Show HN: AuthWeb – open-source TOTP and Password Generator (auth.web.id)

6 points by riipandi ↗ HN
AuthWeb is a minimalist web-based tool for generating secure TOTP tokens and passwords. Built with privacy and security in mind, all computations are performed client-side with no data storage.

Key features:

- Generate TOTP tokens with QR code support - Configurable password generator (single/batch mode) - Zero data collection or storage - Clean, responsive UI built with Tailwind CSS - Self-hostable and open source under MIT license

The project aims to provide a reliable alternative to proprietary authenticator apps while maintaining simplicity and user privacy. QR codes are generated on Cloudflare's edge network for enhanced security.

Try it out: https://auth.web.id Source code: https://github.com/riipandi/authweb

Looking forward to feedback from the HN community! Let me know what you think about the implementation and security aspects.

#security #opensource #authentication #privacy

3 comments

[ 0.38 ms ] story [ 18.7 ms ] thread
I think you missed the whole concept of “secret”. Asking people to give you their secret key is not safe. “I promise it’s all client side” is not enough.
Your /qrcode requests sends everything to backend

        GET
 https://auth.web.id/qrcode?chl=otpauth://totp/Example%20Inc.sdf:johsn%40example.com?issuer=Example%20Inc.sdf&secret=SA&algorithm=SHA1&digits=6&period=30
> all computations are performed client-side with no data storage

so this isn't true.

I am sure you can generate the qr code on the client as well

Why? Just why?

There are literally dozens of existing, free tools for both TOTP token management and secure password generation, that run 100% on-device, as a native app. At least one major OS family has it built in, out of the box.

With a native tool, there's no requirement to "trust me bro" about where the logic is executed, there's no need to worry about whether it uses browser storage which ends up being compromised somehow.