Sesame

In the iOS Keychain, hardware-encrypted by your device’s Secure Enclave. Account metadata is stored locally in the app. Nothing touches a server.

Yes. Sesame supports Face ID, Touch ID, and device passcode. You can set it to lock immediately when you leave the app, or after a delay.

Sesame supports encrypted backups to iCloud Drive or as a .sesame file you can store wherever you like. There’s also a command-line tool in the source code to decrypt backups on any Mac, so long as you still have the encryption password.

With a password you choose. Without the password, the backup is unreadable. Your password is stored in the iOS Keychain and never leaves your device.

For the spec hunters: AES-256-GCM with Argon2id key derivation (3 iterations, 64 MB memory, 4 lanes).

If you enable iCloud backup, your secrets are encrypted with your chosen password before they leave your device. The encrypted file is stored on iCloud Drive, with iCloud’s own encryption at rest on top.

If you use Sesame for your iCloud account’s 2FA, make sure you have recovery codes saved somewhere safe. Without them, losing access to Sesame means losing access to iCloud.

Enable it in Sesame settings and Sesame registers your accounts with the iOS credential system. When a login screen appears on a website or an app, iOS offers to fill the code directly without needing to open the app.

Enable Siri & Shortcuts in Sesame settings to ask Siri for a verification code by account name. It copies straight to your clipboard. You also get Shortcuts actions for automations, and Spotlight search for your accounts.