2FAS Authenticator

Search and copy TOTP codes from 2FAS exports with a Keychain-encrypted local vault

Dustin

New

Install Extension

Overview

2FAS Authenticator

Search and copy TOTP codes from 2FAS exports directly in Raycast. No cloud, no network calls. Your secrets stay local in a Keychain-encrypted vault.

Features

Search OTP: browse all services with native Raycast filtering and live TOTP countdown
Recent OTP: quick access to pinned and recently used services
Import Vault: import encrypted .2fas export files
Setup: check vault status, re-import, or delete

Why

2FAS is a great mobile authenticator, but it has no desktop app. This extension bridges that gap by importing your 2FAS export and generating TOTP codes locally on your Mac.

Getting Started

Open 2FAS on your phone
Go to Settings > 2FAS Backup > Export and set a password
Transfer the .2fas file to your Mac (AirDrop, iCloud Drive, etc.)
In Raycast, run Import Vault and select the file
Enter your export password. Done.
Run Search OTP to find and copy codes

Commands

Command	Description
Search OTP	Search all services, copy codes with live countdown
Recent OTP	Access pinned and recently used services
Import Vault	Import a `.2fas` export file
Setup	View vault status and manage configuration

Security Model

Layer	Detail
Vault key	Random 256-bit key stored in macOS login Keychain via `/usr/bin/security`
Vault file	AES-256-GCM encrypted at `~/Library/Application Support/Raycast/extensions/.../vault.enc` with `0600` permissions
Import	Decrypts `.2fas` in memory (PBKDF2 + AES-256-GCM), re-encrypts into local vault
Secrets at rest	No plaintext secrets on disk. Secrets exist only in memory during runtime
Network	Zero network calls. Everything is offline
Clipboard	Concealed copy. OTP codes are excluded from clipboard history
Dependencies	Zero external crypto dependencies. Node.js `crypto` module only

Known Limitations

The vault key is passed as a CLI argument to /usr/bin/security (briefly visible in the process list to same-user processes). This is an inherent limitation of the macOS security CLI.
Secrets remain in the Node.js heap for the lifetime of the extension process. JavaScript has no secure memory zeroing.

Contributing

Contributions are welcome. Please open an issue first to discuss what you'd like to change.

Development Setup

# Fork and clone the repo
git clone https://github.com/<your-username>/raycast-2fas-authenticator.git
cd raycast-2fas-authenticator

# Install dependencies
npm install

# Start development mode (opens in Raycast)
npm run dev

# Build
npm run build

# Lint
npm run lint

# Fix lint issues
npm run fix-lint

Pull Request Guidelines

Fork the repository and create your branch from main
If you've added functionality, update the README if needed
Make sure npm run lint passes
Keep PRs focused. One feature or fix per PR.
Write a clear description of what your change does and why

Reporting Bugs

Open an issue with:

Steps to reproduce
Expected vs actual behavior
macOS version and Raycast version

License

MIT

Compatibility

macOS

Subscribe to our newsletter.

Get product updates and news in your inbox. No spam.

2FAS Authenticator

Search and copy TOTP codes from 2FAS exports with a Keychain-encrypted local vault

Dustin

New

Install Extension

Overview

2FAS Authenticator

Search and copy TOTP codes from 2FAS exports directly in Raycast. No cloud, no network calls. Your secrets stay local in a Keychain-encrypted vault.

Features

Search OTP: browse all services with native Raycast filtering and live TOTP countdown
Recent OTP: quick access to pinned and recently used services
Import Vault: import encrypted .2fas export files
Setup: check vault status, re-import, or delete

Why

2FAS is a great mobile authenticator, but it has no desktop app. This extension bridges that gap by importing your 2FAS export and generating TOTP codes locally on your Mac.

Getting Started

Open 2FAS on your phone
Go to Settings > 2FAS Backup > Export and set a password
Transfer the .2fas file to your Mac (AirDrop, iCloud Drive, etc.)
In Raycast, run Import Vault and select the file
Enter your export password. Done.
Run Search OTP to find and copy codes

Commands

Command	Description
Search OTP	Search all services, copy codes with live countdown
Recent OTP	Access pinned and recently used services
Import Vault	Import a `.2fas` export file
Setup	View vault status and manage configuration

Security Model

Layer	Detail
Vault key	Random 256-bit key stored in macOS login Keychain via `/usr/bin/security`
Vault file	AES-256-GCM encrypted at `~/Library/Application Support/Raycast/extensions/.../vault.enc` with `0600` permissions
Import	Decrypts `.2fas` in memory (PBKDF2 + AES-256-GCM), re-encrypts into local vault
Secrets at rest	No plaintext secrets on disk. Secrets exist only in memory during runtime
Network	Zero network calls. Everything is offline
Clipboard	Concealed copy. OTP codes are excluded from clipboard history
Dependencies	Zero external crypto dependencies. Node.js `crypto` module only

Known Limitations

The vault key is passed as a CLI argument to /usr/bin/security (briefly visible in the process list to same-user processes). This is an inherent limitation of the macOS security CLI.
Secrets remain in the Node.js heap for the lifetime of the extension process. JavaScript has no secure memory zeroing.

Contributing

Contributions are welcome. Please open an issue first to discuss what you'd like to change.

Development Setup

# Fork and clone the repo
git clone https://github.com/<your-username>/raycast-2fas-authenticator.git
cd raycast-2fas-authenticator

# Install dependencies
npm install

# Start development mode (opens in Raycast)
npm run dev

# Build
npm run build

# Lint
npm run lint

# Fix lint issues
npm run fix-lint

Pull Request Guidelines

Fork the repository and create your branch from main
If you've added functionality, update the README if needed
Make sure npm run lint passes
Keep PRs focused. One feature or fix per PR.
Write a clear description of what your change does and why

Reporting Bugs

Open an issue with:

Steps to reproduce
Expected vs actual behavior
macOS version and Raycast version

License

MIT

Compatibility

macOS