Blog

Short, practical posts on TOTP, two-factor authentication, and the tradeoffs behind client-side security tools.

• June 10, 2026

  What is TOTP and how does it actually work?

  A plain-language walkthrough of RFC 6238: the shared secret, the time step, HMAC-SHA1, and the truncation that turns a hash into 6 digits.

• May 22, 2026

  Why authenticator secrets are written in Base32

  Base32 keeps secrets human-readable, copy-paste safe, and case-insensitive — here's why TOTP picked it over hex or Base64.

• April 30, 2026

  Client-side 2FA: why your secret should never leave the browser

  A look at the privacy trade-offs between cloud-synced authenticator apps and zero-knowledge, local-only generators.