A clean, lightweight, and private two-factor authenticator browser extension. Generate TOTP codes directly in your browser — no phone required for daily use.
Inspired by popular extensions like Authenticator, built as a simpler, focused alternative.
- 🔐 TOTP codes with live updating timers (progress ring)
- ➕ Add accounts:
  - Scan QR code images (otpauth:// from screenshots or exports)
  - Manual entry (issuer, account, secret, digits, period)
- 📋 One-click copy — click card or Copy button
- 🔎 Search — type to filter, press `/` to focus search (like the original)
- ✏️ Edit / Delete accounts via the ⋯ menu on each entry
- 📤 Export / Import JSON backups from the gear menu
- 🌙 Modern dark UI — compact popup, keyboard friendly
- 🛡️ Optional pure client-side encryption — enable a password to encrypt all your 2FA secrets locally with AES-GCM (PBKDF2, 250k iterations). Password and keys never leave your device. We cannot access them.
  - If you forget the password, secrets are permanently lost — always export a backup first!
  - "Lock now", change password, and disable protection are available in the settings (gear) menu.
  - Session remember: once unlocked, the popup stays unlocked for the current browser session (re-asks after browser restart).
- ⚡ No external requests, no tracking
Supports standard TOTP (SHA1 + 6/8 digits, 30s common). HOTP, Steam Guard, and advanced imports (Google Authenticator protobuf) planned.
```bash
npm install
npm run build
```

- Open `chrome://extensions`
- Enable Developer mode
- Click Load unpacked
- Select the `dist/` folder
After code changes:

```bash
npm run build
# or
npm run dev   # (watch mode — rebuilds on src/ changes)
```

Then click the reload icon on the extension card in `chrome://extensions`.

```bash
npm run build:prod
```

Creates a minified `dist/`.
- Click the toolbar icon to open the popup.
- Click + to add your first account.
- Either:
  - Go to the service (GitHub, Google, etc.) → enable 2FA → show QR code → screenshot it → drop the image into the Scan tab, or
  - Choose Manual and paste the provided secret key.
- Codes refresh automatically. Click any code or the Copy button to copy to clipboard.
- Use the gear (⚙) for Export / Import / Clear.
Tip: Many services let you view the existing QR again in 2FA settings, or use a mobile authenticator's "export/transfer" to generate a QR you can screenshot.
- All code generation happens in the browser using Web Crypto (HMAC).
- By default secrets are stored in plain text locally (still only on your machine). You can enable strong client-side password encryption from the ⚙ menu at any time.
- Always keep a secure backup (Export while unlocked). If password protection is on and you forget the password, data is permanently lost.
- The extension requests only the minimal `storage` permission. Clipboard works via the Web Clipboard API with user gesture.
- Password-protected encrypted storage (Web Crypto PBKDF2 + AES-GCM) — optional, local only
- Per-account icons / better branding
- Argon2 KDF option (via WASM) for even stronger derivation
- Per-account notes / icons (brand favicons or custom)
- Import from Google Authenticator (otpauth-migration:// protobuf)
- HOTP support + counter increment
- Firefox / Edge packaging
- Backup to file + optional cloud (user controlled)
- Better keyboard navigation and drag reorder
- Theming (compact / accessibility modes)
```
2FAAuth/
├── dist/ # Built extension (load this)
├── icons/ # PNG icons (new professional logo)
├── logos/ # Source logo variants (1.jpg,2.jpg,3.jpg + 128px previews)
├── scripts/
│ └── build.js # esbuild + asset copier
├── src/
│ ├── manifest.json # MV3 manifest
│ ├── popup.html # Popup UI (inline styles for simplicity)
│ └── popup.ts # All logic: TOTP, QR (jsQR), storage, render
├── package.json
└── tsconfig.json
```
- TypeScript + esbuild (no heavy bundler)
- jsQR (for QR decoding)
- Pure Web Crypto for TOTP (no external OTP libs)
- Chrome Extension Manifest V3
PRs welcome! Start with npm run dev, load unpacked, and iterate.
- No data is ever sent to any server.
- Optional encryption happens 100% in your browser using the Web Crypto API.
- See the full Privacy Policy (bilingual EN/ZH). You can host this file yourself (GitHub Pages, Netlify, etc.) and link it from the Chrome Web Store listing.
When you enable password protection:
- A random salt is generated.
- Your password is turned into a key via PBKDF2 (250,000 iterations, SHA-256).
- Accounts JSON is encrypted with AES-GCM.
- The only way to recover the data is with the exact password you chose.
The extension uses a modern professional logo (shield + stylized 2 with security elements in indigo).
Three design variations were generated:
- `logos/1.jpg` (primary, used for icons — shield with integrated 2)
- `logos/2.jpg`
- `logos/3.jpg`
Previews of the 128px versions are in logos/logo-variant*-128.png.
The icons/ folder contains the final rounded 16/32/48/128 PNGs used by the manifest and popup header.
MIT
Made for the 2FAAuth project.
For Chrome Web Store publishing: Remember to upload the privacy-policy.html (or host it) and fill the Privacy practices section in the Developer Dashboard honestly. The current permission set (storage) is minimal and justified.