Ghost Auth

open-source authenticator

A free, privacy-first authenticator for all your two-factor accounts. Your secrets are encrypted locally — no servers, no accounts, no tracking. Available on Windows, macOS, Linux, iOS, Android, and as a browser extension for Chrome and Firefox.

Features

TOTP codes — RFC 6238, SHA-1 / SHA-256 / SHA-512
QR code scanning — camera on mobile, screen region in extension
Manual entry — or paste an otpauth:// URI
Encrypted storage — AES-256-GCM, keys in platform keychain
PIN lock with recovery codes — Argon2id-hashed, escalating rate limiting
Biometric unlock — iOS and Android
Encrypted backups — Argon2id key derivation, AES-256-GCM
Device & extension sync — QR pairing, E2E encrypted, mutual authentication
Search, reorder & clipboard auto-clear

Privacy

Ghost Auth is offline-first. It does not use cloud APIs, collect analytics, or share data with third parties. Network activity only occurs when you explicitly start device sync over LAN, or if you opt in to crash reporting.

Platforms

Chrome

Firefox

iOS

Android

Coming soon

Windows

macOS

79 Languages

Ghost Auth is available in 79 languages, including full right-to-left support for Arabic, Hebrew, Farsi, and Urdu.

Open Source

Ghost Auth is licensed under GPL v3. Review the code, audit the cryptography, or contribute on GitHub.