Releases: technologiespro/smart2fa

Smart2FA v2 oxid

20 May 06:15

Premium 2FA authenticator

What was done

The "Oxid Edition" client-side 2FA authenticator was completely rebuilt from scratch:

  • Complete template replacement: the template has been replaced with pure Vue 3 + Vite. The backend is no longer used—the app works 100% offline.
  • Industrial-Metallic design system: Rust Orange #E25822 over Dark Charcoal #1A1B1E, glassmorphism, metallic edges, JetBrains Mono (for codes) and Inter (for the UI).
  • Full 2FA token lifecycle: PIN generation → unlock → add via QR/manually → display with countdown → copy → delete → export/import → wipe.
  • Real cryptography:
    • The PIN is hashed with PBKDF2 + SHA-256, 25,000 iterations, for verification.
    • Token storage in localStorage is encrypted with AES-256 CBC under a key derived from the PIN by the same PBKDF2 (but with a different salt).
  • Real TOTP: otpauth library (RFC 6238), supports SHA-1/256/512, 6/7/8 digits, 30/60 sec periods.
  • Real QR scanner via html5-qrcode with otpauth:// URI recognition and parsing of all parameters (issuer, label, algorithm, digits, period).
  • Categories with colored dots: Crypto, Social, Work, Finance, Email, Gaming, Other — with automatic detection by known providers (GitHub → Work, Coinbase → Crypto, etc.).
  • Themes: dark (default) and light steel, saved in localStorage.
  • Biometric unlock via WebAuthn (Touch ID / Face ID / Windows Hello).
    WebAuthn can be used to "wrap" the encrypted key: the PIN remains as a backup, while in 95% of cases, the user unlocks the app with a single touch.
  • Auto-Lock on Inactivity.
    For example, after 60 seconds of idle time — an automatic call to auth.lock(). A mandatory feature for corporate use cases.
  • Testing: Automatically ran 17 scenarios — all passed (100%).

Security Logic

  1. On first launch, the user creates a 4-digit PIN.
  2. The PIN is not stored in plaintext. Only the PBKDF2 hash (oxid:pin-hash) is stored.
  3. The PIN itself is held only in memory, in the Pinia store, and only during an unlocked session. After a page refresh or pressing "Lock," it is erased.
  4. All tokens are serialized as JSON and encrypted with AES-256 before being written to localStorage under the oxid:vault key. Without the correct PIN, they cannot be decrypted—even if an attacker gains access to local storage.
  5. The .oxid export file is the same encrypted payload; it can be safely sent to yourself via email or the cloud: without the PIN, it is useless.
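The scheme in steps 1 to 5, as an added example that is not the project's own code: one PBKDF2 output is stored for PIN verification, a second one (different salt) becomes the AES-256-CBC key for the serialized tokens. It uses Node's built-in `crypto` module as a stand-in for the in-browser library; the function names, the 16-byte random salts and IV, and the `{ iv, ct }` blob layout are assumptions.

```javascript
// Added example: the PIN hash / vault key split, modelled with Node's crypto module.
const nodeCrypto = require("crypto");

const ITERATIONS = 25000; // iteration count stated in the release notes

function derive(pin, salt) {
  return nodeCrypto.pbkdf2Sync(pin, salt, ITERATIONS, 32, "sha256");
}

// First launch: one salt for the stored verification hash, another for the AES key.
// Assumption: both salts are random 16-byte values kept beside the hash.
function createPinRecord(pin) {
  const hashSalt = nodeCrypto.randomBytes(16);
  const keySalt = nodeCrypto.randomBytes(16);
  return { hashSalt, keySalt, pinHash: derive(pin, hashSalt) };
}

function verifyPin(pin, rec) {
  return nodeCrypto.timingSafeEqual(derive(pin, rec.hashSalt), rec.pinHash);
}

// Serialize tokens as JSON and encrypt with AES-256-CBC under a fresh random IV.
function sealVault(tokens, pin, rec) {
  const iv = nodeCrypto.randomBytes(16);
  const c = nodeCrypto.createCipheriv("aes-256-cbc", derive(pin, rec.keySalt), iv);
  const ct = Buffer.concat([c.update(JSON.stringify(tokens), "utf8"), c.final()]);
  return { iv: iv.toString("base64"), ct: ct.toString("base64") };
}

// CBC has no integrity tag, so check the PIN hash first instead of relying on
// a padding or JSON error to reveal a wrong key.
function openVault(blob, pin, rec) {
  if (!verifyPin(pin, rec)) return null;
  const key = derive(pin, rec.keySalt);
  const d = nodeCrypto.createDecipheriv("aes-256-cbc", key, Buffer.from(blob.iv, "base64"));
  const pt = Buffer.concat([d.update(Buffer.from(blob.ct, "base64")), d.final()]);
  return JSON.parse(pt.toString("utf8"));
}

// PBKDF2 iterations needed to cover every PIN of a given length: the whole
// offline work factor protecting a copied hash or vault.
function pinSpaceWork(digits) {
  return 10 ** digits * ITERATIONS;
}
```

`pinSpaceWork(4)` is the figure to weigh when deciding whether an exported file may leave the device; each extra PIN digit multiplies it by ten.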

TOTP Code Generation

  • A timer on each card is triggered once per second: the code and remaining time are recalculated.
  • The progress bar under the code gradually shrinks from 100% to 0%.
  • Five seconds before the code expires, the bar turns red—a visual warning.
  • Tap the code → copy to clipboard + metal "toast."
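What each card recomputes on every tick, together with the otpauth:// parsing and Base32 validation mentioned elsewhere in these notes, as an added example that is not the project's code (the app uses the otpauth library; this sketch uses only Node built-ins). Function names and the sample URI in the test are constructed; the accepted parameter sets mirror the ones listed above.

```javascript
// Added example: RFC 6238 TOTP and otpauth:// parsing with Node built-ins only.
const nodeCrypto = require("crypto");

const B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";
const ALGOS = ["SHA1", "SHA256", "SHA512"];

// Decode a Base32 secret, rejecting any character outside A-Z2-7.
function base32Decode(text) {
  const clean = text.replace(/=+$/, "").toUpperCase();
  if (!/^[A-Z2-7]+$/.test(clean)) throw new Error("invalid Base32 secret");
  const out = [];
  let bits = 0, value = 0;
  for (const ch of clean) {
    value = (value << 5) | B32.indexOf(ch);
    bits += 5;
    if (bits >= 8) {
      bits -= 8;
      out.push(value >>> bits);
      value &= (1 << bits) - 1; // keep only the bits not yet emitted
    }
  }
  return Buffer.from(out);
}

// Parse otpauth://totp/Issuer:label?secret=...&algorithm=...&digits=...&period=...
function parseOtpauth(uri) {
  const u = new URL(uri);
  if (u.protocol !== "otpauth:" || u.hostname !== "totp") throw new Error("not a TOTP URI");
  const [prefix, ...rest] = decodeURIComponent(u.pathname.slice(1)).split(":");
  const q = u.searchParams;
  const tok = {
    issuer: q.get("issuer") || (rest.length ? prefix : ""),
    label: rest.length ? rest.join(":") : prefix,
    secret: base32Decode(q.get("secret") || ""),
    algorithm: (q.get("algorithm") || "SHA1").toUpperCase(),
    digits: Number(q.get("digits") || 6),
    period: Number(q.get("period") || 30),
  };
  if (!ALGOS.includes(tok.algorithm) || ![6, 7, 8].includes(tok.digits) || ![30, 60].includes(tok.period))
    throw new Error("unsupported TOTP parameters");
  return tok;
}

// Code and seconds remaining for a given Unix time.
function totp(tok, unixSeconds) {
  const counter = Buffer.alloc(8);
  counter.writeBigUInt64BE(BigInt(Math.floor(unixSeconds / tok.period)));
  const mac = nodeCrypto.createHmac(tok.algorithm.toLowerCase(), tok.secret).update(counter).digest();
  const bin = mac.readUInt32BE(mac[mac.length - 1] & 0x0f) & 0x7fffffff; // dynamic truncation
  const code = String(bin % 10 ** tok.digits).padStart(tok.digits, "0");
  return { code, secondsLeft: tok.period - (unixSeconds % tok.period) };
}
```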

Features — Detailed List

PIN Screen

  • 3 automatic modes: Create / Confirm / Enter (depending on the presence of 'oxid:pin-hash').
  • Indicator dots fill with a rusty orange color with a slight glow.
  • If the PIN doesn't match, a shake animation is played and the user is reset to Create mode.
  • Background — low-contrast brushed steel texture (10–15% opacity).

Vault (main screen)

  • Sticky-glass header: number of codes, Lock and Settings buttons.
  • Search field — real-time filtering by issuer / label / category.
  • Horizontal filter bar with 7 categories (colored dot + uppercase label).
  • Token cards: issuer, label, algorithm badge (for SHA-256/512), 6-digit code with a dot separator in the middle, thin progress bar.
  • FAB "+" — add token.
  • Empty state with a 3D illustration and a "Forge First Token" button.

Add token

  • QR scan: camera permission request → live video with reticle (angle brackets + ticker) → auto-parsing otpauth URI → auto-category → save.
  • Manual: issuer / label / Base32 secret with validation (A-Z2-7 only), select categories (with issuer auto-suggestion), expandable advanced (algo / digits / period).

Settings

  • Theme: Dark / Light switch (persistent).
  • Export Vault: Download an encrypted .oxid file with a timestamp.
  • Import Vault: Upload file → enter the PIN used for export → merge without duplicates.
  • Lock Now: Return to the PIN screen.
  • Wipe All Data: A modal requiring the word 'WIPE' for confirmation; completely destroys all 'oxid:*' keys.

Toasts

  • Appears at the bottom center.
  • Options: 'success' (rust) / 'error' (red).
  • Auto-hide after 2.2 seconds with an easing animation.

Technical Decisions & Justification

| Tech / Feature | Decision & Justification |
| --- | --- |
| PBKDF2 (25k iterations) | Balance between "expensive for brute force" and "acceptable for mobile" |
| AES-256 CBC + PKCS7 | Industry standard, available in crypto-js with zero extra dependencies |
| otpauth (instead of custom TOTP) | Full RFC 6238 compliance; native compatibility with Google/GitHub/AWS QR codes |
| html5-qrcode | Works directly in `<video>` without WASM; mobile-first by default |
| localStorage | Specification rules out server sync; IndexedDB is overkill for this data volume |
| PIN in memory, not storage | If an attacker dumps the storage, they only get encrypted data |

Smart 2FA

14 Oct 03:50

Smart2FA is a free, secure, open-source app that allows you to protect your accounts by adding 2-factor authentication (2FA). The app brings together best-in-class security practices and a seamless user experience. Enable Smart2FA for your favorite online services.

v1.0.1

  • Add Pin code
  • Add Reset all data
  • Fix pbkdf2, otpauth-migration-parser
  • Import keys from Google Authenticator APP
  • View clean data and keys
  • Export in Json file
  • Downloading 2fa authorization tokens from sites via QR or by entering a code
  • Multilingual
  • Webcam support for scanning qr-codes
  • Desktop/Mobile
  • Generation of a single QR to export a RAW key to another device
  • Built-in auto-synchronization of token time
  • Cross-Platform

Russian

Smart2FA Authenticator lets you quickly and easily protect your accounts by adding two-factor authentication (2FA). The app combines best-in-class security practices with a convenient user interface. Smart2FA is a free, secure, open-source app. Enable Smart2FA for your favorite online services.

Main features of Smart 2FA

  • PIN code
  • Reset all app data
  • Free and open source
  • Secure
  • Backups with 256-bit AES encryption. Export encrypted JSON files with keys to a desktop device. This gives you full control over your data and provides reliable backup.
  • Compatible with Google Authenticator
  • Supports the standard TOTP algorithm
  • Add online accounts manually or with a QR code.
  • Import from other popular authenticator apps
  • Cross-platform

For suggestions on improving the app, write to https://community.smartholdem.io or contribute to the app's development at https://github.com/technologiespro/smart2fa

Smart2FA 1.0.1 sha256 sums:

smart2fa-win-x64-1.0.1.exe
720d28e8bfa39a40e7fc512d0cf8893f6833fa3dceb6426dd231d2eca0108927

Smart 2FA

06 Jul 02:26

Smart2FA is a free, secure, open-source app that allows you to protect your accounts by adding 2-factor authentication (2FA). The app brings together best-in-class security practices and a seamless user experience. Enable Smart2FA for your favorite online services.

Main features v0.1.0

  • Import keys from Google Authenticator APP
  • View clean data and keys
  • Export in Json file
  • Downloading 2fa authorization tokens from sites via QR or by entering a code
  • Multilingual
  • Webcam support for scanning qr-codes
  • Desktop/Mobile
  • Generation of a single QR to export a RAW key to another device
  • Built-in auto-synchronization of token time
  • Cross-Platform

This is an early beta version, use at your own risk.


Russian

Smart2FA Authenticator lets you quickly and easily protect your accounts by adding two-factor authentication (2FA). The app combines best-in-class security practices with a convenient user interface. Smart2FA is a free, secure, open-source app. Enable Smart2FA for your favorite online services.

Main features of Smart 2FA

  • Free and open source
  • Secure
  • Backups with 256-bit AES encryption. Export encrypted JSON files with keys to a desktop device. This gives you full control over your data and provides reliable backup.
  • Compatible with Google Authenticator
  • Supports the standard TOTP algorithm
  • Add online accounts manually or with a QR code.
  • Import from other popular authenticator apps
  • Cross-platform

For suggestions on improving the app, write to https://community.smartholdem.io or contribute to the app's development at https://github.com/technologiespro/smart2fa

Smart2FA 0.1.0 sha256 sums:

smart2fa-win-x64-0.1.0.exe.blockmap
029c4c55da30ed00dd429aa9c66a7ee32a1f5bd153bcce971cfb4fc91e18aba0
smart2fa-0.1.0.apk
28684b180cf4ef344ff7029bdc7ca4961706089ed77423873dd7d38038987bf6
smart2fa-win-x64-0.1.0.exe
d3004496de89979dc80b8cc931640c7c6560357f55490188e6701dae481f107f
smart2fa-linux-amd64-0.1.0.snap
ab2af1ee56e2b85359f570f99a05eb64436de19b86ce7b2a81d3f11c121e657b
smart2fa-linux-amd64-0.1.0.deb
fc1ba2dcde428bb520193db52416ad97b5234855be7cde8e4ce98350bf16da29
smart2fa-linux-x86_64-0.1.0.AppImage
5edf0059fe043cfc0a695237d0911989620e616e51404d6fd6d2519e5f568c32