Two-Factor Authentication, Built In

PassCryp generates TOTP two-factor codes inside the vault, right next to the password they protect. Seeds are end-to-end encrypted, codes refresh every 30 seconds, and you never have to juggle a separate authenticator app again.

TOTP codes next to passwords

Open an item to see the password and the rolling 6-digit code. One click copies either; the clipboard clears after 30 seconds.

End-to-end encrypted TOTP seeds

Seeds are encrypted with AES-256-GCM alongside passwords. We can't generate your 2FA codes.

Cross-device sync

Same codes on laptop, phone, tablet. No more lost codes when you switch phones.

Encrypted backup of seeds

Lose your phone? Your TOTP seeds are in your vault, backed up the same way as passwords.

Import from Google Authenticator

Scan the migration QR from Google Authenticator and PassCryp imports every seed in one step.

Why a separate authenticator app is fragile

Google Authenticator and Authy store TOTP seeds locally (or with limited cloud backup). Lose your phone, change phones, factory-reset, and you lose access to every account those codes protect. Recovery is per-account: contact support, prove identity, regenerate.

Storing TOTP seeds in your password vault makes them part of your normal backup story. Sync covers them, recovery kits cover them, and switching phones is a non-event — sign in to PassCryp on the new phone and your codes are there.

Is keeping the password and TOTP together less secure?

Security professionals are split on this. The classical 2FA argument is 'something you know + something you have': splitting password (in vault) and TOTP (on phone) means a compromised vault still requires a second device.

The counter-argument: a compromised vault means the attacker has unlocked your vault, which requires your master password. If they have your master password, your account security has already failed in a way 2FA-on-a-second-device won't save you from.

The pragmatic answer: keeping TOTP in PassCryp is much better than having no 2FA at all, which is what happens when authenticator apps become annoying. The strongest setup is hardware keys (YubiKey, etc.) for your most sensitive accounts plus TOTP-in-vault for everything else.

How to set it up

When a site offers 2FA setup, scan the QR code with PassCryp's built-in scanner (browser extension or mobile app). The seed is parsed, encrypted, and stored on the matching vault item. From then on, the 6-digit code displays next to the password.

For Google Authenticator migration, open Authenticator → Transfer Accounts → Export. Scan the migration QR with PassCryp. Every seed imports in one step.

For high-value accounts (your email, banking, primary cloud provider), pair PassCryp TOTP with a hardware key for defense in depth.

Frequently asked questions

Is TOTP in PassCryp free?

Yes — TOTP code generation is on the Free tier. No upgrade required.

Can I import from Google Authenticator?

Yes — open Authenticator → Transfer Accounts → Export, scan the migration QR with PassCryp. All seeds import in one step.

What if I lose my phone with PassCryp?

Sign in on another device and your TOTP codes are there. Then revoke the lost phone's session from Settings.

Does this replace hardware keys?

For most accounts, yes. For your most sensitive accounts (email, banking, cloud), we recommend pairing TOTP-in-vault with a hardware key (YubiKey).

Are TOTP seeds end-to-end encrypted?

Yes. Seeds are encrypted with AES-256-GCM alongside passwords. We cannot generate your 2FA codes even if asked.

Does TOTP work offline?

Yes. Code generation is local — no network call. Works on a plane or in airplane mode.
