Open-source hardware security device featuring TOTP Authenticator and Password Manager with BLE Keyboard
Video Demo • Features • Installation • Documentation • Security • Support
TOTP Mode (Dark Theme) Real-time authentication codes |
TOTP Mode (Light Theme) Customizable display themes |
HOTP Mode (Light Theme) Counter-based authentication |
Password Manager Mode Secure offline password vault |
BLE Security Mode Encrypted wireless transmission |
QR Code Export Export keys directly from display |
Boot Mode Selection WiFi / AP / Offline at startup |
Battery & Status Real-time monitoring |
Hardware Overview Compact open-source design |
Factory Reset Secure data wiping |
Dashboard Secure web access |
TOTP Management QR code scanning & bulk import |
Password Vault Encrypted storage & search |
Security Settings PIN & authentication config |
Device Configuration Network & display settings |
Password Generator Advanced generation & statistics |
Watch the full demonstration — TOTP generation, password management, BLE keyboard, and web interface.
- Compatible with Google Authenticator, Microsoft Authenticator, Authy, and all RFC 6238 / RFC 4226 services
- SHA1 / SHA256 / SHA512, 6 and 8 digit codes, 30s and 60s periods
- HOTP counter-based codes with automatic counter increment
- Add keys via QR code scan (camera or file), manual entry, or bulk import
- Export any key as QR code — displayed on the device screen and in the web interface
- Encrypted storage with unique per-device key
- Offline encrypted vault — works without any network connection
- BLE HID keyboard: types passwords directly into any device, no clipboard
- PIN protection for BLE transmission
- Encrypted export/import for backup and migration
- Runs on the device itself — no cloud, no external servers
- Full TOTP and password management from any browser
- Password generator with complexity settings
- Three network modes: WiFi client, AP hotspot, or fully offline
- Multilingual interface — English, Russian, German, Chinese (Simplified), and Spanish
- Light and dark themes, switchable from the web interface
- Custom splash screens on boot
- Battery indicator and WiFi status always visible
- LILYGO® TTGO T-Display ESP32 — dual-core 240MHz, 1.14" TFT display
- Battery monitoring with real-time voltage and percentage
- Deep sleep and light sleep power saving
- DS3231 RTC module support — accurate offline timekeeping without WiFi; enables TOTP in AP and Offline modes
All sensitive data is encrypted with AES-256 using a unique per-device key derived from your PIN via PBKDF2-HMAC-SHA256. The web interface runs over an HTTPS-like encrypted channel (ECDH P-256 key exchange + AES-256-GCM) — works even in AP mode without certificates.
8 layers of web protection: key exchange → session encryption → URL obfuscation → header obfuscation → decoy traffic → method tunneling → timing protection → honeypot endpoints.
Device security: PIN with persistent lockout (5 attempts across reboots), secure memory wipe before deep sleep, encrypted BLE pairing.
- PBKDF2 iteration count (25,000) is below OWASP 2023 recommendations due to ESP32 hardware constraints
- No hardware secure enclave or secure boot by default
- Active MITM on initial ECDH exchange is not detectable without a server certificate
→ Security Overview — full security summary
→ Security Model — technical reference for developers and auditors
| Button | Action | Function |
|---|---|---|
| Button 1 (Top) | Short press | Previous item |
| Long press 2s | Switch TOTP ↔ Password Manager | |
| Button 2 (Bottom) | Short press | Next item |
| Long press 5s | Power off (deep sleep) | |
| Both buttons | 2s in Password Mode | Activate BLE keyboard |
| 5s on PIN screen | Shutdown | |
| 5s on boot | Factory reset |
Wake from sleep: press Button 2.
- PlatformIO (VS Code extension)
- LILYGO® TTGO T-Display ESP32
- USB-C cable
→ Web Flasher — Chrome/Edge + USB, no install needed
→ User Guide
→ Decrypt Export Tool
git clone https://github.com/makepkg/SecureGen.git
cd SecureGen
# Open in VS Code with PlatformIO, then Upload- Device creates AP
ESP32-TOTP-Setup→ connect and open192.168.4.1 - Enter WiFi credentials
- Set administrator password and optional PIN
- Device syncs time via NTP and is ready
→ Complete User Manual for detailed setup and usage
| Document | Audience |
|---|---|
| User Manual | All users — setup, operation, features |
| Operating Modes | Network and display mode reference |
| Decrypt Export Tool | Offline backup decryption |
| Security Overview | Security summary |
| Security Model | Full technical security reference |
| API Endpoints | Developer API reference |
| System Design | Architecture and boot sequence |
| Logging System | Debug and log configuration |
- Quick search by account name, favorites / pinned accounts, grouping by tags (work, personal, finance)
- Adapt firmware for other ESP32 (T-Display-S3)
- Informative setting flags in web cabinet
- Flash encryption and secure boot (optional hardening)
- Migration ECDH P-256 → X25519
- Support ATECC608 Secure module
- Issues: GitHub Issues
- Discussions: GitHub Discussions
- YouTube: Demo & Tutorials
- Dev.to: Technical Articles
- Twitter/X: @makepkg
- Hackster.io: Featured Project
- Product Hunt: Launch Page
USDT BEP-20: 0x4f85f29892b261fa8029f3cfd64211e166744733
USDT TRC-20: TDnjDg9HxySo1J2FPSrvWQejyZ4gHKiXSJ
⭐ Star this repo if you find it useful!
MIT — see LICENSE. Third-party: TFT_eSPI (FreeBSD), ESPAsyncWebServer (LGPL-3.0), AsyncTCP (LGPL-3.0), ArduinoJson (MIT), mbedTLS (Apache 2.0).
Made with ❤️ for the open-source community