Secure OTP manager PWA

One-time passwords are a good way to protect your accounts. The problem is that they can be cumbersome to use. Avain (a key in Finnish) is an easy, secure, modern and fast manager for one-time passwords. It also syncs securely between your devices.

All crypto is done client-side with Web Crypto, so only you can ever access your data. If you forget your password, it's impossible to recover the data, since the key never leaves your browser. The password is first hashed with 1 million rounds of PBKDF2. The hash is then used as a master key for encrypting the OTP URLs with AES-CBC. Both operations are done with random SHA-256 salts.
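The scheme described above, sketched with the Web Crypto API as an added example (this is not Avain's own code). The PBKDF2 hash (SHA-256), the 16-byte salt and IV, the 256-bit key, the record layout and all function names are assumptions; only the 1 million rounds and AES-CBC come from the page.

```javascript
// Added example, not Avain's source. Runs in a browser or in Node.js.
const webcrypto = globalThis.crypto ??
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);
const subtle = webcrypto.subtle;

const ITERATIONS = 1_000_000; // "1 million rounds", as stated on the page
// Constructed sample input, not a real account.
const SAMPLE_URL =
  'otpauth://totp/Example:alice@example.com?secret=JBSWY3DPEHPK3PXP&issuer=Example';

// Derive a non-extractable AES-CBC master key from the password.
// Assumption: PBKDF2-HMAC-SHA-256 producing a 256-bit key.
async function deriveMasterKey(password, salt, iterations = ITERATIONS) {
  const material = await subtle.importKey(
    'raw', new TextEncoder().encode(password), 'PBKDF2', false, ['deriveKey']);
  return subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations },
    material,
    { name: 'AES-CBC', length: 256 },
    false, // key bytes cannot be exported by script
    ['encrypt', 'decrypt']);
}

// Encrypt one OTP URL. The salt and IV are fresh random values per record;
// they are not secret and are stored next to the ciphertext.
async function encryptOtpUrl(password, otpUrl) {
  const salt = webcrypto.getRandomValues(new Uint8Array(16));
  const iv = webcrypto.getRandomValues(new Uint8Array(16));
  const key = await deriveMasterKey(password, salt);
  const ciphertext = new Uint8Array(await subtle.encrypt(
    { name: 'AES-CBC', iv }, key, new TextEncoder().encode(otpUrl)));
  return { salt, iv, ciphertext };
}

// Decrypt a record by re-deriving the key from the password and stored salt.
// AES-CBC is unauthenticated: a wrong password usually fails the padding
// check (OperationError), but nothing verifies the plaintext itself.
async function decryptOtpUrl(password, record) {
  const key = await deriveMasterKey(password, record.salt);
  const plaintext = await subtle.decrypt(
    { name: 'AES-CBC', iv: record.iv }, key, record.ciphertext);
  return new TextDecoder().decode(plaintext);
}
```

Only `{ salt, iv, ciphertext }` would need to be synced; without the password the server side holds nothing that decrypts the OTP URLs.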

Sign-in is secured by enforcing HTTPS and automatically rate-limiting concurrent password tries.

PWA means progressive web application. You don't need to install anything: just visit Avain.app and you'll get secure access to your verification keys. If you like, you can add the web app to your home screen for easier access.

Find Avain on Twitter.

You can also download Avain for Mac!