Encrypt QR codes
for private 2FA backups

Securely encrypt and decrypt QR codes used for two-factor authentication. Safely store encrypted QR codes as photos or print them out.

EncryptDecrypt
Star on GitHub
Encrypt UI
Secure Backups
Encrypted QR code images can be saved or printed for account recovery if your 2FA device is lost.
Privacy Focused
No data is collected about you and all QR code scanning, encryption, and decryption is done on your device.
MIT Open Source
Review the code and reuse it however you like. Self-host or run the site locally for fully offline encryption.
Advanced Security
Encryption uses AES-GCM and PBKDF2 with a salted 256-bit key. View the process in Typescript or Python.

Frequently Asked Questions

Who is this for?
Security concious people who want to backup their 2FA codes. You might already use a service like Authy but want extra redundancy and flexibility. The encrypted QR codes are just images that you can safely save in Whatsapp, a photo gallery, and even print them out.
What is a QR code?

A QR (quick-response) code is a barcode that's easy to scan and contains useful data. They are blocky, black/white, square images which you usually scan when adding two-factor auth to an account.

What is two-factor auth (2FA)?
  • Two-factor authentication (2FA) helps protect your online accounts from being accessed by someone who has access to your password.
  • You usually set up 2FA by scanning a QR code to link the service with an authenticator app on your phone. The app generates a random code every few seconds which you fill into the website when asked.
  • By knowing your password and filling in the 2FA code, you verify two factors: something you know and something you have. This makes it much harder to hack an account even if someone knows your password.
Why should I backup 2FA codes?
If you lose or break your 2FA device you could lose access to some accounts forever - even if you have the password. We often set up 2FA with our most important accounts so losing access could be a huge loss of data e.g. photos, emails, and documents. You should absolutely backup 2FA codes and in multiple places.
What's wrong with Authy?
  • Authy is a great authenticator app that can double as a backup by saving your 2FA codes for you. However, this is opt-in and you must now rely on a private service. If you lose access to Authy, you lose all of your 2FA codes.
  • One problem is that Authy is linked to your mobile phone number and you must receive an sms to gain access to your account. If you lose your phone & SIM then it's up to your phone provider to give you that number again, and that could take weeks.
  • So definitely use a service like Authy, but it's a good idea to have extra backups. Encrypted QR codes are just images that you can safely save in Whatsapp, a photo gallery, and even print them out.
What's wrong with 1Password?
  • 1Password is a great password manager that can double as a backup by saving your 2FA codes for you. This is convenient but in the (unlikely) event that your vault is compromised then your 2FA codes won't protect those accounts.
  • They claim that most hacks made are not by compromising your vault, but by guessing your password or finding it in a data breach. This is true but a vault is a high value target and even a breach on LastPass was made by hacking the corporate vault.
  • So if you want to separate your 2FA codes from your password manager then encrypting and backing up your 2FA codes is a good solution.
Can I rely on this website?
Yes but the great thing is, you don't have to! This website is fully open source so you can control how you use it. Fork the code and reuse it however you like, self-host it, or run the site locally for fully offline use. Decryption is language agnostic so you can always recover an encrypted QR code in future. Here are examples in both Typescript and Python.
How are codes encrypted?
  • Note: Encryption/decryption is done on your device and no data is collected about you.
  • A QR Code is scanned to decode its plaintext content.
  • The plaintext is encrypted into ciphertext as follows:
    • PBKDF2 derives a 256 bit key from the password and random salt.
    • AES-GCM with random init values (IV) encrypts the data.
    • Cryptographically strong random data is provided by Crypto.

  • The ciphertext, salt, and IV are encoded into a text format and saved as a JSON object. The data is encoded into a new encrypted QR code. View the process here.

    { "iv":"5a7e0a...", "salt":"74c98...", "cipherText":"0e50b...", "hint":"Google Account", "date":"2024-01-01" }

How do I encrypt a 2FA code?
  • Log into an account and follow their instructions to set up 2FA. Stop when they present you with a QR code.
  • Before you scan the QR code with your auth app, first encrypt a copy of the QR code with this website.
  • Either screenshot, copy/paste, or scan the QR code with a camera and encrypt it. The following Q&A has more details.
  • Download the encrypted QR code and save or print the image in multiple places as a backup.
  • Continue setting up 2FA with the original QR code as normal with your authenticator app.
How do I encrypt a QR code?
  • Scan a QR code by selecting a file, copy & paste, drag & drop, or scanning it via camera. E.g:
    • Scan a QR code on your phone via your laptop webcam.
    • Scan a printed QR code with your mobile camera.
    • Screenshot the QR code, save, then select the image file.
    • Right click and copy the QR code, then 'Ctrl+V' to paste here.
  • Type an unencrypted hint to remember what the QR code is for.
  • Type a secure password to encrypt the QR code with. You MUST remember the password to unlock it again - this is unrecoverable if you forget it. Ideally use a unique password for each QR code.
  • Download the encrypted QR code and save or print the image in multiple places as a backup.
How do I choose and store a password?
  • 1Password has good tips here and here for choosing a password:
    • Make it long (16+ characters). Each character makes it exponentially harder to crack.
    • Make it random. We're not as random as we think so you should use a password generator (turn the 'memorable' option on).
    • Make it memorable: 5 random words is much easier to remember but still harder to crack than 16+ random characters.
  • The solution? Generate 5 random words like this `passion-ken-omit-verso-tortoise` - it's long, random, and memorable. Write it down and practice it regularly until you commit it to memory.
  • If you plan to keep your 2FA codes separate from your password manager then create a new password (not your master password) and commit it to memory - don't store it in your vault.
  • Ideally use a unique password for each QR code. Using the same one for all codes should be fine if they're accessed rarely and stored safely in the same place - akin to a using password manager.
How do I decrypt a QR code?
  • Note: Encryption/decryption is done on your device and no data is collected about you.
  • Select/paste/drop/scan an encrypted QR code into the decrypt page. You can use your phone camera to scan a printed code for example.
  • Type in the original password to unlock the code. There is no way to recover a password if you have lost or forgotten it.
  • You can scan the decrypted code as a normal 2FA QR code.
  • Advanced users can decrypt codes using Typescript or Python.