TOTPBOX Security Whitepaper
Architecture and security model for local-first authentication workflows bridging TOTP and Passkeys.
Last updated: March 19, 2026
Author: Perry Lei
Reviewed: March 21, 2026 by TOTPBOX Security Review
Scope: this whitepaper describes the product security design and operational assumptions for TOTPBOX as of March 19, 2026.
1. Product Overview
TOTPBOX is an authentication companion focused on two outcomes: protecting TOTP workflows today and reducing long-term dependence on shared-secret OTP through Passkey migration.
- Manage and generate TOTP credentials with local-first encryption
- Track security posture through account-level health workflows
- Store and manage recovery materials in encrypted form
- Guide users toward Passkey adoption where supported
2. Local-First Security Boundary
TOTPBOX enforces a strict separation between authentication secrets and remote services. Sensitive payloads are encrypted on-device before any sync or backup action.
- Master keys are not transmitted to service infrastructure
- Vault records are encrypted before persistence or transfer
- Service operators handle ciphertext, not plaintext secrets
- Passkey credentials stay under platform credential managers
3. Cryptographic Model
3.1 Data Confidentiality
Vault objects use AES-256-GCM for authenticated encryption. This provides confidentiality and tamper detection for stored records.
3.2 Key Handling
Key derivation and secure key storage use platform-provided security primitives whenever available. The design goal is to avoid exposing usable key material to server-side systems.
3.3 Integrity Checks
Encrypted blobs carry integrity metadata bound into the authentication tag, so a modified payload fails verification during decryption and no plaintext is released.
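The confidentiality and integrity properties of 3.1 and 3.3, shown as an added Go example that is not TOTPBOX code: AES-256-GCM seals a vault record, the record's header is bound as associated data, and any altered byte makes decryption fail closed. The record layout, header format and the stand-in key are assumptions; a real deployment would obtain the key from platform key storage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// VaultRecord is a constructed stand-in for one encrypted vault record.
type VaultRecord struct {
	Header     []byte // integrity metadata, e.g. record id + format version (constructed layout)
	Nonce      []byte // 12-byte GCM nonce, fresh for every Seal
	Ciphertext []byte // AES-256-GCM output with the 16-byte tag appended
}

// newGCM builds the AEAD; aes.NewCipher would silently accept 16/24-byte keys, so 32 is enforced.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, aes.KeySizeError(len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecord encrypts plaintext and authenticates header (as associated data) in one operation.
func SealRecord(key, header, plaintext []byte) (*VaultRecord, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := aead.Seal(nil, nonce, plaintext, header)
	return &VaultRecord{Header: header, Nonce: nonce, Ciphertext: ct}, nil
}

// OpenRecord verifies the tag before releasing plaintext: any changed byte in
// header, nonce or ciphertext yields an error and no data.
func OpenRecord(key []byte, rec *VaultRecord) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, rec.Nonce, rec.Ciphertext, rec.Header)
}
```

Because the header is authenticated but not encrypted, a sync service can read record ids and versions for routing while still being unable to alter them undetected.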
4. Threat Model
TOTPBOX is designed to reduce exposure to common OTP-management risks rather than eliminate all account compromise vectors.
- Mitigates plaintext secret exposure in hosted infrastructure
- Reduces blast radius of service-side database compromise
- Supports safer account recovery handling through dedicated vaulting
- Does not prevent endpoint compromise on user devices
- Does not replace account hygiene such as phishing-resistant login practices
5. TOTP-to-Passkey Transition Model
TOTPBOX treats Passkeys as the destination security model and TOTP as a transitional compatibility layer. The product maps account readiness and encourages staged migration.
- Identify Passkey-capable account targets
- Guide migration planning by account criticality
- Retain fallback TOTP only where migration is blocked
- Promote hardware-bound credentials for high-value services
6. Audit and Assurance Roadmap
Independent third-party security assessment is planned as the product reaches broader production rollout. Until then, this whitepaper and the public legal/security documents define the current trust posture.
- Publish scope and methodology before third-party review begins
- Release high-level findings and remediation status
- Track recurring security reviews as release cadence increases
7. Security Contact
For disclosure, review questions, or architecture clarifications, contact perry.lei@gmail.com.
8. External References
This whitepaper references public standards and security guidance to keep terminology, threat assumptions, and migration language aligned with widely used industry baselines.