---

Start QR Reader Stop QR Reader

Copy the above and paste it somewhere where you would like to save it. copy

---

Update from backup:
Update

Click button above again to hide
Passphrase:	Update passphrase This should be long & difficult to guess, for security. Stored: Stretched to: Nonce:

Purpose

tootp is meant to be used for 2 factor authentication, with the popular totp method, where you at first get a seed code from the web site when you enable 2 factor authentication, and then you are supposed to enter an authentication code at each login, and what that authentication code is changes every 30 seconds. It's surprisingly difficult to backup the seed codes in many totp clients, such as FreeOTP, Authy or Google Authenticator. The purpose of tootp is to be a totp client where it is easy to make backups of your totp site entries, and where all code is open source and included in the tootp page.

Where data is stored

All data is stored in cleartext locally in your browser, in something called localstorage. If you uninstall the browser or in another way delete localstorage, your data is gone. Unless you've backed it up, see next section:

How to backup and restore

First make sure you've set a password in the "Passphrase for backup & restore:" section. Then just copy the contents of the "Encrypted backup" field and store that contents somewhere, preferrably in multiple places.

Restore by pasting the contents into the "Update from backup" field, and then click "Update". The backup will update your local database, it won't delete entries not present in the backup.

This is what a backup looks like:

{
  "cryptoText": "Cpl3aA979MF8sbDgXJhqlQxJk4Wv6QKVMdtxLgTNoGwsa3",
  "keyStretchFactor": {
    "logN": 16,
    "r": 8,
    "p": 1,
    "dkLen": 32,
    "encoding": "hex"
  },
  "keyStretchMethod": "scrypt",
  "cipher": "chacha20",
  "nonce": "30bc02549c74cf7b8d92b9f1"
}

The password in tootp needs to be the same at the moment of restoring as it was when the backup was made.

Using the QR scanner

Click the "Start" button to start scanning. When the scanner finds a qr code, it will automatically put it into the "Seed" field at the top. Click "Stop" to stop scanning. The only way to turn the camera off completely as of now, is to reload the page. Currently the scanner puts everything in the qr code into the seed field. You may want to clean that up before saving, if there is other data than just the seed there.

Security

This project is quickly cobbled together and makes no guarantees. The status of this project is "Seems to work for me but I will use one more client, such as FreeOTP to be on the safe side." All javascript is included in the page, no network access should happen after the page loads. If you load this page from your local device, then no network activity should happen at all. This means you can run tootp from a browser with no network access, such as a browser running in a virtual machine which has no network access, from a computer with no network access (such as an Android phone or tablet with radios disabled) or from a profile in your web browser that has no network access (for example setting an invalid SOCKS proxy might do the trick).

All seeds and the password are stored in cleartext in localstorage in your browser.

It is recommended that you save the source of this page as a backup, so that you always have a copy of the precise execution environment for restore purposes, in case there are unintentional quirks of the encryption in tootp. Beware that if you run tootp as a local file, in my tests it seems that in some versions and browsers locally opened files share and hence can read each other's local storage entries. In others it seems that there is separate localstorage for each file location.

If you are afraid of exploits in the browser getting at tootp data, consider running tootp in its own browser, maybe even in an environment that does not have network access. If you are worried about local keyloggers and screen scrapers having infected your system, then run tootp on another device than the one you log in on. This is the usual way of running totp clients.

However if your system is in that bad shape so that the attacker can manipulate your screen, you could still be compromised in different ways, regardless of defensive technology used.

You may well want to choose a long and difficult password. It is stored in localstorage by tootp, so you do not need to re-enter it. You can always display it to see what it is and if you have configured multiple devices, chances are that you have at least one of them left in your possession at any given time. If you believe that your seeds have been compromised, you should change the password and request new seeds from the sites.

Consider hosting the tootp page on its own sub domain, being the only page on that sub domain, see: Same-origin policy - Wikipedia (local storage is supposed to follow the same rules as listed there. "Failure" is good in that table btw, for our purposes).

License

This project released under the Apache License version 2.0

Credits

A number of libraries have been used for this:

• JS-OTP library from Allan Jiang
• JSchacha20 library from Bubelich Mykola, MIT License
• QR code reader by Lazar Laszlo, Apache License 2.0
• scrypt-async-js by Dmitry Chestnykh, BSD License
• Copy script by Craig Buckler
• various snippets from Stack Overflow and gists

Tootp is made by Jörgen Modin <jorgen@webworks.se>.