OTPilot

Detects 2FA setup pages and saves accounts in one click. Auto-fills TOTP codes on login pages — no phone needed.

OTPilot makes two-factor authentication invisible, both when logging in and when setting it up. **Adding an account takes one click.** When you enable 2FA on any site, OTPilot detects the setup page automatically and shows a floating prompt: "Save [ServiceName] to OTPilot?" Click Add account, and you're done. No QR scanner app, no base32 secrets, no manual entry. OTPilot reads the account details directly from the page — including your email address when the site provides it. **Logging in takes zero clicks.** Navigate to a page OTPilot knows about, and it finds the OTP field, fills in the current code, and submits the form — automatically, before you've reached for your phone. **If OTPilot is locked**, it shows an inline unlock prompt right on the page. Type your master password and press Enter. It unlocks and fills in one step, without opening the pop-up. **Multiple accounts on the same site.** Running work and personal GitHub? Two Google accounts? OTPilot detects all matching accounts and shows a quick picker overlay — tap **Fill** to inject the right code directly into the page, or **Copy** to grab it for a different device. Single-account sites continue to fill automatically with no extra step. **Smart backup and restore.** Export only the accounts you choose — uncheck anything you'd rather leave out before setting the backup password. When restoring, OTPilot shows every account in the file: accounts already in your vault appear dimmed with an "already in vault" badge and can't be selected, so existing entries are never overwritten. Only the new accounts you check are added. **Privacy first — everything stays on your device.** - Secrets stored in chrome.storage.local — sandboxed to this extension - Master password lock with 24-hour or 30-day sessions - Encrypted backup and restore (AES-GCM 256-bit, PBKDF2 with 200,000 iterations) - No accounts, no cloud sync, no telemetry, no external servers - No third-party dependencies — plain JavaScript and the Web Crypto API --- **Supports any TOTP-based 2FA.** Works with Google, GitHub, Dropbox, and any other service that uses standard TOTP codes (RFC 6238) — the same codes Google Authenticator generates.