A Password Manager With Built-in 2FA (TOTP) — Why It Belongs in One App
Keeping your passwords in one app and your 2FA codes in another is common — and clumsy. Here's the case for storing TOTP alongside logins, and how Pyalm Vault does it without weakening zero-knowledge.
Most people keep passwords in a manager and their two-factor codes in a separate authenticator app. It works, but it's clumsy: you copy the password from one app, then alt-tab to another to read a six-digit code before it rolls over. Pyalm Vault puts both in one place — and it's worth understanding why that's convenient without being reckless.
What TOTP actually is
TOTP (Time-based One-Time Password) is the standard behind those rotating six-digit codes. When you enable 2FA and scan a QR code, the site hands you a shared secret. Your authenticator combines that secret with the current time to derive a code that changes every 30 seconds — no internet required, because both sides just do the maths.
Storing the code next to the login
Pyalm Vault lets you attach a TOTP secret (or a full otpauth:// URI) to any entry, then shows live 6-digit codes with a countdown — in both the web app and the Chrome extension. Sign in and get your second factor from the same unlock, without juggling a phone.
"Isn't that putting all your eggs in one basket?"
It's a fair question, and the honest answer is: it's a trade-off you get to make. Keeping factors in separate apps is marginally stronger if an attacker gets one app but not the other. But in practice, the biggest real-world risk for most people is reused and weak passwords, not a compromised vault — and the convenience of having codes inline means people actually use 2FA everywhere instead of skipping it. For a vault protected by a strong master passphrase (and optionally a passkey), storing TOTP inline is a sensible default for most, with the option to keep high-value accounts separate.
Zero-knowledge still holds
The key point: the TOTP secret is just another encrypted field. It's sealed client-side with AES-256-GCM like everything else, so the server never sees it — the same zero-knowledge model that protects your passwords protects your 2FA seeds.
One unlock, everything you need
Explore Pyalm Vault | Introducing Pyalm Vault | How to create a strong password