// terminal
Native CLI + TUI
Scriptable TOTP retrieval from anything. tofa code github --copy clips the OTP on every platform. The TUI shows live countdown bars and click-to-copy rows.
★ open source · MIT · no telemetry
Stop grabbing your phone for codes.
TOFA is the open-source TOTP authenticator for people who live in their computer. A native CLI, TUI, and macOS menu bar app — all reading one offline-encrypted vault. Import 2FA codes from nine authenticators in one go.
Works offline · macOS & Linux · AES-256-GCM · Argon2id
RFC 6238 TOTP · MIT licensed · no telemetry · no account · 9 importers · AES-256-GCM · Argon2id
One vault. Three faces.
Pick the surface that fits the task — they all read the same encrypted vault.
// offline
No cloud. No account.
One encrypted file on disk holds every TOTP secret. AES-256-GCM with an Argon2id-derived key. The passphrase never touches disk. Auto-locks after 10 min idle.
// menu bar
macOS app, same vault
Native menu bar app reads the same TOTP vault as the CLI. Auto-updates in place. Cmd-click any account, the OTP's on your clipboard before you switch tabs.
See it in thirty seconds.
Lead demo auto-plays when you scroll into view. The other two play on click — only one plays at a time.
Everything you'd want from an authenticator. And then some.
Click-to-copy TUI
Live TOTP countdown bars per code. Click any row to copy the OTP. Search by typing.
Paste otpauth:// URIs
Standard otpauth TOTP URIs, one or many at a time. tofa add --uri or the app's "Paste URI".
Drop a QR image
tofa add --qr screenshot.png, or drag a PNG/JPG into the macOS app — every TOTP QR is recognized.
Scan your screens
tofa scan captures every connected display and imports every TOTP QR it finds.
Export to QR
Single migration QR, one PNG per account, or the Save All zip with a printable one-pager.
Encrypted TOTP vault
AES-256-GCM with an Argon2id-derived key holds every TOTP secret offline. Auto-locks after 10 min idle.
Scriptable CLI
TOFA_PASSPHRASE env var unlocks the vault for CI. tofa code <name> clips the OTP on every platform.
Auto-updating macOS app
Checks for a new release on launch and every 24h. Signed in-place updates.
Open source, MIT
Audit the RFC 6238 TOTP and crypto code in tofa-core. No telemetry. No cloud. Ever.
The last 2FA migration you'll do for a while.
Pull every account from your existing authenticator into your TOFA vault once. Add new ones from your computer.
Aegis
andOTP
2FAS
Google Authenticator
Bitwarden
Raivo OTP
Ente Auth
KeePassXC
FreeOTP / FreeOTP+
| Source | How | Status |
|---|---|---|
| Aegis | JSON export | direct |
| andOTP | JSON export | direct |
| 2FAS | JSON backup | direct |
| Google Authenticator | Multi-account migration QR | direct |
| Bitwarden | JSON export | direct |
| Raivo OTP | JSON / ZIP export | direct |
| Ente Auth | Plain-text export | direct |
| KeePassXC | CSV export | direct |
| FreeOTP / FreeOTP+ | TXT URI export | direct |
| 1Password | TOTP fields export | coming soon |
| Apple Passwords | CSV export (macOS 15+) | coming soon |
| Authy | No user-facing export | not possible |
| Microsoft Authenticator | Cloud-only backup, no plain export | not possible |
Per-vendor migration guides on docs.tofa.stratif.io. Want a vendor prioritized? Open an issue.
How TOFA compares.
Comparison reflects published behavior as of 2026. Corrections welcome — open a PR.
| Feature | TOFA | Authy | Google Auth | Microsoft Auth | 1Password | Aegis |
|---|---|---|---|---|---|---|
| Native TUI | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ |
| Native CLI | ✓ | ✗ | ✗ | ✗ | ✓ | ✗ |
| Open source | ✓ | ✗ | ✗ | ✗ | ✗ | ✓ |
| No telemetry | ✓ | ✗ | ✗ | ✗ | ✗ | ✓ |
| Encrypted local vault | ✓ | ✗ | ✗ | ✗ | ✓ | ✓ |
| Works without an account | ✓ | ✗ | ✓ | ✗ | ✗ | ✓ |
| Import otpauth URI / QR | ✓ | ✗ | ✓ | ✗ | ✗ | ✓ |
| Export your secrets | ✓ | ✗ | ✓ | ✗ | ✗ | ✓ |
| Desktop app (no phone) | ✓ | ✓ | ✗ | ✓ | ✓ | ✗ |
Your vault. Your responsibility.
AES-256-GCM with an Argon2id-derived key. The passphrase never touches disk — it lives in memory with a 10-minute TTL and is zeroed on lock.
Read the full threat model →No cloud means no recovery. If you lose the file, no one can restore it. If you forget the passphrase, no one can decrypt it. There is no "forgot password" link, and that's the point.
Back up the vault yourself
- Drop the file in iCloud Drive, Dropbox, or any folder your OS syncs
- Run
tofa exportand stash the JSON in a password manager - Use
tofa qr <name>to print a paper backup - Click Save All in the macOS app for a zip with one QR PNG per account + a printable one-pager
One line. You're done.
brew tap stratif-io/tofa
brew install tofa
# menu bar app:
brew install --cask tofamacOS: TOFA isn't notarized yet, so macOS quarantines it on first launch. See the unsigned-build note for the one-line fix.
If TOFA looks useful, star the repo — it's the easiest way to say thanks.
Star on GitHub