Help
Common questions and how things work
Adding accounts
Tap the + button, then choose how to add your account:
- Scan QR code — point your camera at the QR code shown by the service you're enabling 2FA on. Ghost Auth reads the otpauth:// URI automatically.
- Scan from image — select a screenshot or saved image containing a QR code. The image holds your secret key in the clear, so delete it once the account has been added.
- Manual entry — enter the issuer name, account label, and secret key provided by the service. You can also paste a full otpauth:// URI.
Once added, Ghost Auth generates a new 6- or 8-digit code every 30 seconds. Tap a code to copy it to the clipboard. The clipboard is automatically cleared after 30 seconds.
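What happens between scanning and seeing a code: the otpauth:// URI is parsed into an issuer, label, base32 secret and a few optional parameters, and the code is HMAC(secret, floor(time / 30)) truncated to 6 or 8 digits (RFC 6238 on top of RFC 4226). The following is an added example in Go, written for this page and not Ghost Auth's own code; the URI in main() is constructed from the RFC 6238 reference seed and is not a real account. Field names and error messages are this example's own.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"hash"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// Account holds the parameters an otpauth://totp/ URI carries.
type Account struct {
	Issuer, Label, Secret, Algorithm string
	Digits, Period                  int
}

var hashes = map[string]func() hash.Hash{"SHA1": sha1.New, "SHA256": sha256.New, "SHA512": sha512.New}

// ParseOTPAuth parses otpauth://totp/Issuer:label?secret=...&issuer=...&digits=...&period=...&algorithm=...
// Only the secret is mandatory; everything else defaults to SHA1, 6 digits, 30 seconds.
func ParseOTPAuth(raw string) (Account, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return Account{}, err
	}
	if u.Scheme != "otpauth" || u.Host != "totp" {
		return Account{}, fmt.Errorf("not a TOTP URI: %q", raw)
	}
	q := u.Query()
	// Secrets are often shown with spaces, and base32 padding is optional.
	secret := strings.ToUpper(strings.TrimRight(strings.ReplaceAll(q.Get("secret"), " ", ""), "="))
	if secret == "" {
		return Account{}, fmt.Errorf("missing secret")
	}
	acc := Account{Label: strings.TrimPrefix(u.Path, "/"), Issuer: q.Get("issuer"), Secret: secret,
		Algorithm: strings.ToUpper(q.Get("algorithm")), Digits: 6, Period: 30}
	// The label may be "Issuer:account"; an explicit issuer= parameter takes precedence.
	if i := strings.Index(acc.Label, ":"); i >= 0 {
		if acc.Issuer == "" {
			acc.Issuer = acc.Label[:i]
		}
		acc.Label = strings.TrimSpace(acc.Label[i+1:])
	}
	if acc.Algorithm == "" {
		acc.Algorithm = "SHA1"
	}
	if d := q.Get("digits"); d != "" {
		if acc.Digits, err = strconv.Atoi(d); err != nil || (acc.Digits != 6 && acc.Digits != 8) {
			return Account{}, fmt.Errorf("unsupported digits %q", d)
		}
	}
	if p := q.Get("period"); p != "" {
		if acc.Period, err = strconv.Atoi(p); err != nil || acc.Period <= 0 {
			return Account{}, fmt.Errorf("bad period %q", p)
		}
	}
	return acc, nil
}

// CodeAt computes the RFC 6238 code for acc at Unix time t. The code changes whenever
// t/Period crosses an integer, which is why a wrong device clock produces wrong codes.
func CodeAt(acc Account, t int64) (string, error) {
	key, err := base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(acc.Secret)
	if err != nil {
		return "", fmt.Errorf("secret is not base32: %w", err)
	}
	h, ok := hashes[acc.Algorithm]
	if !ok {
		return "", fmt.Errorf("unsupported algorithm %q", acc.Algorithm)
	}
	// Counter = whole periods since the Unix epoch, as an 8-byte big-endian integer.
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(t/int64(acc.Period)))
	mac := hmac.New(h, key)
	mac.Write(counter[:])
	sum := mac.Sum(nil)
	// Dynamic truncation (RFC 4226 section 5.3): the low nibble of the last byte selects
	// a 4-byte window; the top bit is cleared to avoid sign ambiguity.
	off := sum[len(sum)-1] & 0x0f
	v := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < acc.Digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0"+strconv.Itoa(acc.Digits)+"d", v%mod), nil
}

func main() {
	// Constructed URI using the RFC 6238 reference seed (ASCII "12345678901234567890"), not a real account.
	acc, err := ParseOTPAuth("otpauth://totp/Example:alice@example.com?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=8")
	if err != nil {
		panic(err)
	}
	code, _ := CodeAt(acc, time.Now().Unix())
	fmt.Printf("%s (%s): %s\n", acc.Issuer, acc.Label, code)
}
```

With the reference seed, CodeAt at t=59 returns 94287082 (8 digits) or 287082 (6 digits), matching the RFC 6238 and RFC 4226 test vectors. Calling CodeAt with t and t+30 gives two different codes, which is the whole of the "codes aren't working" problem when a device clock drifts.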
PIN lock
You can set a 4–8 digit PIN in Settings to lock the app. When a PIN is set, you must enter it each time you open Ghost Auth or return from the background.
After 5 incorrect attempts, a 30-second lockout begins. Continued failures extend the lockout to 5 minutes, then 15 minutes.
On iOS and Android, you can also enable biometric unlock (Face ID, Touch ID, or fingerprint) as a faster alternative to entering your PIN.
Recovery codes
When you set a PIN, Ghost Auth generates 8 one-time recovery codes. These are the only way to regain access if you forget your PIN. Store them somewhere safe — a password manager, printed on paper, or in a secure note.
Each recovery code can only be used once. Using a recovery code removes your PIN, allowing you to set a new one.
Syncing between devices
Ghost Auth syncs directly between devices over your local network. No servers or accounts are involved. Both devices must be on the same Wi-Fi network.
- On the device with your accounts — open Settings and tap "Sync to another device." A QR code appears with a one-time sync code.
- On the receiving device — open Settings and tap "Sync from another device." Scan the QR code, or enter the sync code manually.
- Review and confirm — the receiving device shows a preview of accounts to be added or updated. Confirm to complete the sync.
The sync code expires after 60 seconds. Account data is encrypted end-to-end with AES-256-GCM using a session key derived from the sync code, and the connection uses mutual HMAC-SHA256 authentication: both devices prove to each other that they hold the same sync code before any data is exchanged. Because the sync code is the only secret the session is built on, keep the QR code off shared screens and screenshots while the sync is in progress, and check the preview on the receiving device before confirming.
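The shape of that exchange, as an added example in Go that is not Ghost Auth's code: the page does not say how the session key is derived from the sync code, how the two HMAC proofs are framed, or what the sync code looks like, so the HKDF-style derivation with a fixed salt, the "sender"/"receiver" role labels, the 16-byte nonces and the 6-digit codes below are all this example's assumptions. What it does show is the property the page describes: a receiver holding the wrong code is rejected before any account data leaves the sender, and a modified ciphertext fails GCM authentication.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// SessionKeys are derived from the sync code. The page does not say how Ghost Auth
// derives them; this example uses HKDF-style HMAC-SHA256 extract-and-expand with a
// fixed salt and two labels (an assumption) to get separate auth and encryption keys.
type SessionKeys struct{ Auth, Enc []byte }

func DeriveKeys(syncCode string) SessionKeys {
	extract := hmac.New(sha256.New, []byte("ghostauth-sync-v1")) // hypothetical salt
	extract.Write([]byte(syncCode))
	prk := extract.Sum(nil)
	expand := func(label string) []byte {
		m := hmac.New(sha256.New, prk)
		m.Write([]byte(label + "\x01"))
		return m.Sum(nil) // 32 bytes, the AES-256 key size
	}
	return SessionKeys{Auth: expand("auth"), Enc: expand("enc")}
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

// Proof is HMAC-SHA256(Auth, role || ownNonce || peerNonce). Fresh nonces stop replay;
// binding the role stops a proof being reflected back at whoever produced it.
func Proof(k SessionKeys, role string, own, peer []byte) []byte {
	m := hmac.New(sha256.New, k.Auth)
	m.Write([]byte(role))
	m.Write(own)
	m.Write(peer)
	return m.Sum(nil)
}

// Verify checks the peer's proof in constant time. A wrong sync code fails here,
// before any account data is exchanged.
func Verify(k SessionKeys, peerRole string, peerNonce, own, proof []byte) error {
	if !hmac.Equal(proof, Proof(k, peerRole, peerNonce, own)) {
		return errors.New("peer authentication failed: sync code mismatch or tampering")
	}
	return nil
}

// Seal encrypts with AES-256-GCM under a fresh 12-byte nonce: nonce || ciphertext || tag.
func Seal(k SessionKeys, plaintext []byte) []byte {
	blk, _ := aes.NewCipher(k.Enc)
	g, _ := cipher.NewGCM(blk)
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, nil)
}

// Open reverses Seal; any modified byte makes the GCM tag check fail.
func Open(k SessionKeys, msg []byte) ([]byte, error) {
	blk, _ := aes.NewCipher(k.Enc)
	g, _ := cipher.NewGCM(blk)
	if len(msg) < g.NonceSize() {
		return nil, errors.New("message too short")
	}
	return g.Open(nil, msg[:g.NonceSize()], msg[g.NonceSize():], nil)
}

// Sync plays both ends in-process, each with its own copy of the sync code, and
// returns the account data the receiver recovered.
func Sync(senderCode, receiverCode string, accounts []byte) ([]byte, error) {
	ks, kr := DeriveKeys(senderCode), DeriveKeys(receiverCode)
	ns, nr := randomBytes(16), randomBytes(16)
	// 1. sender -> receiver: ns
	// 2. receiver -> sender: nr, Proof(kr, "receiver", nr, ns)
	if err := Verify(ks, "receiver", nr, ns, Proof(kr, "receiver", nr, ns)); err != nil {
		return nil, err
	}
	// 3. sender -> receiver: Proof(ks, "sender", ns, nr)
	if err := Verify(kr, "sender", ns, nr, Proof(ks, "sender", ns, nr)); err != nil {
		return nil, err
	}
	// 4. sender -> receiver: AES-256-GCM(Enc, accounts); the receiver then shows its preview.
	return Open(kr, Seal(ks, accounts))
}

func main() {
	accounts := []byte(`[{"issuer":"Example","label":"alice@example.com"}]`) // constructed sample
	got, err := Sync("482913", "482913", accounts)
	fmt.Println(bytes.Equal(got, accounts), err)
	_, err = Sync("482913", "000000", accounts)
	fmt.Println(err)
}
```

Everything in this exchange, confidentiality included, rests on the entropy of the sync code and its 60-second lifetime; nothing on the page says how long the real code is, so the 6-digit values above are only placeholders.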
Syncing with the browser extension
The Chrome and Firefox extensions can sync accounts from your phone or desktop app.
- In the extension — open Settings and tap "Sync from app." The extension displays a QR code.
- On your phone or desktop — open Settings, tap "Sync to extension," and scan the extension's QR code.
- Confirm — accounts are transferred with the same end-to-end encryption as device sync.
Encrypted backups
You can export all your accounts to an encrypted backup file and import it later on the same or a different device.
Export: Settings → Export backup. Choose a password (minimum 8 characters, must include a number and a special character). The backup is encrypted with AES-256-GCM using a key derived from your password via Argon2id. Everything in the file is protected by this password alone, so prefer a long passphrase over the minimum.
Import: Settings → Import backup. Select the .ghostauth file and enter the password you used when exporting.
Backups are stored locally wherever you save them. Ghost Auth does not upload backups anywhere.
Importing from other apps
Ghost Auth can import accounts from:
- Google Authenticator — use Google Authenticator's "Transfer accounts" feature to generate a QR code, then scan it with Ghost Auth's import screen.
- Aegis — export an unencrypted JSON backup from Aegis, then import it via Settings → Import.
- 2FAS — export from 2FAS and import the JSON file.
- andOTP — export a plain JSON backup and import it.
These export files contain your secrets in plaintext. Delete them as soon as the import has finished.
You can also import any standard otpauth:// URI via the manual entry screen.
My codes aren't working
TOTP codes are time-based: each code is computed from the current time divided into 30-second steps, so if your device's clock is wrong, the codes will not match what the service expects. Services typically accept only a step or so either side of the current one, so a clock that is off by a minute is enough to break logins. Make sure your device is set to automatic date and time.
I forgot my PIN
Use one of your 8 recovery codes. On the lock screen, tap "Forgot PIN?" and enter a recovery code. This removes the PIN so you can set a new one.
If you've lost your recovery codes, your accounts are still safe in an encrypted backup, provided you exported one while you could still unlock the app. A backup is protected only by its own password, not by the PIN. Without a recovery code or backup, there is no way to bypass the PIN. This is by design.
Contact
For support or questions, email ghostauth@kestrel.no.
For bug reports and feature requests, open an issue on GitHub.
For security vulnerabilities, see our responsible disclosure policy.