Trezur is a fast, simple, light-weight web-app to generate TOTP and HOTP1 codes for two-factor authentication.
- No sign up, ever! Trezur doesn't have any concept of user accounts and doesn't need any personal information to be functional.
- Trezur works entirely browser-side. After first load, you can use a majority of features offline2. It's also a Progressive Web App (PWA), so you can install it on your device for a native app-like experience.
- Your confidential token data never leaves browser storage3; it is always stored encrypted at rest, with AES-256-GCM. Optionally, you can set a passcode for additional protection.
- You can choose to backup and sync your tokens securely via your preferred cloud sync provider. Currently we support Google Drive (Application Data folder), and support for S3-like providers is coming soon. Please reach out if you have a specific provider in mind.
- To help you get started, you can import your existing tokens from a plethora of 2FA apps.
Commentary by the author @babhishek21:
I had been a long-time user of Authy, and I liked their cross-platform (including desktop) availability. It didn't hurt that I trusted Twilio and Authy's E2E encryption. In early 2024, Twilio decided to sunset Authy Desktop. At that time I started exploring alternatives and realized that it was ridiculously hard to export tokens out of Authy; this raised major red flags for me.
I started looking for alternatives and landed on Raivo, which was an amazing open-source iOS option at that time. While the lack of cross-platform availability was a sore point, I was sold on the ease of import/export and the large user base. Unbeknownst to me at that time, Raivo had already been acquired by a Moroccan mobile app development company the year before. Sure enough, in the summer of 2024, Raivo switched to a paid subscription model, with reports of user data being kept hostage. I was fortunate enough to have exported my tokens out of Raivo before lockout.
This was a major wake-up call for me and a great source of frustration. I don't want to migrate tokens or go through account recovery every year. I just want my 2FA tokens to be available across all my devices, without worrying about lockouts, data loss, or security. I wanted a solution that was open and auditable, cross-platform, secure and didn't require me to trust a third party with my data.
I looked around at that time for something I could migrate to for one last time. Most options were missing one or more key requirements.
- Bitwarden Authenticator had just come out and sync required signing up for a Bitwarden plan.
- Ente required signing up to their Photo Cloud for sync, where the authenticator was a byproduct. Yes, I could self-host, but do I really want to host an entire cloud product suite just for 2FA?
- 2FAS Auth cannot do syncs across OSs.
- Google and Microsoft Authenticator are closed-source, don't have desktop apps and have a poor track record on user support and privacy.
- I'm fairly ingrained into the Apple ecosystem, and squarely trust them with my passwords, but their modern replacement Passwords app (which has TOTP support) didn't exist then.
Out of options and lacking the one-and-done solution that I desired, I decided to do it myself. Trezur is the result of that frustration and the desire to create a better solution for myself and others. It's still early days, but I'm committed to making it a great app that meets those goals.
Trezur was born out of a dual motivation:
-
The reasons that I have talked about in the commentary above.
-
Modern web technology has come a long way; the web browser is where people spend most of their time daily. It is now possible to build a secure, performant, cross-platform authenticator app that works entirely in the browser. I wanted to leverage this to create a web-app that is more accessible and easier to maintain than native apps.
Please read TODO.md.
Trezur is free to use at trezur.quirkdom.com. Please read the Terms of Service.
We don't track nor do we collect any user data. Please read the Privacy Policy.
This repository is free to view and audit. An explicit license is not included. Ergo, copyright applies (subject to the rights afforded to the user due to publishing this repository on GitHub). For permission related queries, or to request other permissive licenses, please reach out.
There is no explicit support provided; please use at your own risk. However, we are committed to improving the app and keeping it secure. Please email contact@quirkdom.com with issues or questions.
We highly recommend that you use two authenticator apps for a good balance between availability, reliability and risk. Here are some alternatives that might pair well with Trezur:
- Chronos is a lean open-source option on iOS, with encrypted iCloud sync. Early versions of Trezur were inspired by Chronos.
- Aegis Authenticator is a free and open-source authenticator app for Android only.
- Bitwarden Authenticator is a good option if you are already using Bitwarden for password management, but it doesn't have a desktop app and doesn't support cross-platform sync without using Bitwarden's password manager.
- Ente cloud provides an open source alternative to Authy via Ente Auth. Provides E2E encryption but backups are made to their own cloud (requires signing up for an account). Possible to self-host.
- 2FAS Auth is another popular open-source option, but with limited cross-platform sync features.
We don't recommend other options like Google Authenticator, Microsoft Authenticator, Apple Passwords, Duo nor Authy for various reasons, including lack of cross-platform interoperability, lack of auditable source code, cross-selling paid products, and/or lack of security guarantees.
- Svelte + SvelteKit
- TailwindCSS
- Vite (through SvelteKit)
- Cloudflare Workers
- Other pieces of software used can be found listed in the package.json file.
Trezur is almost entirely written in JavaScript, with JSDoc type hints used for type checking and documentation.
- Andrey Sitnik for the excellent nanoid library.
- Héctor Molinero Fernández for the excellent otpauth library.
- Maxwell Barvian for the excellent number-flow library.
- Paul Miller for the excellent QR code library.
- Paul Miller and Patricio Palladino for the excellent scure library.
- Favicon: Key by Bucky Clarke from Noun Project (CC BY 3.0).
- Modification: Color of the icon material changed from black to orange.
Footnotes
-
Not implemented yet; coming soon. ↩
-
Features like QR code scanning & generation require dynamically loading libraries on-demand when the features are utilized; once loaded, they will be available for use offline. Other features like Cloud Sync & Backup require network connection. ↩
-
Except when a Cloud Sync provider is connected. ↩