
iamkunal9/local-authenticator


Local Authenticator: Private TOTP Vault

A standalone Chrome extension for generating private 2FA codes from an encrypted local TOTP vault. It is designed to stay isolated from websites: no content scripts, no host permissions, no background page, and no website messaging surface.

Features

  • Google Authenticator-style popup UI.
  • Add TOTP accounts manually, from otpauth:// URLs, or from Google Authenticator export QR images/camera scans.
  • Live six-digit codes with countdown.
  • Copy code button.
  • Search, edit, and delete accounts.
  • Encrypted vault with password setup and unlock screen.
  • Optional platform biometric/passkey unlock for the active 24-hour session.
  • Manual lock button.
  • 24-hour unlock session using chrome.storage.session.

Security Model

  • The extension manifest only requests storage.
  • Websites cannot access the vault through content scripts because there are no content scripts.
  • Websites cannot call into the extension because there is no externally_connectable surface.
  • Secrets are encrypted at rest with @metamask/browser-passworder, using the same class of PBKDF2 + AES-GCM browser vault design used by MetaMask tooling.
  • The password is not stored.
  • Decrypted secrets live in popup memory only while unlocked.
  • The 24-hour convenience unlock stores exported vault key material in chrome.storage.session, not the raw password. Without biometric unlock it is cleared by manual lock, expiry, browser restart, extension reload, update, or disable.
  • Biometric/passkey unlock uses WebAuthn with a platform authenticator and no explicit RP ID, which is the supported pattern for extension origins. When enabled, manual lock keeps the vault closed in the UI but requires successful device verification before the cached session key can be reused. New enrollments also wrap the vault session key with WebAuthn PRF material so biometric unlock can restore the session after expiry on devices that support PRF.
  • Clipboard copy writes only the current TOTP code, not the secret.

Install From Source

npm install
npm run build

Then load the extension:

  1. Open chrome://extensions.
  2. Enable Developer mode.
  3. Click Load unpacked.
  4. Select the dist/ folder.

Development

npm install
npm run dev

Tests

npm test
npm run build
npm run test:e2e
npm audit

Release Package

Create a zipped extension package:

npm run package:extension

This creates local-authenticator-private-totp-vault.zip from the generated dist/ folder.

GitHub Releases

Compiled dist/ output is intentionally not committed. Tagged releases build the extension and upload local-authenticator-private-totp-vault.zip as a release artifact.

Create a release by pushing a version tag:

git tag v0.1.0
git push origin v0.1.0

About

Private 2FA code generator with an encrypted local TOTP vault, password unlock, optional biometric unlock, and no website access.
