Most people juggle at least three or four apps just to stay secure online. A messaging app here, an email client there, a standalone authenticator somewhere else. We've been thinking about that for a while, and it always felt like something we could simplify.

Starting today, Crypton includes a built-in authenticator. You can store your TOTP secrets for any service -- Google, GitHub, Discord, your bank, whatever uses two-factor authentication -- and generate 2FA codes right inside the platform. No separate app needed.

Why we built this

The honest answer is that it just made sense. Crypton already handles your phone numbers, messages, email, and eSIM data plans, all with end-to-end encryption. Having your 2FA codes scattered across a different app on a different device felt like a gap. If you trust us with your communications, you should be able to keep your authentication codes here too, protected by the same encryption.

We're not trying to replace every authenticator out there. If you're happy with your current setup, keep using it. But if you want fewer apps and one less thing to worry about, this is here for you.

How it works

Add an account by entering the secret key manually, pasting an otpauth:// URI, or scanning a QR code. The codes refresh automatically with a visual countdown, and copying a code is a single click.

For services we recognize -- Google, Microsoft, GitHub, Discord, Steam, Telegram, and about 30 others -- you'll see the actual brand icon instead of a generic letter avatar. Small thing, but it makes scanning through a list of accounts much faster.

Everything works without JavaScript too. The QR scanner obviously needs it, but manual entry, URI pasting, code display, and even copying codes all function perfectly with JS disabled. We know some of our users run hardened browsers, and we don't want to make their experience worse.

Encryption

This is the part that matters most. Your TOTP secrets, account labels, and service names are all encrypted with your personal encryption key before they ever hit the database. The same Halite-based asymmetric encryption that protects your contacts and conversations protects your authenticator data.

What this means in practice:

  • We can't see your secrets. The server stores ciphertext. Without your passphrase, the data is meaningless.
  • Admins see nothing useful. The admin panel shows that accounts exist and their technical parameters (algorithm, digit count, period), but the actual service names, labels, and secrets are encrypted and invisible.
  • The API respects this too. If you manage your accounts through the API, encryption and decryption happen through your token's embedded key. The codes endpoint won't even respond without a valid encryption key.
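Here is how the pieces from the two sections above fit together, as an added example that is not Crypton's own code: parsing an otpauth:// URI into the parameters the admin panel can see (algorithm, digit count, period), computing the current code with its countdown, and separating that metadata from the fields that must be encrypted before storage. The sample URI is constructed, and its secret is the RFC 6238 test key; the function names are my own.

```python
# Parse an otpauth:// URI and compute the live TOTP code (RFC 6238).
# Illustrative code, not Crypton's implementation; the sample URI is
# constructed and its secret is the RFC 6238 test key in base32.
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

SAMPLE_URI = ("otpauth://totp/Example:alice%40example.com?secret="
              "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6")

def parse_otpauth(uri: str) -> dict:
    """Split an otpauth://totp/... URI into its account fields."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("only otpauth://totp URIs are handled here")
    label = unquote(u.path.lstrip("/"))
    label_issuer, _, account = label.rpartition(":")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    return {
        "issuer": q.get("issuer", label_issuer),
        "account": account.strip(),
        "secret": q["secret"],  # base32; URIs usually omit '=' padding
        "algorithm": q.get("algorithm", "SHA1").upper(),
        "digits": int(q.get("digits", "6")),
        "period": int(q.get("period", "30")),
    }

def totp(secret_b32: str, at: int, algorithm: str = "SHA1",
         digits: int = 6, period: int = 30) -> str:
    """HOTP over floor(at / period) with RFC 4226 dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", at // period)
    mac = hmac.new(key, counter, getattr(hashlib, algorithm.lower())).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def seconds_remaining(at: int, period: int = 30) -> int:
    """Countdown until the current code rolls over."""
    return period - at % period

def split_for_storage(acct: dict) -> tuple:
    """Fields an admin may see in the clear (algorithm, digits, period)
    vs. fields that must be encrypted client-side before storage."""
    public = {k: acct[k] for k in ("algorithm", "digits", "period")}
    private = {k: acct[k] for k in ("issuer", "account", "secret")}
    return public, private
```

Replace the fixed timestamp with `int(time.time())` to get the code a live authenticator would show; the RFC 6238 vectors (59 s and 1111111109 s) give a fixed reference to check against.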

API support

The full authenticator is available through the API for those who want to integrate it into their own workflows. Five endpoints cover listing accounts, fetching live codes, and creating, updating, and deleting accounts. Rate limits are in place, and everything is documented on the API docs page.

What we didn't build

We intentionally kept the scope tight. There's no cloud sync with third-party authenticator apps, no push-based authentication, and no HOTP (counter-based) support. This is TOTP only, which covers the vast majority of services that use authenticator codes. If demand for HOTP shows up, we'll consider it.

There's also a hard cap of 100 accounts per user. That should be more than enough for anyone, and it keeps things manageable on our end.


The authenticator is available now for all users. You'll find it in the app sidebar. It is completely free to use. If you're using the API, the new endpoints are documented under the Encrypted Endpoints section of the API docs.

As always, if something breaks or doesn't feel right, let us know through the support system.