Frequently Asked Questions
Direct answers to common questions about TOTPBOX architecture, pricing, migration, and security boundaries.
Last updated: March 19, 2026
Quick summary: TOTPBOX is built to keep authentication secrets local-first, encrypted, and operationally manageable while users transition from legacy TOTP to Passkeys.
Questions and Answers
1. What is TOTPBOX?
TOTPBOX is a local-first authentication companion that helps you manage TOTP accounts while guiding upgrades to Passkeys. It focuses on authentication only, not password storage.
2. Does TOTPBOX store my passwords?
No. TOTPBOX follows a strict no-passwords boundary: it stores TOTP secrets and recovery materials, but it is not a general-purpose password manager. A breach of a TOTPBOX vault exposes no passwords. It would, however, expose second-factor material (TOTP seeds and recovery codes), which is exactly why that material is encrypted at rest rather than treated as harmless.
3. How is TOTPBOX different from Google Authenticator or Authy?
TOTPBOX emphasizes local-first encryption, recovery-code management, and migration guidance toward Passkeys. Unlike Google Authenticator, it encrypts secrets with AES-256-GCM on-device and provides an Auth Health Dashboard that shows which accounts are ready for a Passkey upgrade. Unlike Authy, it never stores master passwords or unencrypted secrets in the cloud.
4. Is TOTPBOX free?
Yes. The Free tier is $0/month and includes core local TOTP workflows, Passkey protocol awareness, and unlimited accounts. Paid plans add features like encrypted cloud sync ($4/month Pro) and team capabilities ($12/user/month Team).
5. Which platforms are supported?
TOTPBOX targets iOS, macOS, Windows, Android, and Linux workflows, with browser-extension support for fast login flows in Chromium-based browsers.
6. Can I export my data?
Yes. TOTPBOX supports import and export workflows so you can migrate data in or out as your security requirements evolve.
7. Can teams use TOTPBOX?
Yes. The Team plan is designed for shared security operations, including org-level visibility and controlled collaboration features.
8. Does TOTPBOX require a cloud account for the free tier?
No. Core local functionality can be used without creating a cloud account. Cloud-linked features are optional and tied to paid tiers.
9. What is TOTP and how does it work?
TOTP (Time-based One-Time Password) is a two-factor authentication method defined in RFC 6238. It combines a shared secret key with the current time step (a 30-second window by default) using HMAC-SHA1, then truncates the result to a short numeric code, 6 digits by default; the RFC also allows 8 digits and the SHA-256 and SHA-512 variants. The server and your device independently compute the same code from the same secret and clock, so only the code, never the secret, is sent at login. The secret itself is shared once at enrollment (usually as a QR code) and is held by both sides from then on, which is why both the server's copy and yours need protecting. TOTPBOX stores your copy locally with AES-256-GCM encryption.
10. What is the difference between TOTP and HOTP?
TOTP (Time-based One-Time Password, RFC 6238) derives its counter from the current time, producing a new code every 30 seconds. HOTP (HMAC-based One-Time Password, RFC 4226) uses an explicit counter that both sides increment with each use, so the server must track the counter and resynchronize if the client drifts ahead. Both are the same HMAC-and-truncate construction; TOTP is HOTP with the counter set to the number of elapsed time steps. TOTP is more widely adopted because codes expire automatically, which shrinks the replay window, though a server should still accept each time step at most once. TOTPBOX supports both standards.
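The construction behind questions 9 and 10, as an added example in Go (this is not TOTPBOX code): HOTP per RFC 4226, TOTP as HOTP over a time-step counter, and a relying-party verifier that tolerates clock skew but refuses replays. The seed is the reference secret from the RFCs' own appendices, so the printed codes can be checked against the published test vectors; the `Verifier` type and its field names are this example's own choices.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"hash"
)

// rfcSecret is the reference seed shared by RFC 4226 Appendix D and RFC 6238
// Appendix B (ASCII "12345678901234567890"); it is used here so the outputs
// can be checked against the published test vectors.
var rfcSecret = []byte("12345678901234567890")

// HOTP implements RFC 4226: HMAC(K, C), dynamic truncation, then D decimal digits.
// h selects the hash (nil means SHA-1); RFC 6238 permits sha256.New and
// sha512.New in the same construction.
func HOTP(secret []byte, counter uint64, digits int, h func() hash.Hash) string {
	if h == nil {
		h = sha1.New
	}
	msg := make([]byte, 8)
	binary.BigEndian.PutUint64(msg, counter) // moving factor: 8-byte big-endian
	mac := hmac.New(h, secret)
	mac.Write(msg)
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // low nibble of the last byte selects a 4-byte window
	bin := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, bin%mod)
}

// TOTP implements RFC 6238: HOTP with the counter set to floor(unixTime / step).
func TOTP(secret []byte, unixTime, step int64, digits int, h func() hash.Hash) string {
	return HOTP(secret, uint64(unixTime/step), digits, h)
}

// Verifier is the relying-party side. It tolerates Window steps of clock skew on
// either side and refuses any step at or before the last accepted one, so a code
// that was already used cannot be replayed inside its validity window.
type Verifier struct {
	Secret       []byte
	Step         int64
	Digits       int
	Window       int64
	lastAccepted int64 // -1 until the first successful check
}

func NewVerifier(secret []byte, step int64, digits int, window int64) *Verifier {
	return &Verifier{Secret: secret, Step: step, Digits: digits, Window: window, lastAccepted: -1}
}

// Verify checks code against the steps around now (a Unix timestamp).
func (v *Verifier) Verify(code string, now int64) bool {
	current := now / v.Step
	for c := current - v.Window; c <= current+v.Window; c++ {
		if c < 0 || c <= v.lastAccepted {
			continue // already consumed, or older than a step already consumed
		}
		want := HOTP(v.Secret, uint64(c), v.Digits, nil)
		if subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1 {
			v.lastAccepted = c
			return true
		}
	}
	return false
}

func main() {
	// RFC 4226 Appendix D, counters 0 and 1.
	fmt.Println(HOTP(rfcSecret, 0, 6, nil), HOTP(rfcSecret, 1, 6, nil)) // 755224 287082
	// RFC 6238 Appendix B, T=59 (step 1) with SHA-1 and 8 digits.
	fmt.Println(TOTP(rfcSecret, 59, 30, 8, nil)) // 94287082
	// Server-side check: the code for step 1 is accepted once, then rejected as a replay.
	v := NewVerifier(rfcSecret, 30, 6, 1)
	code := TOTP(rfcSecret, 59, 30, 6, nil)
	fmt.Println(v.Verify(code, 59), v.Verify(code, 61)) // true false
}
```

Two details carry the security weight here: the comparison is constant-time, and `lastAccepted` moves forward only, so an attacker who captures a code cannot reuse it even though the window still covers its time step.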
11. What is a Passkey and how is it different from TOTP?
A Passkey is a phishing-resistant credential based on the FIDO2/WebAuthn standard. Unlike TOTP, which requires you to copy a 6-digit code, a Passkey is a public/private key pair: the private key stays on your device (often in hardware-backed storage such as a secure enclave or TPM) and is unlocked with a biometric or PIN, while the service holds only the public key. Because the signature is bound to the site's origin and there is no shared secret, a look-alike site cannot collect anything reusable, and a breach of the service's database yields only public keys. TOTPBOX manages your TOTP codes today while alerting you when each account supports upgrading to a Passkey.
12. Is TOTP more secure than SMS-based 2FA?
Yes. SMS-based 2FA is vulnerable to SIM-swapping, SS7 interception, and social engineering of mobile-carrier staff. TOTP codes are generated locally on your device from a secret that never travels over the cellular network. NIST SP 800-63B (2017) classifies SMS and voice out-of-band authentication as "restricted", requiring that users be offered an alternative, and its later revisions favor phishing-resistant authenticators such as Passkeys. Note that TOTP is not itself phishing-resistant: a code typed into a look-alike site can be relayed to the real one within its validity window. TOTP removes the carrier from the trust chain; Passkeys are the step that removes phishing.
13. How do I migrate from Google Authenticator to TOTPBOX?
Open Google Authenticator, tap the menu icon, and select 'Export accounts' to generate a QR code. In TOTPBOX, use the import function to scan this QR code; the imported secrets are encrypted with AES-256-GCM and stored locally. Verify every account by checking that TOTPBOX and Google Authenticator show the same code at the same moment before you remove anything from the old app. Treat the export QR code as the plaintext secrets it contains: show it only to the importing device, and do not screenshot or share it.
14. What is a local-first authenticator app?
A local-first authenticator keeps sensitive data encrypted on the device by default. Any sync workflow uses encrypted payloads so service operators cannot read your secrets. This means your TOTP keys, recovery codes, and account metadata never exist in plaintext on any server.
15. What encryption does TOTPBOX use?
TOTPBOX uses AES-256-GCM (Advanced Encryption Standard with 256-bit keys in Galois/Counter Mode) for vault encryption. AES-256-GCM is an authenticated encryption scheme: it provides confidentiality and an authentication tag, so any modification of the ciphertext is detected at decryption time instead of yielding silently corrupted data. Two conditions are required for GCM to deliver this: every encryption under a given key must use a unique nonce, and the tag must verify before any plaintext is used. Key derivation relies on modern platform primitives for secure storage boundaries.
16. What is a recovery code and why does it need a vault?
A recovery code is a one-time backup credential provided by a service when you enable two-factor authentication. If you lose access to your authenticator, the recovery code lets you regain access to your account. Most people store these codes in insecure places like notes apps or screenshots. TOTPBOX's Recovery Code Vault stores them with AES-256-GCM encryption alongside your TOTP secrets, so they are protected by the same security model.
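The vault properties described in questions 15 and 16 (authenticated encryption, tamper detection, and the nonce requirement), as an added example in Go that is not TOTPBOX's own code. The record layout (nonce || ciphertext || tag), the use of a record identifier as associated data, and the function names are this example's assumptions, not TOTPBOX's documented format; the key is drawn from the OS random source here in place of the platform keystore the page refers to, and the record ID and base32 seed are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// ErrTampered is returned when a record's GCM tag does not verify: a changed
// ciphertext, a changed nonce, a wrong key, or a record ID that does not match.
var ErrTampered = errors.New("vault record failed authentication")

// NewVaultKey stands in for the 256-bit key a real app would obtain from the
// platform keystore; it is generated randomly here only so the example runs offline.
func NewVaultKey() ([]byte, error) {
	key := make([]byte, 32) // 32 bytes = AES-256
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // 96-bit nonce, 128-bit tag
}

// Seal encrypts one vault record (a TOTP secret or a recovery code). A fresh
// random 96-bit nonce is drawn per call; GCM's confidentiality and integrity
// both collapse if a (key, nonce) pair is ever reused. The record ID is bound
// as associated data, so a ciphertext copied onto another record fails to open.
// Output layout: nonce || ciphertext || 16-byte tag.
func Seal(key, recordID, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, recordID), nil
}

// Open reverses Seal and authenticates before returning any plaintext.
func Open(key, recordID, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns+gcm.Overhead() {
		return nil, ErrTampered
	}
	pt, err := gcm.Open(nil, sealed[:ns], sealed[ns:], recordID)
	if err != nil {
		return nil, ErrTampered // do not surface the library's internal error text
	}
	return pt, nil
}

// NonceReuseLeak shows why Seal must never reuse a nonce: two records sealed
// under the same key and nonce give ciphertexts whose XOR equals the XOR of
// the plaintexts, so knowing one secret reveals the other. It returns
// c1 XOR c2 over the ciphertext bodies (tags excluded).
func NonceReuseLeak(key, p1, p2 []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // the bug being demonstrated: a fixed nonce
	c1 := gcm.Seal(nil, nonce, p1, nil)
	c2 := gcm.Seal(nil, nonce, p2, nil)
	n := len(p1)
	if len(p2) < n {
		n = len(p2)
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = c1[i] ^ c2[i]
	}
	return out, nil
}

func main() {
	key, err := NewVaultKey()
	if err != nil {
		panic(err)
	}
	id := []byte("record:example.com:alice")           // constructed record identifier
	sealed, err := Seal(key, id, []byte("JBSWY3DPEHPK3PXP")) // constructed base32 seed
	if err != nil {
		panic(err)
	}
	pt, err := Open(key, id, sealed)
	fmt.Printf("opened: %s err=%v\n", pt, err)
	sealed[len(sealed)-1] ^= 1 // flip one bit of the tag
	_, err = Open(key, id, sealed)
	fmt.Println("after tampering:", err)
	leak, _ := NonceReuseLeak(key, []byte("secret-one"), []byte("secret-two"))
	fmt.Printf("nonce reuse, c1 XOR c2 = %x (zeros where the plaintexts agree)\n", leak)
}
```

The XOR printed at the end is the practical meaning of the nonce rule: with a repeated nonce the keystream repeats, so an attacker holding two records and one known plaintext reads the other directly, tag or no tag.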
17. Is local-first storage more secure than cloud storage?
Local-first storage removes the server from the set of places your secrets can leak from: when they are encrypted and held only on your device, an attacker who compromises the service's servers finds nothing to take. Cloud storage adds trust requirements, since you must rely on the provider's encryption implementation, key management, and access controls. The flip side is that your secrets are then only as safe as your own device, so the device itself (screen lock, OS updates, and what you allow to read app data and backups) becomes the security boundary that matters.
18. How does Passkey migration work in TOTPBOX?
TOTPBOX surfaces which accounts are still TOTP-only versus Passkey-ready and gives migration guidance. When a service you use begins supporting Passkeys (FIDO2/WebAuthn), TOTPBOX highlights this in your Auth Health Dashboard. You can then follow step-by-step instructions to register a Passkey with that service. Passkeys remain managed by your platform's security stack — TOTPBOX does not store Passkeys themselves.
19. What happens if I lose my device?
If you use the Free tier (local-only), the vault exists only on that device, so export an encrypted backup before you need it and keep your recovery codes somewhere reachable without the device. If you use the Pro tier, your encrypted vault syncs across devices and you can restore from another one. In both cases, the Recovery Code Vault keeps your one-time backup codes available for account recovery. TOTPBOX never stores your data in plaintext on any server.
20. Where can I learn implementation details and security decisions?
See the TOTPBOX Whitepaper for architecture and threat-model context, the Security Documentation for implementation details, and the legal pages for data processing and privacy guarantees.