Two-Factor Authentication (TOTP)
Store and generate TOTP (Time-based One-Time Password) codes for all your accounts directly in SecurityCreds. No need for a separate authenticator app.
What is TOTP?
TOTP (Time-based One-Time Password) is a form of two-factor authentication that generates a 6-digit code that changes every 30 seconds. When you enable 2FA on websites like Google, GitHub, or your bank, they typically use TOTP.
Why Use TOTP?
Two-factor authentication adds an extra layer of security. Even if someone steals your password, they can't access your account without the TOTP code. SecurityCreds lets you store both your password and TOTP secret together, making login convenient while staying secure.
Adding TOTP to a Credential
You can add TOTP to any existing credential:
Method 1: Scan QR Code
- Open the credential detail view
- Click Add TOTP
- The website's 2FA setup will show a QR code
- In SecurityCreds, click Scan QR Code
- Use your camera to scan the code
- The TOTP secret is automatically added
Method 2: Enter Secret Manually
- Open the credential detail view
- Click Add TOTP
- Select Enter Manually
- Copy the secret key from the website (usually shown as "Can't scan? Use this key")
- Paste the secret into SecurityCreds
- Click Save
When Adding a New Credential
You can also add TOTP when first creating a credential:
- Click Add Credential
- Fill in the basic details
- Expand the Two-Factor Authentication section
- Add the TOTP secret
- Save the credential
Using TOTP Codes
Once TOTP is set up, viewing and using codes is easy:
Viewing Your Code
- Open the credential
- The current 6-digit code is displayed
- A countdown timer shows when the code will refresh
Copying the Code
Click the copy icon next to the TOTP code to copy it to your clipboard. You can then paste it into the login form.
Auto-Refresh
TOTP codes refresh every 30 seconds. SecurityCreds automatically generates the new code - no need to refresh the page.
TOTP Security
TOTP secrets are protected with the same zero-knowledge encryption as your passwords:
- The secret is encrypted client-side before transmission
- Only you can decrypt and generate codes
- Even SecurityCreds servers cannot see your TOTP secrets
Sharing TOTP with Team Members
When you share a vault containing credentials with TOTP:
- Viewers can see and copy TOTP codes
- Editors can also add or update TOTP
- Admins can also remove TOTP
This is useful for shared accounts where multiple team members need to log in with 2FA.
Removing TOTP
To remove TOTP from a credential:
- Open the credential
- Click Edit
- In the TOTP section, click Remove
- Confirm the removal
Warning
Before removing TOTP from SecurityCreds, make sure you've disabled 2FA on the actual website or have another way to generate codes. Otherwise, you may be locked out of your account.
Troubleshooting
Code Not Working
If your TOTP codes aren't being accepted:
- Check your device time - TOTP depends on accurate time. Ensure your device clock is correct.
- Wait for the next code - If you're near the end of a 30-second window, wait for the next code.
- Verify the secret - Ensure the secret was entered correctly (no extra spaces).
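The three checks above follow from how a code is computed. This is an added example of the standard RFC 6238 algorithm (HMAC-SHA1, 30-second step, 6 digits), not SecurityCreds' own code; the function names, the sample secret, and the one-step acceptance window are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct

def decode_secret(secret: str) -> bytes:
    """Decode a Base32 key as pasted from a 2FA setup page.
    Tolerates spaces, dashes, lowercase and missing '=' padding."""
    cleaned = secret.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)

def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code (HMAC-SHA1) for the time step containing unix_time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def seconds_remaining(unix_time: int, step: int = 30) -> int:
    """Seconds until the current code is replaced (the countdown timer)."""
    return step - unix_time % step

def matching_step(key, code, server_time, window=1, step=30):
    """Return the step offset at which `code` matches, or None.
    window=1 (accept one step either side) is an assumed verifier policy."""
    for off in range(-window, window + 1):
        if hmac.compare_digest(totp(key, server_time + off * step, step), code):
            return off
    return None

# Constructed sample: the published RFC 6238 test key, typed with spaces
# and lowercase as a user might paste it. Not a real account secret.
SAMPLE_SECRET = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"

if __name__ == "__main__":
    key = decode_secret(SAMPLE_SECRET)
    server_time = 59  # fixed so the output is reproducible
    print("code:", totp(key, server_time), "expires in", seconds_remaining(server_time), "s")
    for skew in (0, 30, 90):  # device clock running ahead by `skew` seconds
        shown = totp(key, server_time + skew)
        print(f"skew {skew:>2}s -> {shown} matches at step", matching_step(key, shown, server_time))
```

A device clock 30 seconds ahead still lands inside the assumed window, while 90 seconds of drift produces a code that matches no accepted step.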
Lost Access to TOTP
If you've lost your SecurityCreds access and need to log in to a 2FA-protected site:
- Use backup codes (if you saved them when setting up 2FA)
- Contact the website's support for account recovery
- Use your SecurityCreds recovery key to regain access
Best Practices
- Enable 2FA everywhere possible - Especially for email, banking, and important accounts
- Save backup codes - When setting up 2FA, save the backup codes in the credential's notes
- Double-check secrets - Verify the code works before completing 2FA setup
- Keep your master password strong - Your TOTP secrets are only as secure as your SecurityCreds account