The OTP Manager

The OTP Manager is a simple Application for managing One Time Password (OTP) Tokens. OTP Tokens are 30 second time limited 6 digit numbers generated from a base63 encoded shared secret. The OTP secret keys are securely stored in the default KeyChain on your Mac. You can find them by searching for "OTPManager:" in the keychain.

The interface displays a general ProgressIndicator above the Tokens, that indicates how long the tokens are valid. When a token enters the last 4 seconds of its lifetime, a token enters 'expiry mode': the token digits turn red and copy functionality is disabled.

In this document we'll call a 'banner' with the username, issuer and OTP Token an account. The selected account has a darker background than other accounts in the main window.

Main window
Screenshot of the main window with tokens in active state. The first account is selected.


How to add an account

In order to add an Account to the OTP Manager, you need the pre-generated secret from the site or application you wish to add the account for. The OTP Manager does not enable Two Factor Authentication, this must be enabled with the Issuer.

To add an account to the manager, do any of the following:

It will open a dialogue prompting for 3 inputs:

Add an Account

Using the Statusbar

Version 1.2 adds the statusbar menu as a convient way to access your tokens. The menu reflects the sequence you drag the tokens in in the main screen. The Statusbar enables you to hide the main application, thus reducing clutter on your desktop while maintaining easy access to your tokens, and adds a shortcut to unhide the OTP Manager application.

Selecting an account from the statusbar menu copies the token to the system clipboard, as described in copying tokens.

statusbar menu

Copying Tokens

A token can only be copied when the token is not expiring (i.e., in the first 26 seconds of its cycle). If a token is in expired state, the digits turn red. In active state, a token can be copied to the system clipboard in any one of the following ways:

The token is copied to the system clipboard and can be pasted in any other application or browser.


How to delete an account

Removing an account does NOT disable Two Factor Authentication (TFA).
Removing an account could prevent you from logging in to the associated application.

If you want to disable TFA, please log in to the site (for which you will require a valid token) and disable TFA before removing the account from the OTP Manager

In order to remove an account from the OTP Manager you need to select the account you wish to remove by clicking on it in the interface. The delete can be done in either of three ways:

delete an account

Configurable settings (v1.3)

Due to user comments, we have implemented a basic settings screen with 2 configurable options. Options are accessable via the Preferences menu item (⌘ + , or OTP Manager > Preferences).

delete an account


OTP Manager is compatible with all HMAC TOTP based Two Factor Authentication implementations, like Googles Gmail, Facebook, Dropbox, Evernote and many more.

Background of One Time Password

There are 3 independent authentication factors: What you know (password), what you possess (hardware token, mobile phone) and who you are (fingerprint). Multi Factor Authentication means the system is using two of these factors for authentication.

The industry standard for Two Factor Authentication is using a time limited component generated from the possession factor next to the knowledge factor for authentication: a Time based One Time Password (TOTP).


Our implementation of the One Time Password is based on the open standards developed by the Initiative for Open Authentication (OATH). From these standards we use the HMAC based Time-based-One-Time-Password (TOTP) as specified in RFC 6238.