Frequently asked questions

How does 2FA auth work?

2FA auth runs entirely in your browser. It uses the Web Crypto API to compute RFC 6238 time-based one-time passwords (TOTP) from the Base32 secret you paste. No secret or code is sent to a server.

Is 2FA auth safe to use?

The tool itself is designed to be zero-knowledge: all cryptographic operations happen locally in your browser. Treat it as you would any authenticator app — only enter secret keys you own or are authorized to test, and avoid pasting secrets on shared or untrusted devices.

What does "client-side" and "local-first" mean?

Client-side means the TOTP math and key handling run in your browser, not on our servers. Local-first means any saved codes or settings are stored in your browser's localStorage unless you choose otherwise. We never see your data.

Can I save my secret keys for later?

Yes. The Saved Codes feature lets you store names and secrets in your browser. They are stored in localStorage and can be optionally encrypted with a passphrase using the Web Crypto API.

What happens if I forget my encryption passphrase?

If you enable passphrase encryption, the keys are encrypted before being stored. Forgetting the passphrase means the saved secrets cannot be recovered — there is no backdoor or reset mechanism. Keep your passphrase somewhere safe.

Can I import or export my saved codes?

Yes. You can export your saved codes to JSON or a plain text backup. Imports support the same formats; the importer skips invalid or duplicate entries and reports what was skipped so the rest of the file still loads.

Does 2FA auth work offline?

Once the page is loaded, the core TOTP generator and saved codes work without a network connection. The site only needs the internet to load initially or to update.

Do I need an account?

No. The generator works without an account. Some optional features, like the admin dashboard, may require signing in, but generating TOTP codes and saving them locally does not.

Which services are compatible?

Any service that supports standard TOTP authenticator apps (Google, GitHub, Microsoft, AWS, Dropbox, and many more) is compatible. The tool expects a Base32 secret key, which is the default format used by most authenticator setups.

How is this different from Google Authenticator or Authy?

2FA auth is a web-based tool for quick generation, testing, and learning. It does not require installing an app, but it also does not offer backup sync or account recovery the way dedicated authenticator apps do. Use it for convenience, testing, or emergencies, not as your primary 2FA vault.

Are there keyboard shortcuts?

Yes. The Saved Codes drawer supports shortcuts such as focusing search, navigating items, copying a selected code, and removing it. Look for the shortcut hints inside the saved codes panel.

Is 2FA auth affiliated with Google, Microsoft, or Authy?

No. 2FA auth is an independent educational project and is not affiliated with any authenticator vendor or service provider.

Can I use this for production 2FA logins?

The code is generated using the same open standard as production authenticator apps, so the numbers are valid. However, the tool is provided as-is for educational and testing purposes. You are responsible for the security of the device and browser you use it on.

How do I report a bug or request a feature?

Use the contact channel listed on the About page. Please include the browser, steps to reproduce, and what you expected to happen.