Client-side 2FA: why your secret should never leave the browser

A look at the privacy trade-offs between cloud-synced authenticator apps and zero-knowledge, local-only generators.

What a cloud-synced authenticator sees

When your authenticator syncs across devices, your TOTP secrets sit — encrypted or not — on someone else's servers. A breach of that vendor is a breach of every account those secrets protect.

The zero-knowledge alternative

A client-side generator like 2FA auth never transmits your secret. The HMAC and truncation run in your tab via the Web Crypto API; close the tab and there is nothing left behind on any server.

Trade-offs

You give up automatic sync and backup. For high-value accounts, pair a hardware key or an audited authenticator with a written backup of your recovery codes.

Last updated: June 26, 2026