How FactorCat stores your secrets
You’re trusting FactorCat with your MFA secrets. You should know exactly how they’re stored, who can access them, and what happens if things go wrong.
This post explains both encryption models honestly, trade-offs included. For the full security model — the approval flow, backup architecture, and design principles — see the Security page.
Two vaults, two trust models
FactorCat offers two vault types. Both are free. The difference is who holds the keys.
Cloud Vault
How it works: Your TOTP secrets are encrypted and stored on FactorCat’s servers. The encryption keys are managed server-side. When you approve an MFA request, the server decrypts the secret and generates the code.
What this means:
- Your factors sync across all your devices automatically
- If you lose your phone, you can recover by logging in on a new device
- FactorCat (the company) has the technical ability to access your secrets
Who this is for: Most people, most accounts. Your email, social media, streaming services, work tools — anything where convenience matters more than maximum paranoia.
The honest trade-off: You’re trusting FactorCat the same way you trust your email provider or password manager. We encrypt everything at rest and in transit, but we could theoretically be compelled to decrypt it. For a Chipotle account, this is a perfectly reasonable trade-off.
Locked Vault
How it works: Your TOTP secrets are encrypted on your device with a key derived from your passphrase. The encrypted blob is synced to FactorCat’s servers for backup, but the decryption key never leaves your device. FactorCat cannot access the plaintext.
What this means:
- True zero-knowledge encryption — we can’t see your secrets, even if we wanted to
- Recovery requires your Emergency Kit (generated when you create the vault)
- If you lose your phone AND your Emergency Kit, those secrets are gone forever
Who this is for: High-value accounts where the cost of compromise is severe. Cryptocurrency exchanges, financial institutions, infrastructure credentials.
The honest trade-off: You get maximum security at the cost of recovery options. If you lose access and don’t have your Emergency Kit, FactorCat genuinely cannot help you. We don’t have a backdoor, and that’s the point.
The Chipotle vs. crypto exchange framework
We think about vault selection like this:
- Chipotle account — if someone gets in, they order a burrito on your tab. Use Cloud Vault. The convenience of automatic sync and easy recovery far outweighs the theoretical risk.
- Crypto exchange — if someone gets in, they drain your wallet. Use Locked Vault. The inconvenience of managing an Emergency Kit is worth it when real money is at stake.
Most people end up with Cloud Vault for 90% of their accounts and Locked Vault for the handful that really matter. That’s exactly what we designed for.
What happens if FactorCat shuts down?
This is a fair question. Here’s the answer for each vault type:
Cloud Vault: You would need to re-enroll your factors with another authenticator before the service goes offline. We would provide advance notice and migration tools. Your secrets are encrypted at rest, so even if the servers go dark abruptly, your data isn’t exposed — it’s just inaccessible.
Locked Vault: Your encrypted backups are useless without your device key. If you have your Emergency Kit, you can decrypt locally. We plan to open-source the Locked Vault encryption format so third-party tools can import from it, regardless of whether FactorCat exists.
What we encrypt and how
- At rest: AES-256-GCM for all stored secrets
- In transit: TLS 1.3 for all API communication
- Locked Vault key derivation: Argon2id from your passphrase
- Cloud Vault key management: Server-side HSM-backed keys
We don’t store plaintext secrets. We don’t log decrypted values. We don’t sell data. Our business model is subscriptions (Pro at $24/year), not advertising.
Why we’re telling you this
Most authenticator apps don’t explain their encryption model clearly. They say “encrypted” and leave it at that. We think you deserve to understand the actual trust boundaries before you hand over your MFA secrets.
If Cloud Vault’s trust model isn’t acceptable for an account, use Locked Vault. If neither is acceptable, don’t use FactorCat for that account. We’d rather you make an informed decision than a convenient one.
Learn more
- Security model — full technical details
- Data protection & backups — how we back up your data daily with immutable, tamper-proof storage
- Emergency Kit & Recovery — how to save your Locked Vault recovery key
- How FactorCat works — the approve-and-autofill flow
- Download FactorCat — try it free