Privacy Policy
Last updated: April 11, 2026
Overview
Authenticator ("the Extension") is a two-factor authentication (2FA) code generator for TOTP and HOTP standards.
Your privacy and security are our top priorities. This policy describes what data the Extension collects, how it is used,
and how it is protected.
Key principle: By default, all data stays on your device.
If you enable the optional Chrome Sync feature (disabled by default), account data
is replicated across your signed-in Chrome browsers through Google's built-in sync
infrastructure — no third-party servers are ever involved.
Data Collection and Storage
The Extension stores the following data locally on your device using Chrome's built-in storage APIs:
- Account data: Service names (issuers), account labels, and TOTP/HOTP secret keys that you add manually or via QR code scanning.
- Settings: Your preferences such as theme, auto-copy, and auto-fill settings.
- Encryption metadata: If you set a master password, a cryptographic salt and encrypted verification token are stored persistently to enable password verification. The master password itself is never written to disk. For the 24-hour unlock window, the password is held in chrome.storage.session (Chrome's in-memory-only storage that is never persisted to disk and is cleared automatically when the browser quits).
All data is stored locally using chrome.storage.local. If you enable the optional Chrome Sync feature (disabled by default), account data (including encrypted secrets) is synced across your Chrome browsers via Google's built-in sync infrastructure, subject to Google's own privacy policies. No third-party servers are involved.
Data the Extension Does NOT Collect
- No browsing history, search queries, or web activity is collected or stored.
- No personal information (name, email, address, etc.) is collected.
- No analytics, telemetry, or usage tracking data is collected.
- No data is transmitted to any third-party server or remote endpoint. If you enable optional Chrome Sync, account data is replicated through Google's built-in sync infrastructure — no other external services are involved.
- No advertising data is collected or used.
Auto-Fill Feature
The Extension provides an "Autofill 2FA Code" context-menu item that appears when you right-click an input field.
This uses Chrome's activeTab and scripting permissions to fill a code only into the field you right-clicked,
and only when you explicitly trigger it. No content script runs in the background on any page.
- The Extension generates codes from the accounts stored in your vault and either fills the single available code or lets you choose which one to fill when multiple accounts exist.
- No page content, DOM data, or browsing activity is read, stored, logged, or transmitted.
You can disable the context-menu autofill feature at any time in the Extension's Settings.
Encryption and Security
- TOTP/HOTP secrets can be encrypted at rest using AES-256-GCM with a key derived from your master password via PBKDF2 (100,000 iterations, SHA-256).
- The master password is never written to disk. A cryptographic salt and an encrypted verification token are persisted to verify the password. For the 24-hour unlock window, the password is held in chrome.storage.session, Chrome's in-memory-only storage that is automatically cleared on browser quit and is never saved to disk.
- The derived decryption key is held in the popup's in-memory JS context and is lost when the popup closes. It is re-derived from the session-stored password on each reopen, until the 24-hour window expires or the browser restarts.
- Exported backups are encrypted with a separate user-provided password using the same AES-256-GCM scheme.
- All cryptographic operations use the Web Crypto API — no third-party cryptographic libraries are used.
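The salt-plus-verification-token scheme described above can be sketched with the Web Crypto API as follows. This is an added example, not the Extension's own code: the token string, the salt and IV sizes, the record layout and the function names are assumptions, and only the algorithm choices (PBKDF2 with 100,000 iterations and SHA-256, AES-256-GCM) come from this policy.

```javascript
// Added example: names and record layout are assumptions, not the Extension's code.
// Browsers and Node 19+ expose the global; older Node falls back to node:crypto.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;
const enc = new TextEncoder();
const TOKEN = 'vault-check-v1';   // constructed known plaintext (assumption)
const ITERATIONS = 100000;        // iteration count stated in the policy

// PBKDF2-HMAC-SHA-256 over the password yields a non-extractable AES-256-GCM key.
async function deriveKey(password, salt) {
  const material = await wc.subtle.importKey(
    'raw', enc.encode(password), 'PBKDF2', false, ['deriveKey']);
  return wc.subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations: ITERATIONS },
    material, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// The record persisted when a master password is set: salt, IV and ciphertext.
// Neither the password nor the derived key is part of it.
async function createVerifier(password) {
  const salt = wc.getRandomValues(new Uint8Array(16));
  const iv = wc.getRandomValues(new Uint8Array(12));
  const key = await deriveKey(password, salt);
  const ct = await wc.subtle.encrypt({ name: 'AES-GCM', iv }, key, enc.encode(TOKEN));
  return { salt, iv, ct: new Uint8Array(ct) };
}

// A wrong password derives a different key, the GCM tag check fails and
// decrypt() rejects; the same happens if the stored ciphertext was modified.
async function verifyPassword(password, record) {
  try {
    const key = await deriveKey(password, record.salt);
    const pt = await wc.subtle.decrypt({ name: 'AES-GCM', iv: record.iv }, key, record.ct);
    return new TextDecoder().decode(pt) === TOKEN;
  } catch {
    return false;
  }
}
```

Because verification relies on the GCM authentication tag, the stored record allows a password to be checked without keeping the password or any directly comparable hash of it.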
Permissions Used
The Extension requests only the permissions necessary for its core functionality:
- storage: To save your accounts and settings locally.
- clipboardWrite: To copy generated codes to your clipboard.
- activeTab: To capture the current tab for QR code scanning and to fill 2FA codes via the context menu (granted only when you interact with the extension).
- contextMenus: To provide a right-click "Autofill 2FA Code" option on input fields.
- scripting: To fill 2FA codes into the input field you right-clicked.
Third-Party Data Sharing
The Extension does not share, sell, transfer, or disclose any user data to third parties.
No data is used for advertising, analytics, or any purpose other than providing the Extension's core 2FA functionality.
Chrome Web Store User Data Policy Compliance
Data Deletion
You can delete all Extension data at any time by going to Settings → Clear All Data, or by uninstalling the Extension. Uninstalling the Extension removes all locally stored data.
Changes to This Policy
If this privacy policy is updated, the changes will be reflected on this page with an updated "Last updated" date. Continued use of the Extension after changes constitutes acceptance of the updated policy.
Contact
If you have questions about this privacy policy or the Extension's data practices, please open an issue on the Extension's support page or contact the developer through the Chrome Web Store listing.