The 2FA app that lives in your terminal — and your menu bar.
Import your phone's authenticator once. Stay in flow.
📺 Watch the full tour — fullscreen view, secret reveal, in-terminal QR, file-picker import, QR export, and CLI commands (~30 s)
📷 Scan from screen or webcam — tofa scan grabs every QR on every display, tofa cam opens your laptop webcam (~37 s)
```sh
# Shell installer (macOS or Linux — no Rust required)
curl -fsSL https://tofa.stratif.io/install.sh | sh

# Homebrew (macOS or Linux)
brew tap stratif-io/tofa
brew install tofa

# Cargo (any platform with Rust)
cargo install tofa

tofa          # open the TUI
tofa --help   # CLI reference
```

```sh
# macOS menu bar app (Homebrew cask)
brew tap stratif-io/tofa
brew install --cask tofa
```

First launch: TOFA isn't notarized yet, so macOS quarantines it. After install, run once:

```sh
xattr -dr com.apple.quarantine /Applications/tofa.app
```

Or right-click the app in Finder and choose Open, then confirm. See why.
- Phone stays in your pocket. Import your authenticator once and add new TOTPs from your computer. Your phone keeps working — TOFA is additive, not a replacement.
- Offline by design. No account, no cloud sync, no telemetry. Your secrets live in a single AES-256-GCM file unlocked by your passphrase.
- Three faces, one vault. A `tofa` CLI for scripts, a Ratatui TUI with click-to-copy codes, and a macOS menu bar app. All read the same vault.
Get codes in
- Click any TUI row to copy. No memorizing names, no typing. The TUI also shows live countdown bars per code.
- Import otpauth URIs. Paste a single `otpauth://totp/…` URI or a newline-separated list to bulk-import — `tofa add --uri` or the app's "Paste URI".
- Import QR images. Drop a PNG/JPG into the app, or `tofa add --qr screenshot.png` from the CLI.
- Scan your screens. `tofa scan` captures every connected display and imports every QR code it finds — handy for multi-account migration QRs and printout grids (CLI only, experimental).
- Import from 9 authenticators. Aegis, andOTP, 2FAS, Bitwarden, Raivo, Ente, KeePassXC, FreeOTP, and Google Authenticator's migration QR — all parsed directly from their export formats.
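
What an imported `otpauth://totp/…` URI actually carries, as an added example (not TOFA's code; written in Python's standard library rather than Rust so it runs without crates). The function names are hypothetical, and the sample list is constructed around the RFC 6238 test key; it shows that the `secret` parameter alone is enough to generate valid codes, which is why exported URIs and QR images need the same care as the vault.

```python
import base64, hashlib, hmac, struct
from urllib.parse import parse_qs, unquote, urlsplit

ALGOS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

def parse_otpauth(uri):
    """Parse one otpauth://totp/ URI into a dict; raise ValueError if malformed."""
    parts = urlsplit(uri.strip())
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth://totp/ URI")
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    b32 = q.get("secret", "").replace(" ", "").upper()
    try:  # the Key URI format omits base32 padding, so restore it before decoding
        key = base64.b32decode(b32 + "=" * (-len(b32) % 8))
    except ValueError as exc:
        raise ValueError("secret is not valid base32") from exc
    algo = q.get("algorithm", "SHA1").upper()
    digits, period = int(q.get("digits", 6)), int(q.get("period", 30))
    if not key or algo not in ALGOS or digits not in (6, 7, 8) or period <= 0:
        raise ValueError("missing secret or unsupported parameters")
    return {"label": unquote(parts.path.lstrip("/")), "issuer": q.get("issuer"),
            "key": key, "algorithm": algo, "digits": digits, "period": period}

def totp(acct, now):
    """RFC 6238 code for Unix time `now`, using the account's parameters."""
    counter = struct.pack(">Q", int(now) // acct["period"])
    mac = hmac.new(acct["key"], counter, ALGOS[acct["algorithm"]]).digest()
    off = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(val % 10 ** acct["digits"]).zfill(acct["digits"])

def import_list(text):
    """Bulk import, one URI per line; returns (accounts, rejected line numbers)."""
    ok, bad = [], []
    for n, line in enumerate(text.splitlines(), 1):
        try:
            if line.strip():
                ok.append(parse_otpauth(line))
        except ValueError:
            bad.append(n)
    return ok, bad

# Constructed sample: line 1 uses the RFC 6238 test key, lines 2 and 3 must be rejected.
SAMPLE = """otpauth://totp/Example:alice@example.com?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=8
otpauth://hotp/Example:bob?secret=GEZDGNBV&counter=1
otpauth://totp/Broken?secret=not*base32
"""
```
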
Use TOFA day-to-day
- Export to QR. Re-encode any account or your whole vault as scannable QR codes — a single migration QR, one PNG per account (`tofa qr --all --multi`), or the app's Save All zip with a printable `print.html` one-pager.
- Encrypted vault. AES-256-GCM with an Argon2id-derived key. Auto-locks after 10 min idle, or on demand.
- Scriptable. `tofa code github --copy` puts the code on your clipboard on every platform. `TOFA_PASSPHRASE` env var unlocks the vault for CI/automation.
- Auto-updating macOS app. Checks for a new release on launch and every 24 h, then installs signed updates in place. No reinstall, no second trip through Gatekeeper.
- Open source, MIT. No account, no telemetry, no cloud. Audit the crypto in `tofa-core`.
TOFA's job is to be the last 2FA migration you do for a while. Pull every account from your existing authenticator into your TOFA vault once, then add new ones from your computer.
| Source | How | Status |
|---|---|---|
| Aegis (Android, FOSS) | JSON export | ✓ direct |
| andOTP (Android, FOSS) | JSON export | ✓ direct |
| 2FAS (iOS / Android) | JSON backup | ✓ direct |
| Google Authenticator | Multi-account migration QR | ✓ direct |
| Bitwarden | JSON export | ✓ direct |
| Raivo OTP (iOS) | JSON / ZIP export | ✓ direct |
| Ente Auth | Plain-text export | ✓ direct |
| KeePassXC | CSV export | ✓ direct |
| FreeOTP / FreeOTP+ | TXT URI export | ✓ direct |
| Any app with QR display | Screenshot or camera | ✓ via tofa add --qr or the app |
| 1Password | TOTP fields export | ⏳ Coming soon |
| Apple Passwords | CSV export (macOS 15+) | ⏳ Coming soon |
| Authy | No user-facing export | ✗ Not possible |
| Microsoft Authenticator | Cloud-only backup, no plain export | ✗ Not possible |
Per-vendor migration guides — with screenshots and step-by-step import — are coming to the docs site. Want a vendor prioritized? Open an issue.
| | TOFA | Authy | Google Auth | Microsoft Auth | 1Password | Aegis |
|---|---|---|---|---|---|---|
| Open source | ✓ | ✗ | ✗ | ✗ | ✗ | ✓ |
| Works without an account | ✓ | ✗ | ✓ | ✗ | ✗ | ✓ |
| Encrypted local vault | ✓ | ✗ | ✗ | ✗ | ✓ | ✓ |
| Native CLI | ✓ | ✗ | ✗ | ✗ | ✓ | ✗ |
| Native TUI | ✓ | ✗ | ✗ | ✗ | ✗ | ✗ |
| Desktop app (no phone needed) | ✓ | ✓ | ✗ | ✓ | ✓ | ✗ |
| No telemetry | ✓ | ✗ | ✗ | ✗ | ✗ | ✓ |
| Import otpauth URI / QR | ✓ | ✗ | ✓ | ✗ | ✗ | ✓ |
| Export your secrets | ✓ | ✗ | ✓ | ✗ | ✗ | ✓ |
Comparison reflects published behavior as of 2026. Corrections welcome — open a PR.
TOFA stores everything in a single file (default `~/.local/share/tofa/vault.json`, configurable), encrypted with AES-256-GCM under a key derived from your passphrase via Argon2id. The passphrase never touches disk; it lives in memory with a 10-minute TTL and is zeroed on lock.
No cloud means no recovery. If you lose the file, no one can restore it. If you forget the passphrase, no one can decrypt it. There is no "forgot password" link, and that's the point.
Back up the vault yourself. A few patterns that work:
- Drop the file in iCloud Drive, Dropbox, or any folder your OS syncs
- Run `tofa export` and stash the JSON in a password manager
- Use `tofa qr <name>` to print a paper backup of any single account
- Click Save All in the macOS app for a zip with one QR PNG per account plus a printable `print.html` one-pager
See the security model for the full threat model and crypto choices.
Bug reports, vendor migration requests, and PRs are all welcome. Start with CONTRIBUTING.md or open a discussion.
If TOFA saved you a phone-grab today, a ⭐ on GitHub helps others find it.
Rust · Tauri v2 · Ratatui · Clap · totp-rs · Argon2 · AES-GCM · rqrr · arboard
MIT © Carlo Abi Chahine




