Privacy-first authenticator
Your data never leaves your device.
ZeroAuth is built on a local-first architecture: credentials, TOTP seeds, and saved passwords are encrypted on-device and never transmitted to external servers. No telemetry is collected from the authenticator engine. The vault encryption key is derived on the device and held only in the device's hardware-backed keystore; it is never sent to Optional Labs.
Privacy Model
Six privacy properties
No credential telemetry
The authenticator engine does not transmit behavioral data, usage patterns, or any credential-related information to external services.
Local-first storage
Your vault is stored exclusively on your device inside an AES-256-GCM encrypted container. GCM is an authenticated mode, so a container that has been modified fails to decrypt instead of yielding silently corrupted data. There is no server-side copy of your credentials.
Zero-knowledge encryption
The vault encryption key is derived from your PIN with PBKDF2 on the device. Optional Labs holds no master key and no copy of the vault, so it cannot decrypt your vault under any circumstances.
Hardware enclave isolation
The derived encryption key is stored in the platform keystore (iOS Keychain / Android Keystore). On supported devices the keystore is backed by the hardware enclave, so the key is never written to ordinary, software-readable app storage.
No third-party analytics in vault
No analytics SDKs, no ad networks, and no third-party tracking operate within the credential management scope of the application.
Open encryption specification
The full cryptographic specification — algorithms, iterations, key derivation — is documented publicly so it can be independently reviewed.
What ZeroAuth does not do
- ✗ Store your credentials or TOTP seeds on ZeroAuth servers
- ✗ Transmit vault data to any third party
- ✗ Collect usage behavior or analytics from the credential engine
- ✗ Hold a master decryption key for your vault
- ✗ Require internet connectivity for TOTP code generation
- ✗ Share your data with advertising or analytics networks
Questions
Privacy questions answered
Does ZeroAuth collect any telemetry or usage data?
No. ZeroAuth does not collect telemetry, usage analytics, crash reports tied to identity, or behavioral data from the core authenticator engine. What happens in your vault stays on your device.
Does ZeroAuth store my credentials on its servers?
No. ZeroAuth operates a strict local-only boundary. Your credentials, TOTP seeds, and passwords are encrypted and stored exclusively on your device. Optional Labs has no access to, and no copy of, your vault contents.
What personal data does ZeroAuth process?
ZeroAuth processes your credentials locally on your device for the purpose of generating authentication codes and enabling autofill. Account authentication for the ZeroAuth app itself may involve a Firebase Auth token, which is handled under our Privacy Policy. No credential vault data is transmitted.
Is ZeroAuth zero-knowledge?
Yes. The vault encryption model is zero-knowledge by architecture. The encryption key is derived from your PIN using PBKDF2 on the device and is stored in your device's hardware-backed keystore; neither key material nor vault data is ever sent to Optional Labs, so Optional Labs cannot decrypt your vault even if compelled to do so.
Does ZeroAuth use cloud sync?
Local-first architecture is the foundation. Cloud sync is not required for any core function. Optional transport and enterprise sync features may be introduced in future versions with explicit user consent and transparent architecture.
Written by the Optional Labs Security Team · Published May 2025 · Updated May 2025
