Sesame

On your device, and only your device. They never leave your phone unless you choose to back them up.

Under the hood: codes are stored in the iOS Keychain, hardware-encrypted by the Secure Enclave. Account metadata like names and issuers lives in local storage. Nothing touches a server.

Yes. Sesame supports Face ID, Touch ID, and device passcode. You can set it to lock as soon as you leave the app, or after a delay.

If you’ve enabled backups, you can restore everything to a new device. Sesame backs up to iCloud Drive or as a file you can store wherever you like, like an external drive or a cloud storage folder.

Backups are encrypted with a password you choose before anything leaves your device. Without the password, the file is completely unreadable.

For the spec hunters: AES-256-GCM with Argon2id key derivation (3 iterations, 64 MB memory, 4 lanes). Your backup password is stored in the iOS Keychain and never leaves your device.

Everything is encrypted on your device before it reaches iCloud. What’s stored on iCloud Drive is already unreadable without your password, with iCloud’s own encryption on top.

Heads up: if you use Sesame for your iCloud account’s 2FA, make sure you have recovery codes saved somewhere safe. Without them, losing access to Sesame means losing access to iCloud.

Turn it on in Sesame settings and iOS will offer to fill in codes when you’re logging into a website or app. You don’t need to open Sesame.

Sesame registers your accounts with the iOS credential system, so codes appear inline wherever iOS supports AutoFill.

Ask Siri for a code by account name and it copies straight to your clipboard. You also get Spotlight search for your accounts and Shortcuts actions for automations.