Alexander Kopachov edited this page Aug 13, 2023 · 10 revisions

Flipper Authenticator is considered a safe app.

Flipper Authenticator stores token secrets in its config file in encrypted form. Encryption is done using the standard Flipper Zero API, which states that it uses AES encryption.

The secret key for AES encryption is stored in, and used from, the Flipper Zero built-in key vault. At any point the user may pick another key vault slot, generate a new secret key there and start using it.

The initialization vector (IV) for AES encryption is built at runtime with the PBKDF2 algorithm, using a combination of the Flipper Zero device UID and the user's PIN (if a PIN is set) as the password, and a randomly generated sequence of bytes stored in the config file as the salt.

So, in theory, to recover a plain token secret it is necessary to have the original Flipper Zero device on which the config file was generated and to know the user's PIN (if the user has set one).

If the user writes a plain token secret directly into the config file, the app will detect the plain token on its next launch, encrypt it, and replace the plain token secret with the encrypted copy.

Overall, Flipper Authenticator tries to be as safe as possible; however, like any other application, it should be used with its limitations in mind.

If you have ideas on how we can make Flipper Authenticator even more secure, please let me know.
