OTPilot

Tracking since May 12, 2026.

Changelog

• May 24, 2026
  description

  OTPilot makes two-factor authentication invisible, both when logging in and when setting it up.
  
  **Adding an account takes one click.**
  When you enable 2FA on any site, OTPilot detects the setup page automatically and shows a floating prompt: "Save [ServiceName] to OTPilot?" Click Add account, and you're done. No QR scanner app, no base32 secrets, no manual entry. OTPilot reads the account details directly from the page — including your email address when the site provides it.
  
  **Logging in takes zero clicks.**
  Navigate to a page OTPilot knows about, and it finds the OTP field, fills in the current code, and submits the form — automatically, before you've reached for your phone.
  
  **If OTPilot is locked**, it shows an inline unlock prompt right on the page. Type your master password and press Enter. It unlocks and fills in one step, without opening the pop-up.
  
  **Multiple accounts on the same site.**
  Running work and personal GitHub? Two Google accounts? OTPilot detects all matching accounts and shows a quick picker overlay — tap **Fill** to inject the right code directly into the page, or **Copy** to grab it for a different device. Single-account sites continue to fill automatically with no extra step.
  
  **Smart backup and restore.**
  Export only the accounts you choose — uncheck anything you'd rather leave out before setting the backup password. When restoring, OTPilot shows every account in the file: accounts already in your vault appear dimmed with an "already in vault" badge and can't be selected, so existing entries are never overwritten. Only the new accounts you check are added.
  
  **Privacy first — everything stays on your device.**
  
  - Secrets stored in chrome.storage.local — sandboxed to this extension
  - Master password lock with 24-hour or 30-day sessions
  - Encrypted backup and restore (AES-GCM 256-bit, PBKDF2 with 200,000 iterations)
  - No accounts, no cloud sync, no telemetry, no external servers
  - No third-party dependencies — plain JavaScript and the Web Crypto API
  
  ---
  
  **Supports any TOTP-based 2FA.**
  Works with Google, GitHub, Dropbox, and any other service that uses standard TOTP codes (RFC 6238) — the same codes Google Authenticator generates.

  🔐 OTPilot — Two-Factor Authentication Without the Friction
  
  OTPilot makes two-factor authentication feel invisible — both when setting it up and when logging in.
  
  ⚡ One-click account setup
  
  When you enable 2FA on a website, OTPilot automatically detects the setup page and shows a simple prompt:
  
  “Save [Service] to OTPilot?”
  
  Click Add account and you’re done.
  
  ✅ No QR scanner apps
  ✅ No copying secret keys
  ✅ No manual setup
  
  OTPilot reads the TOTP configuration directly from the page and can even detect the account email when available.
  
  🚀 Zero-click logins
  
  When an OTP field appears, OTPilot automatically:
  
  Detects the verification code field
  Fills the current code instantly
  Submits the form automatically
  
  No phone switching. No copy/paste. No interruptions.
  
  🔓 Inline unlock
  
  If your vault is locked, OTPilot shows an unlock prompt directly on the page.
  
  Type your master password and press Enter — OTPilot unlocks and fills the code immediately, without opening the extension popup.
  
  👥 Multiple accounts on the same site
  
  Using multiple accounts for the same service?
  
  OTPilot automatically detects matching accounts and shows a quick picker so you can choose the right one instantly.
  
  Perfect for:
  
  Work + personal GitHub accounts
  Multiple Google accounts
  Shared admin environments
  ☁️ Optional end-to-end encrypted sync
  
  Sync your vault securely across browsers with optional cloud sync.
  
  🔒 Encrypted on your device before upload
  🔒 Server never sees your secrets in plain text
  🔒 Recovery key generated for account recovery
  
  💳 One-time payment. No subscription.
  
  🖥️ Device management
  
  Manage every connected browser from the OTPilot dashboard.
  
  View connected devices and sync history
  Remotely disconnect devices
  Wipe vault access on next sync
  Get email alerts for new device connections
  💾 Smart backup & restore
  
  Export only the accounts you choose.
  
  When restoring, OTPilot automatically detects accounts already in your vault so existing entries are never overwritten accidentally.
  
  🛡️ Privacy first
  
  Your secrets stay encrypted on your device.
  
  AES-256-GCM vault encryption
  PBKDF2 with 200,000 iterations
  End-to-end encrypted sync
  No telemetry or analytics
  Open source (MIT)
  🌍 Works everywhere
  
  OTPilot supports any standard TOTP-based two-factor authentication system (RFC 6238), including:
  
  Google
  GitHub
  Dropbox
  Microsoft
  Amazon
  And thousands more
  
  If it works with Google Authenticator, it works with OTPilot.

• May 24, 2026
  host_permissions

  *://*/*

  *://*/*, https://qulptwblkmcvsjrjnugl.supabase.co/*

• May 24, 2026
  permissions

  storage, tabs

  storage, tabs, identity, alarms

• May 17, 2026
  description

  OTPilot makes two-factor authentication invisible — both when logging in and when setting it up.
  
  **Adding an account takes one click.**
  When you enable 2FA on any site, OTPilot detects the setup page automatically and shows a floating prompt: "Save [ServiceName] to OTPilot?" Click Add account and you're done. No QR scanner app, no base32 secrets, no manual entry. OTPilot reads the account details directly from the page.
  
  **Logging in takes zero clicks.**
  Navigate to a page OTPilot knows about and it finds the OTP field, fills in the current code, and submits the form — automatically, before you've reached for your phone.
  
  **If OTPilot is locked**, it shows an inline unlock prompt right on the page. Type your master password and press Enter. It unlocks and fills in one step, without opening the popup.
  
  ---
  
  **Privacy first — everything stays on your device.**
  
  - Secrets stored in chrome.storage.local — sandboxed to this extension
  - Master password lock with 24-hour or 30-day sessions
  - Encrypted backup and restore (AES-GCM 256-bit, PBKDF2 with 200,000 iterations)
  - No accounts, no cloud sync, no telemetry, no external servers
  - No third-party dependencies — plain JavaScript and the Web Crypto API
  
  ---
  
  **Supports any TOTP-based 2FA.**
  Works with Google, GitHub, Dropbox, and any other service that uses standard TOTP codes (RFC 6238) — the same codes Google Authenticator generates.

  OTPilot makes two-factor authentication invisible, both when logging in and when setting it up.
  
  **Adding an account takes one click.**
  When you enable 2FA on any site, OTPilot detects the setup page automatically and shows a floating prompt: "Save [ServiceName] to OTPilot?" Click Add account, and you're done. No QR scanner app, no base32 secrets, no manual entry. OTPilot reads the account details directly from the page — including your email address when the site provides it.
  
  **Logging in takes zero clicks.**
  Navigate to a page OTPilot knows about, and it finds the OTP field, fills in the current code, and submits the form — automatically, before you've reached for your phone.
  
  **If OTPilot is locked**, it shows an inline unlock prompt right on the page. Type your master password and press Enter. It unlocks and fills in one step, without opening the pop-up.
  
  **Multiple accounts on the same site.**
  Running work and personal GitHub? Two Google accounts? OTPilot detects all matching accounts and shows a quick picker overlay — tap **Fill** to inject the right code directly into the page, or **Copy** to grab it for a different device. Single-account sites continue to fill automatically with no extra step.
  
  **Smart backup and restore.**
  Export only the accounts you choose — uncheck anything you'd rather leave out before setting the backup password. When restoring, OTPilot shows every account in the file: accounts already in your vault appear dimmed with an "already in vault" badge and can't be selected, so existing entries are never overwritten. Only the new accounts you check are added.
  
  **Privacy first — everything stays on your device.**
  
  - Secrets stored in chrome.storage.local — sandboxed to this extension
  - Master password lock with 24-hour or 30-day sessions
  - Encrypted backup and restore (AES-GCM 256-bit, PBKDF2 with 200,000 iterations)
  - No accounts, no cloud sync, no telemetry, no external servers
  - No third-party dependencies — plain JavaScript and the Web Crypto API
  
  ---
  
  **Supports any TOTP-based 2FA.**
  Works with Google, GitHub, Dropbox, and any other service that uses standard TOTP codes (RFC 6238) — the same codes Google Authenticator generates.

• May 17, 2026
  short_description

  Auto-fills TOTP codes on any login page you configure

  Detects 2FA setup pages and saves accounts in one click. Auto-fills TOTP codes on login pages — no phone needed.

Permissions & access

Permissions

storagetabsidentityalarms

Host access

*://*/*, https://qulptwblkmcvsjrjnugl.supabase.co/*

Screenshots