factor Required, as it could prevent users from logging in unless:
    • Their accounts can be self-enrolled, or,
    • They have been individually configured to use at least one 2FA provider (eg. Authenticator Apps).
  • If users have already been locked out, please Contact us!

Step 1: Configure the Provider

  • Open an existing Policy
  • Once the policy is created: you will see a list of possible 2FA Providers:

2FA Providers List

  • Under Two Factor Policy section, click Configure in the Google Authenticator row of the Configurations table:

Google Authentication provider configuration

  • Service Name: Enter a service name. This will be seen in the application as the label for the Token Generator and will be seen by all Policy users
  • Click the Enabled checkbox: the other checkboxes are optional - read their explanations for further details.
  • Click Save.

Step 2: Configure Two-Factor Settings

  1. Status Required: Requires all users who have been assigned this policy to authenticate with 2FA
    • Note: 2FA Required will prevent users subject to this Policy from logging in unless their accounts
    • Self-Enrollment will not be possible if this flag is not checked.
    • have been individually configured to use at least one TFA provider (eg. Google Authenticator).
    • If users have already been locked out, please Contact us!
  2. Browser Remember Flag: Allows users skip 2FA for secure browsers
  3. Refer to Two Factor Authentication for additional details of the options (below):

Two Factor Policy Settings

Step 3: Set the Policy

  • Attach the Policy to a Role or User:
    • Attach to a Role:
      • Navigate to Users & Roles > Manage Policies.
      • Click Set Role Policy (in the Role Policies section).
      • In the popup that results (shown below), attach the Policy to a role of your choice and click Set policy.
  • attach policy to role user 
    • Attach to a User
      • Navigate to "Users & Roles > Manage Users"
      • Either click Add New User, or click Edit in an existing user's "Actions" dropdown
      • Set the "Policy" field appropriately
      • Click Create or Save (as appropriate)

Step 4: (Optional) Configure a User's Secret

  • It is best to let the user configure their own secret, however, admins can also set as necessary.
  • Navigate to Users & Roles > Manage Users
    • Click the name of either a user with the role from step 3 or the user from step 4.
    • In the Policy Information section you should see a 2FA table; click Configure in the Google Authenticator row.
    • Click Enable; you'll be taken back to the user's Details page.
    • Click Configure again, and keep the resulting page open.
    • (Optionally) Save the secret in a secure location, and/or forward this info to the user.

Step 5: Double-Check Server Time Synchronization

  • The Authenticator application protocol is time-based
    • Ensure that the server and mobile devices remain synced with Network Time Protocol (NTP)
    • This is necessary for this algorithm to function correctly
  • If the time on any of these are out-of-sync (even by 30 seconds), the user will have trouble authenticating: 
    • Check:
      • The Server time
      • The Device time
      • The Authenticator app time (Android) - this app feature can be used to compensate for the device time
  • more info: Google Authenticator help
  • This has been the only authentication issue for users of Authenticator apps, which gives an "Invalid Token" error.

Step 6: Use the App

Choosing Your Two Factor Authenticator

Users with more than one 2FA Provider configured (whether directly or via their roles) will be prompted to choose one during login:

Two Factor Choices