Locked Vault
Locked Vault uses zero-knowledge encryption. Your master key never leaves your phone. FactorCat cannot access your secrets. Best for high-value accounts.
Locked Vault is for users who want zero-knowledge encryption — meaning FactorCat has no technical ability to access your factors, even under a court order or data breach. You hold the only key.
How Locked Vault works
When you create your first Locked Vault, FactorCat generates a master key on your phone. This key encrypts everything in your Locked Vaults using AES-256-GCM. The encrypted data syncs to FactorCat’s servers for backup and cross-device access, but the key itself stays on your device. FactorCat never sees it.
This means:
- Your factors are encrypted with a key only you hold. FactorCat stores the encrypted blobs but cannot decrypt them.
- TOTP codes are generated locally on your phone. When you approve a push request, your phone computes the code and sends it to the extension — the server never sees the TOTP secret.
- Recovery depends on you. If you lose your master key and your device, your Locked Vault factors are permanently irrecoverable.
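The two mechanics in the list above, shown as an added Go example that is not FactorCat's code: a vault entry is sealed under a device-held AES-256-GCM key so that whoever stores the blob (the sync server, or anyone who copies its database) can neither read nor alter it, and the TOTP code is computed locally from the decrypted secret per RFC 6238. The blob layout (nonce followed by ciphertext and tag), binding the vault ID as associated data, and the sample secret are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// NewMasterKey returns 32 random bytes: an AES-256 key that, in the model
// described above, is generated on the phone and never uploaded.
func NewMasterKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealVault encrypts a vault payload with AES-256-GCM. The vault ID is bound as
// associated data so a blob cannot be silently moved between vaults.
// Output layout (an assumption of this example): 12-byte nonce || ciphertext+tag.
func SealVault(key, vaultID, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, vaultID), nil
}

// OpenVault is what the phone does. Anyone holding the blob without the key,
// or holding a blob that has been modified, gets an error instead of plaintext.
func OpenVault(key, vaultID, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, vaultID)
}

// TOTPCode implements RFC 6238 (HMAC-SHA1, 30-second time step) from a raw
// TOTP secret; this is the computation the phone runs locally.
func TOTPCode(secret []byte, at time.Time, digits int) string {
	counter := uint64(at.Unix()) / 30
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f // dynamic truncation, RFC 4226 section 5.3
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

func main() {
	key, _ := NewMasterKey()
	secret := []byte("12345678901234567890") // constructed sample TOTP secret (RFC 6238 test key)
	blob, _ := SealVault(key, []byte("vault-1"), secret)
	fmt.Printf("server stores %d opaque bytes\n", len(blob))
	if _, err := OpenVault(make([]byte, 32), []byte("vault-1"), blob); err != nil {
		fmt.Println("without the master key the blob cannot be opened:", err)
	}
	pt, _ := OpenVault(key, []byte("vault-1"), blob)
	fmt.Println("phone computes code:", TOTPCode(pt, time.Now(), 6))
}
```

The test vector used in the program (secret `12345678901234567890`) is the one published in RFC 6238, so the codes it yields at fixed timestamps can be checked against that document's table.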
Your master key
During Locked Vault setup, the app shows your master key in two forms:
- Recovery phrase — 12 easy-to-read words (BIP39 standard)
- QR code — a scannable image encoding the same key
Your master key is also stored in your phone’s secure keychain, which is typically included in iCloud Keychain (iOS) or Google encrypted backup (Android).
You can view your master key again at any time: Settings > Security > Show Master Key (requires biometric confirmation).
Saving your recovery phrase
Your recovery phrase is the backup you fully control. How you store it is a security decision, so several options are listed here to help you find one that fits your situation:
- Print the emergency kit PDF — FactorCat generates a printable document with your recovery phrase and QR code. Store it where you keep important documents.
- Write down the 12 words by hand — pen and paper in a safe, a lockbox, or a secure drawer.
- Screenshot the QR code and transfer it to another device — AirDrop it to your Mac, email it to yourself, or move it to a trusted second device however you prefer. Keep in mind that a copy of the key then also lives wherever that mailbox or device is backed up.
- Save it to a password manager — if you use a separate password manager, your recovery phrase can go there. (Your password manager holds the recovery key; FactorCat holds the 2FA factors — they stay separated.)
- Store it in an encrypted note on a second device — Apple Notes with a password, a secure note in another app, or an encrypted file.
Pick whatever matches your comfort level. The point is to have at least one copy somewhere you’ll still have access to if your phone is lost or destroyed.
Without either OS backup or your saved recovery phrase, your Locked Vault data is permanently irrecoverable. This is the cost of zero-knowledge encryption — FactorCat never had your master key, so there is no reset, no override, and no backdoor. This is typical of phone-based authenticators that use zero-knowledge encryption.
What happens if you lose your phone
There are two safety nets, in order:
- OS backup (automatic). Your master key lives in your phone’s secure keychain. On iOS, iCloud Keychain typically syncs it automatically. On Android, Google’s encrypted backup includes it by default. Restoring to a new device usually recovers your Locked Vaults without any action on your part.
- Your saved recovery phrase or QR code (manual). If OS backup doesn’t cover you, enter your 12-word recovery phrase or scan your recovery QR on the new device. The app verifies it matches your vaults and restores access.
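What "the app verifies it matches your vaults" can involve, as an added Go example that is not FactorCat's code: a 12-word BIP39 phrase carries 128 bits of entropy plus a 4-bit checksum (the first 4 bits of SHA-256 over the entropy), so a mistyped or swapped word is rejected by the checksum 15 times out of 16; the remaining case is caught by comparing a fingerprint of the restored key against one stored with the vault. The word indices map into the 2048-word BIP39 English wordlist, which is not embedded here; deriving the 256-bit master key as SHA-256 of the entropy and the HMAC-based fingerprint format are assumptions of this example, not FactorCat's documented scheme.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// PhraseIndices turns 128 bits of entropy into the 12 word indices of a BIP39
// phrase: append the first 4 bits of SHA-256(entropy) as a checksum and split
// the resulting 132 bits into 12 groups of 11. Each index selects a word from
// the BIP39 English wordlist (2048 words, not embedded here).
func PhraseIndices(entropy []byte) ([]int, error) {
	if len(entropy) != 16 {
		return nil, errors.New("a 12-word phrase needs exactly 16 bytes of entropy")
	}
	sum := sha256.Sum256(entropy)
	bits := make([]byte, 0, 132)
	for _, b := range entropy {
		for i := 7; i >= 0; i-- {
			bits = append(bits, (b>>uint(i))&1)
		}
	}
	for i := 7; i >= 4; i-- { // checksum length = entropy bits / 32 = 4
		bits = append(bits, (sum[0]>>uint(i))&1)
	}
	idx := make([]int, 12)
	for w := 0; w < 12; w++ {
		for i := 0; i < 11; i++ {
			idx[w] = idx[w]<<1 | int(bits[w*11+i])
		}
	}
	return idx, nil
}

// EntropyFromIndices reverses PhraseIndices and rejects a phrase whose
// checksum does not match the entropy it encodes.
func EntropyFromIndices(idx []int) ([]byte, error) {
	if len(idx) != 12 {
		return nil, errors.New("expected 12 word indices")
	}
	bits := make([]byte, 0, 132)
	for _, v := range idx {
		if v < 0 || v >= 2048 {
			return nil, errors.New("word index out of range")
		}
		for i := 10; i >= 0; i-- {
			bits = append(bits, byte((v>>uint(i))&1))
		}
	}
	entropy := make([]byte, 16)
	for i := 0; i < 128; i++ {
		entropy[i/8] = entropy[i/8]<<1 | bits[i]
	}
	sum := sha256.Sum256(entropy)
	want := sum[0] >> 4
	var got byte
	for i := 128; i < 132; i++ {
		got = got<<1 | bits[i]
	}
	if got != want {
		return nil, errors.New("recovery phrase checksum mismatch")
	}
	return entropy, nil
}

// KeyCheck is a short fingerprint an app could store beside each vault so a
// restored key can be confirmed before anything is decrypted. HMAC over a fixed
// label is an assumption of this example.
func KeyCheck(masterKey []byte) string {
	mac := hmac.New(sha256.New, masterKey)
	mac.Write([]byte("example-key-check"))
	return hex.EncodeToString(mac.Sum(nil)[:8])
}

// RestoreMasterKey is the manual safety net: validate the phrase typed on the
// new phone, derive the key (SHA-256 of the entropy is an assumed KDF here) and
// confirm it matches the fingerprint stored with the vault.
func RestoreMasterKey(idx []int, storedCheck string) ([]byte, error) {
	entropy, err := EntropyFromIndices(idx)
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(entropy)
	if !hmac.Equal([]byte(KeyCheck(k[:])), []byte(storedCheck)) {
		return nil, errors.New("phrase is valid but does not match this vault")
	}
	return k[:], nil
}

func main() {
	entropy := make([]byte, 16)
	rand.Read(entropy) // fresh entropy, as generated on the phone at setup
	idx, _ := PhraseIndices(entropy)
	k := sha256.Sum256(entropy)
	fmt.Println("word indices:", idx, "vault fingerprint:", KeyCheck(k[:]))
	if _, err := RestoreMasterKey(idx, KeyCheck(k[:])); err == nil {
		fmt.Println("phrase verified and key restored")
	}
}
```

The all-zero entropy vector is a well-known BIP39 test case (the phrase "abandon" eleven times followed by "about", i.e. index 3 in the last position), which is a convenient way to check the checksum arithmetic.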
If neither safety net is in place, your Locked Vault factors cannot be recovered. Your Cloud Vault factors are unaffected — they recover automatically on sign-in.
For the full recovery process, see Emergency Kit & Recovery.
Risk acknowledgment
When you create a Locked Vault, FactorCat requires an explicit acknowledgment that:
- You understand FactorCat cannot recover your Locked Vault factors
- You’re responsible for saving your recovery phrase
- Loss of your master key means permanent data loss
This isn’t fine print — it’s a deliberate gate to make sure you’re making an informed choice.
When to use Locked Vault
Locked Vault is the right choice for:
- High-security accounts — banking, cryptocurrency, admin consoles, infrastructure access
- Accounts where you specifically want zero-knowledge encryption — you don’t want anyone, including FactorCat, to have technical access to your factors
- Security-conscious users who are comfortable managing their own recovery
It’s not required. Cloud Vault is secure and convenient for most accounts. Many users keep most factors in Cloud Vault and move only their highest-value accounts to a Locked Vault.
Cloud Vault vs Locked Vault
| | Cloud Vault | Locked Vault |
|---|---|---|
| Who holds the key | FactorCat (cloud-managed) | You (master key on your device) |
| Recovery | Sign in on any device | OS backup or emergency kit |
| FactorCat can decrypt | Yes (to generate TOTP codes) | No — zero-knowledge encryption |
| Setup | Instant | Key ceremony with recovery phrase |
| Best for | Most accounts, convenience | High-security accounts, zero-knowledge |
| Price | Free (up to 50 factors) | Free (up to 50 factors) |
Not sure which to use? Start with Cloud Vault — it’s secure, convenient, and recovers automatically. Move high-value accounts to a Locked Vault when you’re comfortable with the recovery model.
For the full security model, see the security page. For a deeper look at encryption, see How FactorCat Stores Your Secrets.