Overview

PassAgent stores TOTP (Time-based One-Time Password) secrets alongside your password entries. Secrets are encrypted client-side with your vault key — the server never sees plaintext TOTP secrets.

Adding 2FA to a vault entry

  1. Open a vault entry and click Add 2FA
  2. Paste the base32 secret key or otpauth:// URL provided by the service
  3. The secret is encrypted with your vault key before being stored
  4. TOTP codes are generated locally in your browser

Code generation

TOTP codes are generated entirely in your browser using the Web Crypto API:
  • Algorithm: SHA-1 (default), SHA-256, or SHA-512
  • Digits: 6 (default) or 8
  • Period: 30 seconds (default) or custom
  • Countdown: visual timer shows remaining validity

For zero-trust entries, the server returns 410 Gone if you request a TOTP code via the API. This is by design: codes must be generated client-side.
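
The following is an added example, not PassAgent's own code, of the client-side flow described above: it accepts a base32 secret or otpauth:// URL, applies the listed defaults, and derives the code with Web Crypto HMAC per RFC 6238. The function names and the sample inputs used to exercise it are assumptions; the vault decryption step is out of scope here.

```javascript
// Added example with hypothetical function names; not PassAgent's implementation.
const subtle = globalThis.crypto?.subtle ?? require('node:crypto').webcrypto.subtle;
const HASHES = { SHA1: 'SHA-1', SHA256: 'SHA-256', SHA512: 'SHA-512' };
const B32 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
// Decode an RFC 4648 base32 secret; spaces, padding and lower case are tolerated.
function base32Decode(text) {
  const out = [];
  let bits = 0, acc = 0;
  for (const ch of text.replace(/[\s=]/g, '').toUpperCase()) {
    const v = B32.indexOf(ch);
    if (v < 0) throw new Error('invalid base32 character in secret');
    acc = ((acc << 5) | v) & 0xfff;
    if ((bits += 5) >= 8) { bits -= 8; out.push((acc >>> bits) & 0xff); }
  }
  if (out.length === 0) throw new Error('empty secret');
  return new Uint8Array(out);
}

// Accept a bare base32 secret or an otpauth:// URL; missing parameters take the defaults.
function parseEntry(input) {
  const p = { secret: input.trim(), algorithm: 'SHA1', digits: 6, period: 30 };
  if (p.secret.toLowerCase().startsWith('otpauth://')) {
    const url = new URL(p.secret);
    if (url.hostname.toLowerCase() !== 'totp') throw new Error('not a TOTP entry');
    const q = url.searchParams;
    p.secret = q.get('secret') ?? '';
    p.algorithm = (q.get('algorithm') ?? p.algorithm).toUpperCase();
    p.digits = Number(q.get('digits') ?? p.digits);
    p.period = Number(q.get('period') ?? p.period);
  }
  if (!Object.hasOwn(HASHES, p.algorithm)) throw new Error('unsupported algorithm');
  if (p.digits !== 6 && p.digits !== 8) throw new Error('digits must be 6 or 8');
  if (!Number.isInteger(p.period) || p.period <= 0) throw new Error('invalid period');
  return { key: base32Decode(p.secret), algorithm: p.algorithm, digits: p.digits, period: p.period };
}

// RFC 6238: HMAC over the 8-byte big-endian time-step counter, then RFC 4226 truncation.
async function totp(input, unixSeconds = Math.floor(Date.now() / 1000)) {
  const { key, algorithm, digits, period } = parseEntry(input);
  const counter = new DataView(new ArrayBuffer(8));
  counter.setBigUint64(0, BigInt(Math.floor(unixSeconds / period)));
  const hmacKey = await subtle.importKey('raw', key, { name: 'HMAC', hash: HASHES[algorithm] }, false, ['sign']);
  const mac = new Uint8Array(await subtle.sign('HMAC', hmacKey, counter.buffer));
  const off = mac[mac.length - 1] & 0x0f;
  const bin = ((mac[off] & 0x7f) << 24) | (mac[off + 1] << 16) | (mac[off + 2] << 8) | mac[off + 3];
  return String(bin % 10 ** digits).padStart(digits, '0');
}

// Seconds left before the current code expires (the value a countdown timer shows).
const secondsRemaining = (period, unixSeconds) => period - (unixSeconds % period);
```

The key is imported with `extractable` set to `false`, so the resulting HMAC key object cannot be exported back out of Web Crypto; the decoded secret bytes still exist in script memory until they are discarded.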

Account 2FA

Separately from storing TOTP for your vault entries, you can enable 2FA on your PassAgent account itself:
  1. Navigate to Dashboard > Settings > Security
  2. Click Enable 2FA
  3. Scan the QR code with any authenticator app
  4. Enter the verification code to confirm
  5. Save your recovery codes in a secure location

If you lose access to your authenticator and your recovery codes, you will be locked out of your PassAgent account.