TOTP Support in ZZPass

Two-factor authentication (2FA) adds an extra layer of security to your accounts by requiring a second form of verification in addition to your password. ZZPass includes built-in TOTP (Time-based One-Time Password) support, allowing you to generate and store 2FA codes directly in your password vault. This guide explains how TOTP works and how to use it with ZZPass.

🔐 What is TOTP?

Definition
TOTP (Time-based One-Time Password) is a two-factor authentication method that generates a unique 6-digit code that changes every 30 seconds. These codes are generated using a secret key shared between you and the service you're logging into.

How It Works:
When you enable 2FA on a website or app, it provides you with a secret key (usually as a QR code). ZZPass stores this secret key and uses it to generate the same time-based codes that the service expects.

Example:
1. You enter your username and password to log in
2. The site asks for your 2FA code
3. You open ZZPass, which shows a 6-digit code (e.g., "847291")
4. You enter this code to complete the login
5. In 30 seconds, a new code is generated

🛡️ Why Use Two-Factor Authentication?

Protection Against Password Theft
Even if someone steals your password through phishing, data breaches, or keylogging, they still can't access your account without the current TOTP code from your device.

Critical for Important Accounts
Always enable 2FA for:
• Email accounts (the keys to your digital kingdom)
• Banking and financial accounts
• Work and business accounts
• Cloud storage (iCloud, Google Drive, Dropbox)
• Social media accounts
• Cryptocurrency exchanges

Industry Standard
TOTP is widely supported by major services including Google, Microsoft, GitHub, Amazon, Twitter/X, Facebook, Dropbox, and thousands of other sites.

⚡ ZZPass Advantage

No Separate Authenticator App Needed
Instead of switching between your password manager and a separate authenticator app (like Google Authenticator or Authy), ZZPass stores both your passwords and TOTP codes in one place.

Seamless Integration
When using AutoFill:
1. ZZPass fills your username and password
2. TOTP code is automatically copied to your clipboard
3. Simply paste it into the 2FA field
4. (Or it may appear as a suggestion on iOS 17+)

Syncs Across Devices
Your TOTP secrets sync securely via iCloud, so you can generate codes on your iPhone, iPad, or Mac.

Setting Up TOTP in ZZPass

📱 On iPhone or iPad

Method 1: Scan QR Code (Recommended)

1. Open the password entry in ZZPass for the account
2. Tap Edit
3. Scroll to the Verification Code section
4. Tap Set Up Verification Code
5. Tap QR Code
6. Point your camera at the QR code on the website
7. ZZPass automatically captures and saves it
8. Tap Save

Method 2: Enter Setup Key Manually

1. Follow steps 1-4 above
2. Tap Key
3. Type or paste the secret key from the website
4. Tap Add
5. Tap Save

The setup key is usually a long string like:
JBSWY3DPEHPK3PXP

💻 On Mac

If you are using Safari as your browser:

1. Right-click on the TOTP QR code image and select Set Up Verification Code
2. Select the credential to add the verification code to
3. Click Save

Method 2: Use Continuity Camera (Easiest)

If you have an iPhone nearby:
1. Open the password entry in ZZPass for Mac
2. Click Edit
3. In the Verification Code section, click Set Up Verification Code
4. Choose your iPhone from the Continuity Camera menu
5. Point your iPhone at the QR code
6. The code is automatically captured and saved
7. Click Save

Method 3: Enter Setup Key Manually

1. Open the password entry and click Edit
2. Click Set Up Verification Code
3. Choose Key
4. Type or paste the secret key from the website
5. Click Add
6. Click Save

🌐 Typical Website Setup Flow

General Steps (Most Websites):

1. Log in to the website
2. Go to Account Settings or Security Settings
3. Find Two-Factor Authentication or 2FA
4. Choose Authenticator App (not SMS)
5. The website shows a QR code
6. Scan the QR code with ZZPass (see methods above)
7. Enter the first 6-digit code from ZZPass to verify
8. Save backup codes (if provided) in the note field in ZZPass

Important: Always save backup codes! If you lose access to your TOTP codes, backup codes are the only way to regain access to your account.

Using TOTP Codes

📱 On iPhone or iPad

Method 1: With AutoFill (Easiest)

1. Navigate to the login page in Safari or an app
2. Use ZZPass AutoFill to fill username and password
3. ZZPass automatically copies the TOTP code to your clipboard
4. On iOS 17+, the code may appear as an AutoFill suggestion above the keyboard
5. Tap to paste or select the suggestion

Method 2: Copy Manually

1. Open ZZPass app
2. Find and tap the password entry
3. The current TOTP code is displayed prominently
4. Tap the code to copy it to clipboard
5. Switch back to the website/app and paste the code

Time Remaining: A circular timer shows how much time remains before the code changes (30 seconds).

💻 On Mac

Method 1: With AutoFill

1. Navigate to the login page in Safari
2. Use ZZPass AutoFill for username and password
3. The TOTP code is automatically copied to clipboard
4. Press ⌘V to paste it into the 2FA field

Method 2: From ZZPass App

1. Open ZZPass for Mac
2. Select the password entry
3. The TOTP code is displayed in the detail view
4. Click the code to copy it
5. Paste into the website's 2FA field

Quick Copy Shortcut: With the password selected, press ⇧⌘C to copy the TOTP code without clicking.

⏱️ Understanding Code Timing

30-Second Window
Each TOTP code is valid for 30 seconds. After that, a new code is generated. The timer resets at the top of every 30-second interval.

What If Time Runs Out?
If the code expires while you're entering it:
• Wait a few seconds for the new code to appear
• Copy the new code and try again
• Most services accept codes for a short grace period (30-60 seconds) to account for clock drift

Tip: If you see the timer is at 5 seconds or less, wait for the new code instead of rushing to enter the current one.
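
An added example, not ZZPass's own code: the code generation described under "How It Works" and the 30-second window and grace period described above, written in Python following RFC 6238. HMAC-SHA1, the verify() server check and its window parameter are assumptions; the secret is the RFC 6238 test-vector key, not a real account.

```python
import base64, hashlib, hmac, struct

STEP, DIGITS = 30, 6  # 30-second codes, 6 digits, as described on this page

def decode_setup_key(key: str) -> bytes:
    """Base32-decode a setup key as a user types it (spaces, lowercase, no padding)."""
    k = key.replace(" ", "").upper()
    return base64.b32decode(k + "=" * (-len(k) % 8))

def totp(secret: bytes, unix_time: float) -> str:
    """RFC 6238 code for the 30-second step containing unix_time (HMAC-SHA1 assumed)."""
    counter = int(unix_time) // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def seconds_remaining(unix_time: float) -> int:
    """What the circular timer counts down: seconds until the next step begins."""
    return STEP - int(unix_time) % STEP

def verify(secret: bytes, code: str, server_time: float, window: int = 1) -> bool:
    """Hypothetical server check: accept the current step plus `window` steps either side."""
    for drift in range(-window, window + 1):
        expected = totp(secret, server_time + drift * STEP)
        if hmac.compare_digest(expected.encode(), code.encode()):
            return True
    return False

if __name__ == "__main__":
    # Constructed sample: the RFC 6238 test-vector secret, not a real account.
    secret = decode_setup_key("gezd gnbv gy3t qojq gezd gnbv gy3t qojq")
    device_time, server_time = 1111111109, 1111111111   # 2 s apart, but different steps
    code = totp(secret, device_time)
    print(code, "expires in", seconds_remaining(device_time), "s")
    print("strict server (window=0):", verify(secret, code, server_time, window=0))
    print("one-step grace (window=1):", verify(secret, code, server_time, window=1))
    # A device clock a full minute slow is two steps behind, outside window=1.
    print("clock 60 s slow:", verify(secret, totp(secret, server_time - 60), server_time))
```

The two sample timestamps are only two seconds apart yet fall in different 30-second steps, which is why a code entered in the last second of its window depends on the service's grace period.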

Managing TOTP Codes

✏️ Editing or Removing TOTP

To Remove TOTP from an Entry:

1. Open the password entry
2. Tap/click Edit
3. In the Two-Factor Authentication section, tap/click Remove Verification Code
4. Confirm removal
5. Tap/click Save

Important: Removing TOTP from ZZPass does NOT disable 2FA on the website. You must disable 2FA in the website's settings separately.

To Change TOTP Setup:
Remove the existing TOTP and set it up again with a new QR code from the website.

🔄 Syncing TOTP Across Devices

Automatic iCloud Sync
TOTP secrets sync automatically via iCloud (if enabled), just like your passwords. Once you set up TOTP on one device, the codes will be available on all your Apple devices.

Security Note:
TOTP secrets are encrypted end-to-end before syncing, using the same AES-256 encryption as your passwords. Even Apple cannot read your TOTP secrets.

Verify Sync:
1. Set up TOTP on one device
2. Wait a few seconds for sync
3. Open ZZPass on another device
4. Verify the password entry now shows TOTP codes

💾 Backup Codes

What Are Backup Codes?
When you enable 2FA on most websites, they provide a set of one-time-use backup codes (usually 8-10 codes). These can be used if you lose access to your TOTP generator.

Store Them in ZZPass:
1. When setting up 2FA on a website, copy the backup codes
2. In ZZPass, edit the password entry
3. Add a new Notes field or use the existing notes section
4. Paste the backup codes
5. Label them clearly (e.g., "2FA Backup Codes")

Example Format:
2FA Backup Codes:
1. 12345-67890
2. 09876-54321
...

Troubleshooting TOTP Issues

❌ "Invalid Code" Errors

Check Device Time:
TOTP codes depend on accurate time. If your device clock is wrong by even a minute, codes won't work.

Fix on iOS:
1. Go to Settings → General → Date & Time
2. Enable Set Automatically
3. Restart your device

Fix on macOS:
1. Go to System Settings → General → Date & Time
2. Enable Set time and date automatically
3. Click the lock icon to save changes

Wait for New Code:
If you entered an expired code, wait for the next code to generate (up to 30 seconds) and try again.

🔄 TOTP Not Syncing Between Devices

Check iCloud Sync:

iOS/iPadOS:
1. Settings → [Your Name] → iCloud
2. Verify iCloud Drive is enabled
3. Scroll down to ZZPass and ensure it's enabled

macOS:
1. System Settings → [Your Name] → iCloud
2. Verify iCloud Drive is checked
3. Click Options next to iCloud Drive
4. Ensure ZZPass is checked in the list

Force Sync:
1. Close ZZPass on all devices
2. Open ZZPass on the device where TOTP was added
3. Wait 30 seconds
4. Open ZZPass on other devices

🆘 Lost Access to TOTP

If You Can't Generate Codes:

1. Use Backup Codes
Check your password entry in ZZPass for saved backup codes. Each backup code can be used once.

2. Contact the Service
Most websites have an account recovery process for 2FA. Look for:
• "Can't access your 2FA device?" link on the login page
• Account recovery through email or phone verification
• Support contact form

3. Prevention for Future:
• Always save backup codes when setting up 2FA
• Keep a printed copy of critical TOTP secrets in a safe
• Enable iCloud sync so codes are available on multiple devices

TOTP Best Practices

✅ Do This

Enable 2FA for All Critical Accounts
Email, banking, work accounts, and cloud storage should always have 2FA enabled. These accounts can be used to reset passwords for other services.

Choose TOTP Over SMS
SMS-based 2FA (codes sent via text) is less secure than TOTP because:
• SMS can be intercepted
• SIM swapping attacks can redirect your texts
• Phone numbers can be ported without your knowledge

Always choose "Authenticator App" when given the option.

Save Backup Codes Immediately
When a website provides backup codes during 2FA setup, save them in ZZPass right away. Don't skip this step.

Keep Your Device Time Accurate
Enable automatic time setting on all devices where you use ZZPass.

⚠️ Security Considerations

Same Device = Single Point of Failure
Storing both passwords and TOTP codes on the same device means an attacker with access to your unlocked device could access both factors.

Mitigation Strategies:
• Use biometric unlock (Face ID/Touch ID) so your device auto-locks quickly
• Enable "Require authentication" in ZZPass settings
• For ultra-sensitive accounts, use a hardware security key instead of TOTP
• Keep your device encrypted and up-to-date

Trade-off: The convenience of having everything in ZZPass vs. the slight security reduction of not using a separate device. For most users, the improved security from actually using 2FA (because it's convenient) outweighs this concern.

🔑 Hardware Keys (Alternative to TOTP)

Even More Secure
For maximum security, consider hardware security keys (like YubiKey) for your most critical accounts.

Advantages:
• Physical device required to log in
• Immune to phishing (keys only work on legitimate domains)
• Cannot be stolen remotely
• No codes to type or copy

When to Use Hardware Keys:
• Work accounts with access to sensitive data
• Accounts with financial consequences (banking, crypto)
• High-profile or targeted individuals

Combined Approach: Use hardware keys for critical accounts and TOTP in ZZPass for everything else.

Setting Up 2FA on Popular Services

Google Account

1. Go to myaccount.google.com
2. Click Security
3. Under "Signing in to Google," click 2-Step Verification
4. Click Get Started
5. Choose Authenticator app
6. Scan the QR code with ZZPass
7. Enter the code from ZZPass to verify
8. Save backup codes in ZZPass

Apple ID

Note: Apple uses its own 2FA system tied to trusted devices. However, you can add TOTP as an additional option:

1. Go to appleid.apple.com
2. Sign in and go to Security
3. Click Two-Factor Authentication
4. Follow prompts to enable if not already on

Apple's built-in 2FA is already very secure and doesn't require TOTP.

Microsoft Account

1. Go to account.microsoft.com/security
2. Click Advanced security options
3. Under "Two-step verification," click Turn on
4. Choose Use an app
5. Click Set up a different Authenticator app
6. Scan QR code with ZZPass
7. Enter code to verify

GitHub

1. Go to github.com/settings/security
2. Click Enable two-factor authentication
3. Choose Set up using an app
4. Scan QR code with ZZPass
5. Enter code to verify
6. Download recovery codes and save in ZZPass

Dropbox

1. Go to dropbox.com/account/security
2. Under "Two-step verification," click Enable
3. Choose Use a mobile app
4. Click Can't scan the barcode? or scan the QR code
5. Set up in ZZPass
6. Enter code to verify

Amazon

1. Go to amazon.com/a/settings/approval
2. Click Get Started under Two-Step Verification
3. Choose Authenticator App
4. Click Can't scan the barcode? or scan QR code
5. Set up in ZZPass
6. Enter codes to verify

Common Questions

What happens if I lose my device?

If You Have iCloud Sync Enabled:
Your TOTP secrets will sync to your other Apple devices. You can generate codes from any device signed into your iCloud account with ZZPass installed.

If You Don't Have Another Device:
Use the backup codes you saved when setting up 2FA. Each backup code works once to log in, after which you can disable 2FA or set it up again.

If You Don't Have Backup Codes:
Contact the service's support team for account recovery. This usually involves verifying your identity through email, phone, or other means.

Can I use ZZPass TOTP on multiple devices?

Yes! If iCloud sync is enabled, your TOTP secrets will be available on all devices signed into your iCloud account with ZZPass installed.

All devices will generate the same codes at the same time, so you can use any device to get a 2FA code for logging in.

Is storing TOTP and passwords together secure?

It's a trade-off between convenience and maximum security. Storing both factors on the same device means:

Pros:
• Much more convenient, so you're more likely to use 2FA
• Still protected by your ZZPass primary password and biometrics
• TOTP codes change every 30 seconds, limiting exposure
• Better than not using 2FA at all

Cons:
• Someone with your unlocked device has both factors

For most users, the security improvement from using 2FA (because it's convenient) far outweighs the slight reduction from keeping both factors together.

Related Articles

→ Protection from Phishing - How 2FA protects against credential theft

→ Password Generator Guide - Creating strong passwords to pair with 2FA

→ AutoFill Explained - Using AutoFill with TOTP codes

→ ZZPass for iOS - Complete guide for iPhone and iPad

→ ZZPass for macOS - Complete guide for Mac

→ End-to-End Encryption - How your TOTP secrets are protected

Last updated: February 2026 | iOS 17+ | macOS 14+