Protection Model

ZeroAuth is designed from the ground up with a zero-trust, local-first security architecture.

No Server-Side Storage

We operate on a strict "Local-only" philosophy. ZeroAuth does not transmit, sync, or store your TOTP secrets, account names, or generated codes on our servers or any cloud provider. Your keys never leave your device unless you explicitly export an encrypted backup.

PIN-First Security Model

The primary line of defense for your vault is a secure PIN. This ensures that even if your device is unlocked, someone holding it cannot read your 2FA codes without entering the PIN.

Optional Biometric Layer

For convenience without sacrificing security, you can enable biometric authentication (FaceID/TouchID/Fingerprint) as an optional layer on top of your PIN.

Local-Only Storage

Your secrets are stored within the encrypted hardware enclave or secure keystore provided by your mobile operating system. They are never written to storage in plaintext.

AES-256 Encrypted Backups

When you choose to export your data, the backup file is symmetrically encrypted with AES-256 under a strong password of your choosing. The encryption happens entirely offline on your device.