I found that my personal favourite OTP app Authy seemed to be getting worse with each iOS release. Its usability has never been great, and iOS 18 meant that it lost its Home Screen Widget that let me view my OTP codes without opening the app. I decided to switch to another app, then became frustrated that I couldn't easily export my secrets from Authy. Of course I'm sure there are good security related reasons for this, but I didn't want to migrate all my OTPs just to end up in the same situation in the near future. I also didn't want to have to trust another external service with my OTP secrets being stored on their servers (irrational I'm sure). The obvious answer for this would be to use Apples new 2FA support in Keychain, however the usability for this outside of Safari autofill isn't great either.

So that's the long-winded reason for why I built my own OTP app. I hope that anyone else feeling the same way will find this app useful. Of course, learning how TOTP codes works was a nice bonus for my curiosity.

OVault stores your OTP metadata inside your devices Keychain, so that you don't have to trust any new service with your data. Unless you have iCloud Keychain enabled, this also means your secrets never leave your device.

If you do have iCloud Keychain enabled, your OTP metadata will be synced between all your devices, which ensures your data is never lost.

The app provides widgets that you can put in your iOS Home Screen or macOS Notification Center so that you can view your OTPs without opening the app. This was my favourite feature of Authy (until iOS 18).

To the best of my knowledge, OVault supports all TOTP codes that are compliant with RFC6238 [1], which means that it supports codes of lengths 6-8, three hash algorithms (SHA1, SHA256, SHA512), and all suggested time periods (15s, 30s (default), 45s, 60s). Exposing these options means that it supports a wide array of TOTP codes, even those that seem non-standard (like those used in HID Approve MFA and other "proprietary" 2FA solutions).

Your OTP secrets are yours, so OVault allows you to view the saved secret on demand. This gives you enough information to import your OTPs to any other authenticator you want, avoiding lock-in to a specific app.

It's worth mentioning that this app isn't designed to be "super high" security. If you already use Keychain for your passwords, you'll find yourself storing OTP secrets and passwords in the same database. Depending on your threat model, this may not be ideal. For me, I'm happy with threat model this leaves me with (I personally prefer to trust fewer parties), but everyone should critically evaluate if this works for them.

If you want to evaluate the app, here's how to add a sample OTP:

1. Tap the "+" button in the toolbar, then tap "+ Manual"

2. Switch to the "From URL" tab

3. Paste in the following URL: otpauth://totp/Example:alice@example.com?secret=JBSWY3DPEHPK3PXP&issuer=Example

I'd love to hear any feedback, this has been a fun side project and it would be fun to see if it's useful at all to anyone else.

[1] https://datatracker.ietf.org/doc/html/rfc4226