Blog 7 min read

What Is Zero-Knowledge Encryption? How Your 2FA Secrets Stay Yours

"Zero-knowledge" is one of the most abused phrases in security marketing. Stripped of buzzwords, it means something precise and checkable: the service that stores your data cannot read it — not won't, can't. This post explains what that requires technically, why it matters enormously for 2FA secrets in particular, and how OTPSync implements it so you can hold us to it.

The claim, precisely

In a zero-knowledge design, all encryption and decryption happen on your device, using a key derived from a secret only you know. The server receives ciphertext and nothing else. Even a subpoena, a malicious insider, or a full database breach yields only encrypted blobs — because the decryption key never existed server-side to steal.

Contrast that with ordinary "encrypted at rest": the provider encrypts your data with their keys. That protects against a stolen hard drive, but the provider (and anyone who compromises them) can still decrypt everything.

Why 2FA secrets deserve the strongest treatment

A TOTP secret isn't like a document — it's a key-generating key. Whoever holds the seed for your email's 2FA can mint valid codes forever. If a backup service can read your seeds, your second factor silently degrades into "something the provider has." A breach there doesn't leak your data — it dissolves the fence around every account you protected.

How OTPSync implements it, step by step

1. Your Master Passcode never travels

You choose a Master Passcode. It is never transmitted, never stored on a server, never written to disk in plaintext. Everything below derives from it locally in your browser.

2. PBKDF2 — 600,000 iterations

The passcode is stretched into an encryption key with PBKDF2-SHA-256 at 600,000 iterations with a random salt. Stretching makes brute-force guessing expensive: each candidate passcode costs an attacker 600,000 hash operations, turning a billion-guess attack from minutes into years.

3. AES-256-GCM — encryption that detects tampering

The vault is encrypted with AES-256-GCM, an authenticated mode: it doesn't just hide the contents, it cryptographically detects any modification. A flipped byte in transit or on the server makes decryption fail loudly rather than yield corrupted secrets.

4. Keys live in memory, and only while unlocked

The derived key is held in session memory (RAM) only while your vault is unlocked, and wiped on lock, auto-lock, or browser close. It is never written to persistent storage. Decrypted account data likewise never touches disk.

5. Only ciphertext leaves the machine

Cloud backup — whether to OTPSync Cloud or your own Google Drive — uploads the already-encrypted vault. The server's honest answer to "what do you know about my accounts?" is: an opaque blob and an integer count.

The acid test for any "zero-knowledge" product: ask what happens if you forget your password. If support can reset it and your data survives, the provider could read your data all along. A true zero-knowledge system must answer: "then it's gone."

The honest trade-off: recovery is on you

That acid test applies to OTPSync too. Forget your Master Passcode and lose your recovery phrase, and the vault is permanently unreadable — by design, for us exactly as for an attacker. Mitigate it like a professional:

  • Save your recovery phrase during setup, offline or in a password manager.
  • Keep each website's own backup codes — they're the service-side escape hatch.
  • Enable encrypted cloud backup so device loss (the common disaster) is a non-event.

Questions worth asking any 2FA provider

  1. Is key derivation done client-side, with what algorithm and work factor?
  2. Is backup encrypted before upload, or after arrival?
  3. Can support recover my data without my secret? (The only acceptable answer: no.)
  4. Is my identity tied to a phone number that can be SIM-swapped?

OTPSync's answers: PBKDF2-SHA-256 × 600,000 client-side; encrypted before upload; no; and no — accounts are email-based, and the passcode stays with you.

Get your 2FA codes in Chrome

OTPSync is a free encrypted 2FA authenticator extension — zero-knowledge vault, Google Drive backup, and right-click autofill.

Install OTPSync for Chrome — Free

Related reading