Manifest Verification

Permissions & Privacy

ZeroAuth operates strictly offline. Below is an audit of every system permission our application requests—why it is needed and our promise to keep your secrets private.

Camera Access

On-Demand Scan
  • Used strictly to scan 2FA setup QR codes
  • Triggered only when you press "Scan QR" in the app
  • Camera stream is processed locally in temporary memory
  • No photos or video feeds are recorded, saved, or uploaded

Biometric Hardware

Enclave Isolated
  • Used to unlock the vault (Face ID / Touch ID / Fingerprint)
  • Authentication is handled entirely by your operating system
  • ZeroAuth never receives or stores your raw biometric templates
  • Flushed immediately upon closing or locking the app

PIN Protection

Hashed Locally
  • Acts as a secure fallback when biometrics are unavailable
  • PIN values are salted and hashed locally using PBKDF2
  • Protects the vault database from device shoulder-surfing
  • PIN hashes are stored in secure local hardware sandboxes

Clipboard Buffer

Write-Only Access
  • Used to copy generated 2FA token codes with a single tap
  • The app only writes to the clipboard — it never reads from it
  • Clipboard contents are never saved or sent to any server
  • Codes are cleared from the buffer in accordance with system rules

Local Disk Storage

Keychain Secured
  • Stores credentials, account labels, and app config locally
  • Utilizes iOS Keychain / Android Keystore encrypted sectors
  • No cloud sync runs by default; it starts only with your action
  • Deleting the ZeroAuth app wipes all stored credential data

Internet & Network

Offline First
  • ZeroAuth generates all TOTP passcodes fully offline
  • Network access is optional for checking updates
  • No account secrets or tokens are ever sent over a connection
  • The codebase contains no advertising or analytics tracking SDKs

Encrypted Backups

User-Initiated
  • Allows export of your accounts in an encrypted archive
  • Backups are encrypted using AES-256 with your password
  • Files are saved locally or shared manually via the system share sheet
  • You own and are responsible for protecting these files

Screen Security

Enforced Overlay
  • Prevents screenshots and screen recording of credentials
  • Obscures the app screen in the recent apps switcher preview
  • Protects against visual shoulder-surfing in public spaces
  • Protects against unauthorized screen mirroring and casting

Our Zero-Knowledge Promise

ZeroAuth contains absolutely zero telemetry code, advertising SDKs, tracking cookies, or analytics services. We have no backend databases where your cryptographic seeds are stored. Everything remains local to your device.

Privacy Support

Optional Labs India • support desk