Offline authenticator app, no internet required.
ZeroAuth generates time-based one-time passwords entirely on-device using the TOTP algorithm (RFC 6238). Your credentials live in a local AES-256-GCM encrypted vault — no cloud sync, no server connection, no dependency on ZeroAuth infrastructure for code generation.
Architecture
How offline TOTP works
Local seed storage
TOTP seeds (shared secrets) are imported via QR code or manual entry and immediately encrypted with AES-256-GCM. The encrypted data is written to the device hardware enclave — never transmitted anywhere.
On-device code generation
When you open ZeroAuth, codes are computed locally using HMAC-SHA1, keyed with the stored seed, over a counter equal to the current Unix timestamp divided by the 30-second time step. This is RFC 6238 TOTP. No network request is made.
Zero server dependency
ZeroAuth has no server component involved in TOTP generation. The app works identically in airplane mode, on air-gapped networks, or in environments where internet access is restricted or unavailable.
Comparison
Offline vs. cloud-synced authenticators
| Property | ZeroAuth (offline-first) | Cloud-synced authenticators |
|---|---|---|
| Works without internet | ✓ Always | ✗ Sync/restore requires connectivity |
| Seed storage location | Device hardware enclave | Cloud server + device |
| Server breach risk | None — no server copy | Exists if server is compromised |
| Backup method | AES-256 encrypted file (local) | Cloud account sync |
| Account recovery | Encrypted backup file | Cloud account login |
Common questions
Frequently asked questions
Does ZeroAuth work offline?
Yes. ZeroAuth generates TOTP codes entirely on-device using the RFC 6238 algorithm. No internet connection is required for code generation, vault access, or autofill. The app functions fully in airplane mode, on isolated networks, or in environments without any connectivity.
Can ZeroAuth work without cloud sync?
Yes. ZeroAuth uses a local-first architecture. Your credentials and TOTP seeds are stored exclusively in an AES-256-GCM encrypted vault on your device. Cloud sync is not required for any core function. Optional transport features may be available for enterprise environments.
How are TOTP secrets stored offline?
TOTP seeds and credentials are encrypted with AES-256-GCM. The encryption key is derived from your PIN using PBKDF2 with HMAC-SHA256 (100,000–310,000 iterations). The derived key is stored exclusively in the device hardware enclave (iOS Keychain or Android Keystore) and never transmitted.
Is an offline authenticator more secure than a cloud-synced one?
An offline authenticator eliminates server-side attack surface. If there is no server storing your TOTP seeds, there is no server to breach. Trade-offs include manual backup responsibility. ZeroAuth provides AES-256 encrypted local backups so you retain recovery capability without cloud exposure.
Can I migrate from Google Authenticator to ZeroAuth?
Yes. ZeroAuth supports QR code import from standard TOTP setup URIs and encrypted migration from other authenticator apps. The migration process occurs entirely on-device.
Written by the Optional Labs Security Team · Published May 2025 · Updated May 2025
