2FA authenticator webapp
- Lightweight
- Secure
- Private
TOTP is a standard for generating temporary access codes. The idea is that a service provides you with a secret that you can store to create temporary access codes using an authenticator app like Topo. When you want to log in to the service you will have to provide your credentials and a fresh temporary code.
But each website promotes its own authenticator, scattering user secrets across multiple applications. Popular authenticators include ads, send user data over the internet or require unnecessary permissions.
So the idea behind Topo is to have a free, simple and lightweight authenticator that respects privacy and security.
You cannot share your secrets across different devices: you will have to back them up as QR codes, either as an image or as a printed paper copy. This is intended.
If you clear your browser's localStorage, your data WILL BE LOST. Back up your QRs.
Some applications and websites push their own authenticator, which makes the QR code difficult to find.
Topo stores your secrets in localStorage to keep everything in the browser and avoid cookies; however, localStorage is not encrypted on your device. If your device is compromised and someone has access to your files, they can easily steal your secrets.
Because Topo is written in JavaScript, XSS attacks remain a potential security issue. Topo tries to mitigate this by keeping interaction with the user and the environment to a minimum. The only input that could be dangerous is a malicious QR code.
If your secrets are ever compromised, rotate your credentials: generate new QR codes for every application or service that was stored on Topo as soon as possible.
Feel free to open issues and PRs.
Workflow with vite:
You need nodejs and a dependency manager like npm.
- npm i: install dependencies.
- npm run dev: run a local development server.
- npm run build: create a production build inside ./dist.
- npm run preview: run a server serving ./dist content.
- npm run test:watch: interactive unit testing.
- npm run test:run: run unit tests headless.
- npm run e2e:open: interactive end-to-end testing (requires a server running).
- npm run e2e:run: run end-to-end tests headless (also requires a server running).