Frequently Asked Questions

OTPManager uses the following terms and are important to understand correctly:

The token is [the result of the generation of] the One Time Password. So if you see "001 123" as the 'password', that IS the Token, and normally valid for 30 seconds.
We also use the term Token to indicate the complete set of Issuer, Username and Secret including the generated Token.

This is the website or app that 'Issues' the secret you need to generate the Token. So for instance Amazon, Gmail, Evernote

This is the username for the account on the website or app you have activated 2FA.

The (Base63 Encoded) shared secret (or password) that is provided by the Issuer. This is the seed for generating the OTP Token.

^* Both the Issuer and Username field have no effect on the generated OTP Token and are there for identification purposes only (as required by the standards).

OTPManager is an Authenticator and Manager for HMAC Time based One Time Passwords (TOTP).

It implements the standards as developed by the Initiative for Open Authentication (OATH) and the HMAC TOTP specifications described in RFC 6238.

The industry standard for Two Factor Authentication is using a time limited component generated from the possession factor next to the knowledge factor for authentication: a Time based One Time Password (TOTP).

OTPManager does NOT enable Two-Factor Authentication for a site. It is merely a '2FA Password Manager' if you would like to think of it that way.

Two-factor Authentication must be enabled on the site or app for which you want to activate Two-factor Authentication, NOT in the OTPManager software.

The result of the 2FA activation (QRCode, Shared secret, etc) is then added in OTPManager.

The authentication factors

• Something you know (e.g. password)
• Something you possess (e.g. phone, Token)
• Something you are (biometric)
• Somewhere you are (location)

Two-Factor requires you to present 2 of the factors listed above for Authentication. So if an attacker has one of the factors, your accounts are still secure.

Two Factor Authentication normally uses a time limited component generated from the possession factor next to the knowledge factor: a Time based One Time Password (TOTP).

From wikipedia:
A good example of two-factor authentication is the withdrawing of money from an ATM; only the correct combination of a bank card (something the user possesses) and a PIN (something the user knows) allows the transaction to be carried out.

OTPManager uses the iCloud Keychain for storage of your Tokens, and uses iCloud for change notification to alert other devices there was a change in the iCloud Keychain.

In Order to take advantage of the Cloud the following must be configured correctly on your device:

• You must be logged into your Apple ID
• The keychain must be enabled in your Apple ID's iCloud Configuration
• iCloud Drive must be enabled (for change notification)

When You have your Apple ID configured as above (on iOS and macOS) you have a fully functioning Cloud Synchronised OTPManager!

TL;DR: Yes, we firmly believe it is.

The iCloud Keychain uses end-to-end encryption (E2EE). This means that your data is stored and transmitted in an encrypted form that no one else can read, not even Apple.

The encryption key used to protect Keychain data is created from:
1. information unique to your device and
2. your personal device passcode

This ensures that you and your device are the only thing that can produce the proper decryption key required to view that encrypted data

More information:
- iCloud Keychain Security overview
- CVE database for iCloud Keychain

Note: In order for other iCloud Services to be E2EE encrypted,
enable two-factor aurthentication on your Apple ID :

- iCloud Security overview

The Token configuration, including the shared secret are safely stored in the iCloud Keychain.

This means that no data regarding your Tokens are saved on disk by the OTPManager software: everything is encoded in the Token that is saved in the iCloud Keychain.

The iCloud Keychain uses end-to-end encryption (E2EE). This means that your data is stored and transmitted in an encrypted form that no one else can read, not even Apple.

You can find your Tokens by opening the Keychain Access app on your Mac and searching for "OTPManager"

Please do not change anything in the Keychain Item, this could crash OTPManager and render your 2FA useless.

Because the Store for your secrets (the iCloud Keychain) is a distributed and encrypted store, you should not have to backup your tokens. But if you choose to do so please consider the following:

The only data stored on your device, are the settings as presented in the application (and some extra data to make the software run smoothly). There is nothing important about having a backup of that information.

The Two-Factor information you got from the Issuer is a special kind of password, don't keep backups or exports in plain format on your drive: use an encrypted disk image to store your tokens.

Follow the steps below to create a secure backup of your Tokens:

• Use OTPManager on the Mac to export your Tokens
• Move the exports you've made onto a encrypted disk-image (make sure you delete and empty the trash if you copy them).
• If a site has recovery or backup codes, add them to the encrypted disk-image.
• Add the encrypted disk-image to your backup folder

Repeat this whenever you add a new token.

A Keychain is the secure password store that Apple uses to store you certificates, keys and password. Both the iCloud and Local keychain are End-to-End (E2EE) encrypted. This means that the keychains are stored and transmitted (iCloud Keychain) in an encrypted form that cannot be read by anyone, even by Apple.

1. The iCloud Keychain

Tokens in this Keychain will be synchronized to all other devices running OTPManager; If you are logged into your Apple ID Account and have the iCloud Drive and the Keychain enabled in the Apple ID iCloud Settings.

Moving tokens to the iCloud Keychain, removes them from the Local Keychain and will be synchronized.

If you want to work with the tokens in the iCloud Keychain, you must enable the iCloud Keychain in the OTPManager Preferences, and be logged into your Apple ID Account.

2. The Local Keychain

Tokens in the Local Keychain will never be synchronized, even if you have fully configured the iCloud Keychain in your Apple ID.

Moving tokens to the Local Keychain, removes them from the iCloud Keychain, and will therefore never be synchronized.

If you want to work with the tokens in the Local Keychain, you must disable the iCloud Keychain in the OTPManager Preferences.

The iCloud Sync setting in the OTPManager preferences determines which of the two Keychains you use as default: the Local Keychain or the iCloud Keychain.

When you disable iCloud Sync in the Preferences, there is no communication between other devices running OTPManager, and you are working on the Local Keychain.

When (re-) enabling iCloud Sync (switch to using the iCloud Keychain), and there are tokens on other devices, the system doesn't know which of the devices is the prefered provider of the tokens. This may result in merge issues (double tokens, other versions of tokens, etc.) that have to be resolved manually.

So, we strongly suggest before installing OTPManager on an other device, to make sure iCloud Sync is enabled on the mac, so it starts as being master-of-change and there is perfect population of tokens on your newly added device.

We recommend backing up your tokens before switching keychains.