Fenko Security

Fenko Vault

An open-source passkey and 2FA vault that keeps your credentials on your own devices.

Fenko Vault stores WebAuthn passkeys and TOTP codes locally on your own devices. No account, no Fenko server holding your credentials, no cloud you have to trust. It runs as a browser extension for Chrome, Edge, Brave, and Opera, as a Firefox add-on, and as a native Android passkey provider, all from one codebase.

The whole thing is open source under the MIT license. The code lives at FenkoHQ/passkey-vault, so you can see for yourself where your passkeys are kept and what does and doesn’t leave your device.

View the source on GitHub →

Why we built it

Most password managers now hold your passwords, your 2FA codes, and your passkeys in the same vault. That’s convenient, and we’re not here to talk anyone out of their password manager. But it puts every factor of your authentication in one basket. If that vault is breached, the password and the second factor that was meant to back it up fall together. A second factor is only worth having if it lives somewhere the first one doesn’t.

That’s the gap Fenko Vault fills. It’s a free, open way to keep your passkeys and 2FA codes apart from wherever your passwords live, so one breach doesn’t hand over everything. It isn’t a password manager and won’t replace one. It does a single job: it separates out your factors of authentication.

There’s a second reason. Passkeys are great for users and almost impossible to look inside. The browser and your operating system handle the whole flow behind UI you can’t see into, and most passkey managers sync everything through a vendor cloud tied to an account. That works for a lot of people. It doesn’t work if you’d rather your credentials never sat on someone else’s server.

Fenko Vault keeps your passkeys on your own device. You can search them, back them up, and move them between devices yourself. When a site needs a passkey you don’t have stored, the vault steps aside and lets the browser and OS handle it as usual.

It doubles as an authenticator app, so your passkeys and your 2FA codes live in one searchable list instead of two separate apps. Adding a 2FA code works the usual ways: paste the setup link, paste a screenshot of the QR code, or upload the image. Everything is read on your device.

Sync without a server

This is the part we care about most. Cross-device sync is optional and off by default, and when you turn it on, there’s still no Fenko account and no server holding your vault.

Sync runs over Nostr, an open protocol built around small signed messages passed through independent relay servers. We picked it because it’s a simple, public transport that nobody owns. Your devices encrypt your vault, hand the encrypted blob to a few relays, and any other device of yours picks it up. The relays only ever see scrambled data, never your passkeys.

Pairing devices is just a recovery phrase. Turning on sync gives you a short list of words. Type the same words into your other devices and they’re linked. That phrase is the only thing that ties your devices together, and it never leaves them, so there’s nothing for us, or a relay operator, to read or hand over.

By default your devices talk to a relay we run plus a few public ones, and you can add your own or remove ours in the settings. Share one working relay and two devices stay in sync.

Open and emerging tech

Fenko Vault is built on open standards the whole way down, and the sync layer leans on Nostr, which is still young and mostly known for social apps. Using it as a personal, encrypted sync backbone is a bit off the beaten path, and that’s the point: no token, no platform, no company sitting in the middle. Just encrypted messages on relays that anyone can run, including you.

A note on what it is

Fenko Vault is built for people who want hands-on control of their credentials. Your passkeys, your 2FA secrets, and any backup you export are real credential material, so treat them like passwords. A master PIN locks the vault, but the recovery phrase is the keys to everything: anyone who has it can join your sync and receive your vault, so guard it the way you’d guard the vault itself.

Get it