Offline, Local-First
No network required. Secrets never leave your machine.
desktop-2fa
Own your keys. Own your codes.
An offline TOTP authenticator built on open standards—transparent, auditable, no cloud sync.
pip install desktop-2fa What is it and why it was built
desktop‑2fa is a local‑first TOTP authenticator for people who want their second factor to live on machines they actually control. No cloud sync, no proprietary mobile apps, no vendor lock‑in — just a small, auditable tool that does one job well.
It was built for developers, sysadmins, and privacy‑focused users who prefer reproducible, scriptable workflows over opaque GUIs. Many authenticators hide their storage behind platform keystores or online accounts. desktop‑2fa takes the opposite approach: a documented vault format, strong password‑based encryption, and predictable CLI behavior you can trust and automate.
It doesn’t try to replace hardware tokens or solve every threat model. It focuses on clarity, portability, and giving you full ownership of your TOTP secrets — without depending on anyone’s cloud.
Features
Encrypted Vault
AES-256-GCM encryption with Argon2 key derivation.
Open Standards
Transparent code. Every line is readable and auditable.
CLI-First Workflow
Designed for terminal users and automation scripts.
Reproducible, Auditable
Deterministic builds. High coverage on critical paths.
No Cloud, No Telemetry
Zero tracking. Zero data collection. Zero exceptions.
Install
Install from PyPI:
pip install desktop-2faBasic usage:
# Add a TOTP entry
desktop-2fa add
# Generate a code
desktop-2fa code <account>
# List all entries
desktop-2fa listComparison
| Feature / Tool | desktop‑2fa | Proton Authenticator | Google Authenticator | Authy |
|---|---|---|---|---|
| Platform | Linux (CLI) • macOS (CLI) • Windows (CLI) | Android, iOS • Windows (GUI) • macOS (GUI) • Linux (GUI) | Android, iOS | Android, iOS • Windows (GUI) • macOS |
| Offline-only | ✔️ | Offline‑first (cloud backup optional) | ✔️ | ✖️ |
| Cloud sync | ✖️ | Optional encrypted Proton backup | ✖️ | ✔️ |
| Vault encryption | AES‑256‑GCM + Argon2 | Web/desktop: encrypted local vault (React/Tauri app) • Mobile: AES‑256‑GCM + Argon2 | Device-level only | Cloud-managed |
| App architecture | Native desktop app (Python + Qt) | Web‑based React app packaged as a desktop wrapper (Tauri/Electron) | Native mobile app | Proprietary multi‑platform app |
| Open source | ✔️ | Yes (mobile aps +WebClients monorepo) | Partial | ✖️ |
| Suitable for air‑gapped use | ✔️ | Not recommended (web‑based architecture) | ✔️ | ✖️ |
Comparison philosophy: This table highlights architectural differences between tools. It does not judge security or quality — each project has different goals and trade‑offs. Information is based on publicly available documentation and open‑source repositories.
Design philosophy
- Local-first — no cloud, no sync, no vendor lock‑in.
- Deterministic — predictable behavior across platforms and releases.
- Minimal — no hidden magic, no surprise background processes.
- Reproducible — testable behavior, stable interfaces, clear invariants.
- Honest — no overpromising; limitations are documented, not hidden.
FAQ
- Does it sync across devices?
- No. desktop‑2fa is offline‑only.
- Can I recover my vault password?
- No. There is no recovery key or remote reset.
- Is there a GUI?
- Not yet. A GUI is planned as a separate layer.
- Can I import QR codes?
- otpauth URLs are supported. QR import is planned.
- Is it suitable for air‑gapped machines?
- Yes. It requires no network access.
Roadmap
- GUI interface
- HOTP support
- QR code import
- Rust backend
Support the Project
desktop‑2fa is an independent open‑source tool built with a focus on autonomy, transparency, and offline security. If you find it useful and want to support ongoing development, you can do so through the platforms below.
Ko‑fi
One‑time or recurring support.
Buy Me a Coffee
Simple way to support the project.
AirTM
Direct support via AirTM.