A secure, local-only TOTP authenticator with QR code import, encryption, and a beautiful UI
Cipheria is a modern, privacy-focused TOTP (Time-Based One-Time Password) authenticator that runs entirely in your browser. Unlike cloud-based solutions, Cipheria never sends your secrets to any server: everything is stored locally and encrypted with AES-256-GCM under a key derived from your master password with PBKDF2.
- 🔒 100% Local: All secrets stay on your device, never leave your browser
- 🔐 Military-Grade Encryption: PBKDF2 → AES-GCM encryption for all stored data
- 📷 QR Code Import: Easily import accounts by uploading QR code images
- 🎨 Beautiful UI: Polished interface with light/dark mode support
- ⚡ Fast & Responsive: Built with Next.js for optimal performance
- 📱 Mobile Friendly: Works great on all device sizes
- 🧩 Easy Migration: Easily switch from any authenticator like Google, Proton, Bitwarden, etc.
- 🔄 Sync Ready: Export your encrypted database for safekeeping
https://github.com/user-attachments/assets/placeholder-video-showing-cipheria-in-action.mp4
Note: This is a placeholder. Actual demo video coming soon.
- Node.js 18+ installed
- npm, yarn, or pnpm package manager
```bash
# Clone the repository
git clone https://github.com/DevJSTAR/Cipheria.git
# Navigate to the project directory (git names it after the repository, with a capital C)
cd Cipheria
# Install dependencies
npm install
# Run the development server
npm run dev
```
Open http://localhost:3000 in your browser to see the application.
```bash
# Build for production
npm run build
# Start the production server
npm start
```
- First Run: Set up your master password to encrypt your TOTP accounts
- Add Accounts:
  - Click "Add Manually" to enter account details
  - Use "Import from QR" to upload QR code images
  - Import from file (Proton Authenticator format supported)
- Access Codes: Your TOTP codes update automatically every 30 seconds
- Manage Accounts: Edit or delete accounts as needed
- Backup: Export your encrypted database regularly
Cipheria prioritizes your security and privacy:
- Zero Knowledge: Your secrets never leave your device
- End-to-End Encryption: All stored data is encrypted with AES-GCM under a key derived from your master password with PBKDF2
- No Analytics: No tracking or data collection of any kind
- QR Code Safety: Images are deleted immediately after decoding
- Open Source: Fully auditable codebase
- Key Derivation: PBKDF2 with 100,000 iterations
- Encryption: AES-256-GCM
- Storage: Encrypted data stored in browser's IndexedDB
- Password: Never stored, only used for encryption/decryption
To verify that your data is properly encrypted:
- Browser DevTools Check:
  - Open Developer Tools (F12)
  - Go to Application/Storage tab
  - Look for IndexedDB storage
  - Data should appear as encrypted strings, not readable account information
- File Export Verification:
  - Export your database
  - Open the file in a text editor
  - Verify that account information is not human-readable
- Network Tab Monitoring:
  - Open Developer Tools Network tab
  - Use the application normally
  - Verify no account data is sent to external servers
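The PBKDF2 → AES-256-GCM scheme and the "not human-readable" check described above, written against the WebCrypto API as an added example; it is not Cipheria's own code. The SHA-256 PRF, 16-byte salt, 12-byte IV, record layout, sample account and all function names are assumptions.

```javascript
// Added example (not Cipheria's code). SHA-256, salt/IV sizes and record layout are assumptions.
// WebCrypto is global in browsers and current Node; the require() fallback covers older Node.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto;
const ITERATIONS = 100000; // iteration count stated on the page
const enc = new TextEncoder();
const toB64 = (bytes) => btoa(String.fromCharCode(...new Uint8Array(bytes)));
const fromB64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));
// Constructed sample account, not real data.
const SAMPLE = [{ issuer: "ExampleCorp", label: "alice@example.test", secret: "JBSWY3DPEHPK3PXP" }];

// PBKDF2 stretches the master password into a non-extractable AES-256-GCM key.
async function deriveKey(password, salt) {
  const material = await wc.subtle.importKey("raw", enc.encode(password), "PBKDF2", false, ["deriveKey"]);
  return wc.subtle.deriveKey(
    { name: "PBKDF2", salt, iterations: ITERATIONS, hash: "SHA-256" },
    material,
    { name: "AES-GCM", length: 256 },
    false,
    ["encrypt", "decrypt"]
  );
}

// Fresh random salt and IV on every save; only salt, IV and ciphertext are persisted.
async function encryptVault(password, accounts) {
  const salt = wc.getRandomValues(new Uint8Array(16));
  const iv = wc.getRandomValues(new Uint8Array(12));
  const key = await deriveKey(password, salt);
  const ct = await wc.subtle.encrypt({ name: "AES-GCM", iv }, key, enc.encode(JSON.stringify(accounts)));
  return { salt: toB64(salt), iv: toB64(iv), ct: toB64(ct) };
}

// Returns the accounts, or null when the GCM tag check fails (wrong password or modified record).
async function decryptVault(password, record) {
  const key = await deriveKey(password, fromB64(record.salt));
  let pt;
  try {
    pt = await wc.subtle.decrypt({ name: "AES-GCM", iv: fromB64(record.iv) }, key, fromB64(record.ct));
  } catch {
    return null;
  }
  return JSON.parse(new TextDecoder().decode(pt));
}

// The DevTools / export check, automated: no account field (8+ chars) may appear in the stored record.
function leaksPlaintext(record, accounts) {
  const stored = JSON.stringify(record);
  return accounts.some((a) => Object.values(a).some((v) => String(v).length >= 8 && stored.includes(String(v))));
}
```

The 100,000 iteration count is the page's figure; OWASP's Password Storage Cheat Sheet currently recommends 600,000 for PBKDF2-HMAC-SHA256.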
- Next.js 15 - React framework with App Router
- TypeScript - Type-safe JavaScript
- Tailwind CSS - Utility-first CSS framework
- shadcn/ui - Re-usable components built with Radix UI
- Framer Motion - Animation library
- Lucide React - Beautiful SVG icons
- Zod - TypeScript-first schema validation
- React Hook Form - Performant, flexible forms
Contributions are welcome! Please read our Contributing Guide first.
- Fork the repository
- Create your feature branch (`git checkout -b feature/AmazingFeature`)
- Commit your changes (`git commit -m 'Add some AmazingFeature'`)
- Push to the branch (`git push origin feature/AmazingFeature`)
- Open a Pull Request
This project is licensed under the Apache 2.0 License - see the LICENSE file for details.
Junaid - junaid.xyz
Made with ❤️ by Junaid