Security Model

Your TOTP secrets never leave your device. The browser extension is architecturally prevented from ever holding them. Here's exactly how it works.

How the approval flow works

When you hit a login page that needs a 2FA code, here's what happens:

  1. Extension detects the MFA field — the browser extension recognizes the site and identifies the TOTP input field.
  2. Push notification to your phone — the extension requests a token from the server. The server sends a push notification to your phone with the site name and account.
  3. You approve with biometrics — Face ID, fingerprint, or device PIN. Your phone generates the 6-digit TOTP code locally.
  4. Code fills in automatically — the computed code is sent back to the extension, which fills it into the field. Your TOTP secret never left your phone.

The extension never holds your TOTP secrets. It receives only the computed 6-digit code, after you've approved on your phone. This is an architectural constraint, not a policy — the extension has no code path through which it could access your secrets.
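As an added illustration of the four steps above (example code written for this page, not FactorCat's own), the model below puts the TOTP secret only on the phone side and lets the extension see nothing but the finished code. The TOTP function is plain RFC 6238 (HMAC-SHA1, 30-second steps) and the secret is the RFC's test-vector seed, so the output can be checked against the published values; the class names, message fields and the extra origin-matching check on the phone are assumptions made for the example.

```python
import hashlib
import hmac
import struct
from urllib.parse import urlparse

# Constructed example secret: the RFC 6238 test-vector seed, chosen so the
# codes below can be checked against the RFC's published values.
EXAMPLE_SECRET = b"12345678901234567890"
TIME_STEP = 30


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the variant most sites enrol."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Phone:
    """The only component that holds TOTP secrets (hypothetical data model)."""

    def __init__(self, vault: dict):
        # vault maps (site, account) -> raw TOTP secret
        self._vault = vault

    def handle_push(self, request: dict, user_approved: bool, now: int) -> dict:
        """Act on a push notification; the reply carries a code, never a secret."""
        key = (request["site"], request["account"])
        if key not in self._vault:
            return {"status": "unknown_token"}
        # Added defensive check (an assumption, not a documented FactorCat
        # behaviour): the requesting page's host must match the enrolled site,
        # in addition to the user comparing site and account in the prompt.
        if urlparse(request["origin"]).hostname != request["site"]:
            return {"status": "origin_mismatch"}
        if not user_approved:
            return {"status": "denied"}
        return {
            "status": "ok",
            "code": totp(self._vault[key], now),
            "expires_at": (now // TIME_STEP + 1) * TIME_STEP,
        }


class Extension:
    """Browser side: builds the request, fills whatever code comes back."""

    def __init__(self):
        self.filled_code = None

    def build_request(self, site: str, account: str, origin: str) -> dict:
        # Only site, account and the page origin leave the browser.
        return {"site": site, "account": account, "origin": origin}

    def fill(self, reply: dict) -> str:
        if reply.get("status") == "ok":
            self.filled_code = reply["code"]
        return reply.get("status", "error")


def run_flow(user_approved: bool, now: int, origin: str = "https://example.com/login") -> dict:
    """One approval round trip. The relay server that forwards the push is
    omitted; it would see the same request dict and nothing more."""
    phone = Phone({("example.com", "alice"): EXAMPLE_SECRET})
    extension = Extension()
    request = extension.build_request("example.com", "alice", origin)
    reply = phone.handle_push(request, user_approved, now)
    extension.fill(reply)
    return reply


if __name__ == "__main__":
    # At T=59 the RFC 6238 SHA-1 test vector gives 94287082; six digits: 287082
    print(run_flow(user_approved=True, now=59))
```

The point to notice is in the data flow rather than the arithmetic: the `Extension` class has no field for a secret and no call that could return one, and every reply the phone produces is either a status or a single time-limited code. Denied, unknown and mismatched requests yield no code at all.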

Two vault types — you choose

Every factor you add goes into a vault. FactorCat offers two vault types with fundamentally different security properties. Both are free.

Cloud Vault

Convenience-first. Easy recovery. Best for everyday accounts.

  • Encryption: Cloud-managed keys. FactorCat holds the encryption key.
  • Recovery: Sign in on the web dashboard — your tokens are there.
  • Multi-device: Automatic, free for all users.
  • Best for: Social media, streaming, forums — accounts where convenience matters more than maximum security.

Locked Vault

Zero-trust. You hold the keys. Best for high-value accounts.

  • Encryption: User-derived master key. FactorCat cannot decrypt your secrets.
  • Recovery: Emergency Kit only — a recovery phrase and QR code you create at setup.
  • Multi-device: Scan your Emergency Kit QR on each new device.
  • Best for: Crypto exchanges, cloud infrastructure, financial accounts — anything where a breach is catastrophic.

"Choose vault security to match your priorities. Chipotle account? Cloud Vault. Crypto exchange? Locked Vault. Both free."

What we store vs. what we don't

We store:
  • Account info (email, OAuth link)
  • Token metadata (site names, URLs)
  • Encrypted blobs (Cloud Vault: we can decrypt)
  • Encrypted blobs (Locked Vault: we cannot decrypt)

We don't store:
  • Passwords (never, by design)
  • TOTP secrets in plaintext
  • Your encryption keys (Locked Vault)
  • Biometric data

Recovery: what happens when you lose your phone

Recovery is the hardest part of security to get right. We believe in being transparent about what's recoverable and what isn't.

Cloud Vault recovery

Immediate. Sign in to the web dashboard at app.factorcat.com. Your Cloud Vault tokens are there — viewable and usable from any browser. Your TOTP codes are generated server-side and displayed with a countdown timer. You can copy codes manually while you set up a new phone.

Locked Vault recovery

Requires your Emergency Kit. When you create a Locked Vault, FactorCat generates a recovery phrase (12–24 words) and a QR code that encodes your master key. You save this — on paper, in a safe, wherever you keep critical documents.

To recover: download FactorCat on your new phone, scan the Emergency Kit QR code, and your master key derives all vault keys, decrypts your tokens, and restores everything. Takes about two minutes.

If you lose both your phone and your Emergency Kit, your Locked Vault tokens are permanently unrecoverable. This is by design — it's what "zero-trust" means. FactorCat cannot help you because we never had your master key. You accept this explicitly when creating a Locked Vault.

How the Emergency Kit works

  • Recovery phrase — 12–24 human-readable words. Can be handwritten, read aloud, or stored digitally.
  • QR code — encodes the same master key for quick device scanning.
  • Spot-check at creation — FactorCat asks you to confirm 3 specific words from your phrase before marking recovery as verified. We don't let you skip this.
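To make the Locked Vault mechanics concrete (the user-derived master key that FactorCat cannot reproduce, the phrase and QR that encode it, the per-vault keys derived from it, and the three-word spot-check), here is an added worked example. It is illustration code written for this page, not FactorCat's implementation: the wordlist is a constructed placeholder rather than a standardized list, the phrase layout follows the BIP39 pattern (key bits plus a short SHA-256 checksum, 11 bits per word, giving 12 or 24 words), the key derivation is RFC 5869 HKDF with salt and label values chosen for the example, and the QR code is simply another carrier for the same bytes.

```python
import hashlib
import hmac
import secrets

# Placeholder wordlist with 2048 constructed entries, so each word carries
# 11 bits. A real Emergency Kit would use a standardized human-readable list.
WORDLIST = [f"word{i:04d}" for i in range(2048)]


def key_to_phrase(master_key: bytes) -> list:
    """Encode a 128- or 256-bit master key as 12 or 24 words.
    Layout (BIP39-style): key bits followed by a checksum of len/32 bits
    taken from SHA-256 of the key, split into 11-bit word indexes."""
    if len(master_key) not in (16, 32):
        raise ValueError("master key must be 16 or 32 bytes")
    cs_bits = len(master_key) * 8 // 32
    checksum = hashlib.sha256(master_key).digest()[0] >> (8 - cs_bits)
    bits = (int.from_bytes(master_key, "big") << cs_bits) | checksum
    n_words = (len(master_key) * 8 + cs_bits) // 11
    return [WORDLIST[(bits >> (11 * (n_words - 1 - i))) & 0x7FF] for i in range(n_words)]


def phrase_to_key(words: list) -> bytes:
    """Inverse of key_to_phrase; rejects a wrong word count, unknown words and
    any phrase whose checksum does not match (a mistyped or swapped word)."""
    n_words = len(words)
    if n_words not in (12, 24):
        raise ValueError("phrase must be 12 or 24 words")
    bits = 0
    for word in words:
        bits = (bits << 11) | WORDLIST.index(word)  # ValueError if unknown
    cs_bits = n_words // 3
    key = (bits >> cs_bits).to_bytes((n_words * 11 - cs_bits) // 8, "big")
    expected = hashlib.sha256(key).digest()[0] >> (8 - cs_bits)
    if (bits & ((1 << cs_bits) - 1)) != expected:
        raise ValueError("checksum mismatch: a word is wrong or out of order")
    return key


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract then expand) with SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block = b"", b""
    for i in range(1, -(-length // 32) + 1):
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        okm += block
    return okm[:length]


def derive_vault_key(master_key: bytes, vault_id: str) -> bytes:
    """One key per vault from the single master key. The salt and info
    labels are assumptions; FactorCat's actual labels are not published."""
    return hkdf_sha256(master_key, salt=b"locked-vault-kdf-v1", info=vault_id.encode())


def recover(words: list, vault_ids: list) -> dict:
    """Device-side recovery: phrase -> master key -> every vault key.
    Nothing here needs a server, which is why the server cannot do it."""
    master_key = phrase_to_key(words)
    return {vault_id: derive_vault_key(master_key, vault_id) for vault_id in vault_ids}


def spot_check_positions(n_words: int) -> list:
    """Pick three 1-based word positions for the creation-time spot-check."""
    return sorted(secrets.SystemRandom().sample(range(1, n_words + 1), 3))


def spot_check(phrase: list, positions: list, answers: list) -> bool:
    """True only if the user reproduces the words at all three positions."""
    if len(positions) != 3 or len(answers) != 3:
        raise ValueError("spot-check uses exactly three words")
    return all(phrase[p - 1] == a for p, a in zip(positions, answers))


if __name__ == "__main__":
    master = secrets.token_bytes(16)          # generated on the phone, never uploaded
    phrase = key_to_phrase(master)            # 12 words; a QR would carry the same bytes
    positions = spot_check_positions(len(phrase))
    assert spot_check(phrase, positions, [phrase[p - 1] for p in positions])
    assert recover(phrase, ["main"])["main"] == derive_vault_key(master, "main")
    print(len(phrase), "words; vault key", derive_vault_key(master, "main").hex()[:16], "...")
```

Two properties of the page's design show up directly in the code: the recovery path consists only of functions that run on the device from the phrase, so a server holding the encrypted blobs has no input from which to derive a vault key, and a phrase with a single wrong or swapped word fails the checksum rather than silently producing a different key. The spot-check is what catches a phrase that was never actually written down.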

Recovery summary

  • Phone lost: Cloud Vault recovers via the web dashboard (instant); Locked Vault recovers via the Emergency Kit (scan QR on new phone).
  • Phone offline: Cloud Vault shows codes via the web dashboard eye icon; Locked Vault has no fallback (phone holds master key).
  • Phone and Emergency Kit lost: Cloud Vault is recoverable via the web dashboard; Locked Vault is unrecoverable (by design).

Design principles

  • MFA and passwords stay separate. FactorCat is not a password manager and never will be. Combining them creates a single point of failure — one breach compromises both your password and your second factor. We keep them apart by design.
  • The extension cannot hold secrets. This is architectural, not a policy. The extension receives computed TOTP codes (6 digits, valid for 30 seconds) after phone-side approval. It has no mechanism to request, store, or cache the underlying secret.
  • Recovery is transparent. We tell you exactly what's recoverable and what isn't, per vault type, before you make a choice. No surprises.
  • Security is free. Both Cloud Vault and Locked Vault are free. FactorCat never charges for security — the mission is to get more people using MFA, and security gates work against that.

Transparency

  • Open-source browser extension — the extension code will be publicly auditable. You can verify that it never touches your TOTP secrets.
  • No tracking in the product. The marketing site uses analytics. The app, extension, and web dashboard do not track your behavior.
  • Responsible disclosure. Found a vulnerability? We want to hear about it. See our Responsible Disclosure Policy for reporting instructions, scope, safe harbor, and response commitments.

Common questions

What if someone steals my phone?

They still can't access your tokens. FactorCat requires biometric confirmation (Face ID, fingerprint, or device PIN) before generating any TOTP code. The TOTP secrets are encrypted at rest on your device.

Can FactorCat read my Locked Vault secrets?

No. The master key never leaves your device. We store encrypted blobs that we cannot decrypt. This is verifiable — the encryption happens client-side, and the extension source code will be open.

Why not use a password manager for MFA?

If your password manager stores both your password and your TOTP secret, a single breach compromises both factors. The entire point of multi-factor authentication is that the factors are independent. FactorCat keeps your second factor separate from your passwords.

Is the approval flow vulnerable to phishing?

FactorCat shows you the site name and account in the push notification. You verify the request matches what you're doing. Unlike SMS codes, the code is never transmitted in a way that can be intercepted. Unlike Google Prompts, the code is generated locally — there's no relay-based phishing vector.

Security you can verify

FactorCat launches soon. Get notified when it's ready.