Encryption methodology

Being a security tool meant to keep secrets, one of 4OTP’s core features is safely encrypting and storing your 2FA codes. Here is how we’re doing it.

4OTP Encryption

2FA codes are derived from what’s called a seed, or secret key in 4OTP. The secret key is a random piece of data that websites or applications generate and display to you either as a QR code or directly as a random string of text.

2FA authenticator apps such as 4OTP then store this secret in strongly encrypted form. From this secret key, they compute the seemingly random 6-digit token that changes every 30 seconds, which increases the security of your sign-ins.

On-Device Encryption

4OTP encrypts all your data directly on your devices. This means that only you, with your unique password, can access your 2FA codes.

Your Password is Your Key

Your password is the only key to unlocking your 4OTP data. We use this password to generate a set of cryptographic keys that encrypt and decrypt your information.

Password

The password you enter to start using 4OTP on your phone or computer is NOT an account password. You do not need an account to use 4OTP. Even when syncing between your devices, your password is never stored on our servers, whether in encrypted or hashed form.

As your password is (nearly) directly used to encrypt your codes, there’s no “Lost password” feature in 4OTP. Your password is needed to decrypt your data and a new password can’t be set if you don’t have the old one.

Deriving a key from your password

Passwords, even strong ones, are not directly suitable for use as encryption keys. That’s why we use a Password-Based Key Derivation Function 2 (PBKDF2). Here’s how it works:

  1. Salting: We generate a random, unique value called a “salt”. This salt is combined with your password. Salting prevents attackers from using pre-computed tables of common passwords (rainbow tables) to figure out your password.

  2. Iteration Count: We then generate a cryptographically secure key using the Password-Based Key Derivation Function 2 (PBKDF2) algorithm. PBKDF2, configured to run 600,002 iterations, takes your password and the salt and produces the first key, called the User key. This high iteration count significantly increases the time and computational resources required to verify a password. This makes it extremely difficult and time-consuming for an attacker to try to guess your password (a “brute-force” attack), even if they have access to your encrypted data.

Key Stretching with HKDF

After obtaining a strong key from your password, we put that User key through another process called HMAC-based Key Derivation Function (HKDF). This step, also using a unique salt, “stretches” the key again, creating an even stronger and more secure key, which we call the Stretched User Key. It also allows us to later derive additional, separate, cryptographically strong keys, should we need them for other data types.

User and Stretched User keys are not transmitted to our servers

The two keys we just described are never sent over the network to our servers. They are only computed locally, on your device, when you enter your password.

There is no way to compute these keys, and thus to decrypt the secret keys behind your 2FA codes, other than knowing your password.

The Encryption Process

With the Stretched User Key computed, here’s how we encrypt your 2FA data:

  1. Main Encryption Key: 4OTP generates a separate, totally random 256-bit key. This is the key used to actually encrypt and decrypt your 2FA secret keys when storing them.
  2. Encrypting Your Data: Your 2FA secret keys are encrypted using the Main Encryption Key as the key and the AES-GCM encryption algorithm. For each piece of data we encrypt, we generate a new salt and a new, unique Initialization Vector (IV). An IV ensures that even if you have identical pieces of data, they will look completely different when encrypted, adding another layer of security.
  3. Storing the Main Key: Your Main Encryption Key is then itself encrypted and stored. We again use AES-GCM encryption for that, this time with your Stretched User Key as the secret. As always, a new salt and a new IV are created each time this encryption process takes place.

What is Stored

When you use 4OTP, it stores the following encrypted data on your device and/or our secure sync server:

  • The encrypted 2FA secret keys
  • The encrypted Main Encryption Key
  • The salts used in the PBKDF2 and HKDF processes
  • The Initialization Vectors (IVs) used

Sync Service

When you use the 4OTP sync service, the same encrypted data is securely transmitted and stored on our servers.

When a code is added or modified on one device, 4OTP sends the resulting fully encrypted data to our servers. This allows you to access your 2FA codes from multiple devices.

Your other devices are notified of the change, allowing them to download and merge the new codes with their locally stored data.

Synchronizing your encrypted 2FA codes to a device running 4OTP requires an Access Key. Your Access keys are available from your 4OTP dashboard (you can create/delete as many as you want).

Access keys are long, random strings of text that act like passwords for the 4OTP apps running on your devices.

When a 4OTP app contacts our server to learn about new or modified codes, it uses this Access Key to identify itself to the server. This is done by signing the request using its access key with the HMAC-SHA256 algorithm.

Our sync servers use the same signing algorithm to verify that each request for data is indeed coming from a device that has the proper access key.

Data is never decrypted during the syncing process

The 4OTP sync servers act as “transparent” message carriers. They pass your encrypted data around to the 4OTP apps running on your devices, without ever understanding what’s in the data in question.

We cannot access your data. Without your master password, your data is just a collection of unintelligible, encrypted text.

Email is the way...

Send an email to support@4otp.com.

We'll get back to you as quickly as possible!