{"id":44342002,"url":"https://github.com/koditoriet/fenris-authenticator","last_synced_at":"2026-04-12T23:32:14.988Z","repository":{"id":332529498,"uuid":"1129057050","full_name":"koditoriet/fenris-authenticator","owner":"koditoriet","description":"Really secure passkey provider and TOTP authenticator","archived":false,"fork":false,"pushed_at":"2026-02-05T23:25:03.000Z","size":949,"stargazers_count":0,"open_issues_count":7,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-02-06T08:22:51.380Z","etag":null,"topics":["android-application","authenticator","kotlin","passkeys","totp"],"latest_commit_sha":null,"homepage":"","language":"Kotlin","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/koditoriet.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-01-06T14:44:22.000Z","updated_at":"2026-02-05T23:23:14.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/koditoriet/fenris-authenticator","commit_stats":null,"previous_names":["koditoriet/snout-authenticator","koditoriet/fenris-authenticator"],"tags_count":8,"template":false,"template_full_name":null,"purl":"pkg:github/koditoriet/fenris-authenticator","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/koditoriet%2Ffenris-authenticator","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/koditoriet%2Ffenris-authenticator/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hos
ts/GitHub/repositories/koditoriet%2Ffenris-authenticator/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/koditoriet%2Ffenris-authenticator/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/koditoriet","download_url":"https://codeload.github.com/koditoriet/fenris-authenticator/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/koditoriet%2Ffenris-authenticator/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29333155,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-11T12:42:24.625Z","status":"ssl_error","status_checked_at":"2026-02-11T12:41:23.344Z","response_time":97,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["android-application","authenticator","kotlin","passkeys","totp"],"created_at":"2026-02-11T13:05:53.556Z","updated_at":"2026-02-11T13:05:54.315Z","avatar_url":"https://github.com/koditoriet.png","language":"Kotlin","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Fenris\nFenris is a security-focused passkey and TOTP authenticator.\n\n*Fenris is currently pre-release — expect bugs and breaking changes!*\n\n### Certificate fingerprint\nThis is the SHA256 hash of the Fenris signing certificate. 
Use it to verify the app's authenticity.\n\n```\nd88a60b9b362391306dd8386ff1f7c995184664e8bf49bc181126cdb435264d3\n```\n\n\n## Features\n* **Passkeys:** get rid of usernames and passwords entirely, or use a stronger second factor.\n* **One-time codes:** for the services that don't support passkeys, Fenris acts as an OTP authenticator.\n* **Hardware-backed security:** passkeys and OTP secrets are stored in secure hardware, and are\n    literally impossible to steal from your device.\n* **Strong encrypted backups:** backups — if enabled — are protected by a random seed, stored\n    offline as a QR code or a BIP-39 seed phrase.\n* **Degoogled:** Fenris does not depend on Google Play Services, and is developed and tested\n    on [GrapheneOS](https://grapheneos.org).\n* **Offline:** Fenris does not collect any metrics or user data, or depend on proprietary servers —\n    it doesn't even require a network connection. *You* are in control of *your* data.\n\n\n## Why (or why not) Fenris?\nFenris aims to be the most secure authenticator. To that end, it sacrifices some conveniences\nprovided by many other authenticators.\n\n### Compared to your password manager\nSecond factor credentials, such as OTP secrets or passkeys used as a second factor, do not belong\nin your password manager. 
By storing them side by side with the passwords they are intended to act\nas a second factor for, you are effectively *removing* the second factor.\n\nFurthermore, most password managers are designed to store things for later retrieval.\nThis is a natural consequence of being a *password* manager: if you can't read or copy your password,\nyou can't use it.\n\nThis is not how passkeys or OTP secrets work.\nWhen using either to authenticate, you provide a *proof* that you are in possession of the credential,\nwithout ever revealing the credential itself.\nAllowing such credentials to be retrieved at all is a security problem, not a feature!\n\n### Compared to Aegis, Google Authenticator, etc.\nMost other authenticators put a higher premium on convenience than Fenris does, allowing credentials\nto be read and transferred to other devices at will, storing your credentials with cloud providers,\netc.\n\nFenris instead stores your credentials in the secure element of your device, from which there is no\nescape — ever. Even with backups enabled — which is optional — recovery is only possible using\nyour offline backup seed to ensure that even the device that creates your backups can't access them. 
\n\n\n## Security design\nThis section briefly describes the steps taken by Fenris to keep your secrets safe.\n\n### Credential storage\nFenris keeps its account database in an SQLite database encrypted with a 256-bit random\ndata encryption key (DEK) using SQLCipher.\nThe DEK is encrypted with a 256-bit AES key encryption key (KEK) stored in the device's\nsecure element (SE) or TEE through Android KeyStore, depending on available hardware.\nBy default, user authentication is required to access the KEK for unlocking the database.\n\nThe DEK is only kept in memory while the database is unlocked.\nThe database can be locked for the following reasons:\n\n* The user explicitly locks it.\n* The screen lock was engaged.\n* Fenris has been in the background for too long (30 seconds by default).\n\nWhen any of these conditions is met, the database is closed and the DEK is wiped from memory.\n\nThe account database only contains account metadata. It does *not* contain any credentials (unless\nbackups are enabled — see [Backups](#Backups) for more information).\nCredentials are instead stored in SE/TEE, and always require user authentication to access.\n\n### Backups\nIf backups are enabled, Fenris stores a copy of each credential in the account database.\nThis copy is encrypted using a 256-bit AES key derived from a 256-bit backup seed.\nThe key is stored in SE/TEE, and only approved for encryption use — crucially *not* for decryption.\n\nThe backup seed is randomly generated on first start, and displayed to the user in the form of\neither a BIP-39 seed phrase or a QR code for printing. 
The user is strongly encouraged to\nstore their seed phrase offline, and advised that storing it on the same device where Fenris is\ninstalled is a terrible idea.\n\nAs the backup secrets are protected by both the backup key and the database encryption keys,\nthe user's credentials are at least as well protected as with any other authenticator even if the user\nwere to store their backup seed in plain text on the same device.\n\nTo keep this level of protection intact, backups are never created automatically but only by\nexplicit user request.\n\n### Authentication\nFenris requires user authentication using either class 3 biometrics (e.g. fingerprint) or device\ncredential (e.g. PIN/password) to use any credential and to unlock the account database.\n\nFor symmetric credentials (i.e. OTP secrets and the database KEK), the key remains unlocked\nfor five seconds following authentication, whereas asymmetric credentials (i.e. passkeys)\ncan only be used for a single operation without having to authenticate the user again.\n\n### Credential creation\nCredentials are generated in device memory, then immediately stored in SE/TEE hardware and (if enabled)\nencrypted for backup, and finally wiped from memory.\nThis means that there is a small risk of the credential persisting in device memory for some time\nafter creation.\n\nThis small time window could theoretically be exploited either by a compromised operating system\nor through a cold boot attack.\nTo mitigate this risk, it is strongly recommended to run Fenris on a device without root permissions\nand with a locked bootloader.\n\n### Snooping mitigations\nTo prevent shoulder surfers, malware or \"well-meaning\" but integrity-challenged AI scrapers from\nreading one-time codes, Fenris takes the following precautions:\n\n* One-time codes are not displayed or generated until the user selects a specific account and\n  authenticates.\n* Screenshots and screen recording are disabled for Fenris.\n* Secrets can be configured 
to be hidden from screen readers, but default to visible to avoid\n  excluding visually impaired users.\n\n\n## Contributing\nUnfortunately, we are unable to accept external contributions at this point.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkoditoriet%2Ffenris-authenticator","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkoditoriet%2Ffenris-authenticator","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkoditoriet%2Ffenris-authenticator/lists"}