WinAuth is a portable, open-source Authenticator for Windows that provides counter or time-based RFC 6238 authenticators and common implementations, such as the Google Authenticator. WinAuth can be used with many Bitcoin trading websites as well as games, supporting (World of Warcraft, Hearthstone, Heroes of the Storm, Diablo), Guild Wars 2, Glyph (Rift and ArcheAge), WildStar, RuneScape, SWTOR and Steam.

The project is open-source and hosted at


WinAuth provides an alternative solution to combine various two-factor authenticator services in one convenient place.

Latest Stable Download

WinAuth 3.3 is available from the download link below.


New Features in 3.3

Version 3.3 includes the new SteamGuard Mobile Authenticator, integration with YubiKey to enhance your authenticator security and a HOTP implementation.

Steam Guard Mobile Authenticator

WinAuth can be registered as a new mobile device to create a Steam authenticator and displays the appropriate 5 character codes.


Update 3.3.3: You MUST attach an SMS-capable phone number to your account before your activate your Steam authenticator, since the confirmation codes can no longer be sent by email, only by SMS.

Please read about the Steam Guard Mobile Authenticator for more information.


WinAuth can use a YubiKey to encrypt its data, ensuring your authenticators’ information cannot be read by anyone even when they have physical access to your computer.


Clicking the options (cog) icon, and choosing “Change Protection…”, has a new option to “Lock with a YubiKey”. Ticking this will check your system for a compatible YubiKey and walk you through setting it up. You can either use an existing slot’s configuration or have WinAuth generate a random secret to store on the YubiKey.

You must keep your YubiKey plugged in while using WinAuth. There will be no way to recover your authenticator data if your YubiKey is lost or damaged without programming another YubiKey with the same secret, or restoring from backups.

A YubiKey Standard or NEO 2.2.x or later is required.

HOTP / Counter-based Authenticator

A HOTP authenticator can be Adding a normal “Authenticator” and either pasting in a counter-based KeyUri or choosing the counter option.


Support for multiple Authenticator services

WinAuth supports any service or website that uses the Google Authenticator, Microsoft Authenticator or an RFC 6283 based authenticator. It also supports games such as Battle.Net (World of Warcraft, Hearthstone, Diablo III), GuildWars 2, Glyph, WildStar, Runescape, SWTOR and Steam.


WinAuth requires no installation and is a single executable file, and so can be run from a USB drive or stored and run from cloud files services such as DropBox, Google Drive, or SkyDrive.

If your configuration file (winauth.xml, normally stored in your Windows roaming profile) is in the same folder as the WinAuth program, it will use that instead and switch into “portable” mode, not saving any other information to the computer.

Microsoft .NET Framework 4.5 is required.

Multiple Authenticators

An unlimited number of authenticators can be stored, each with their own personalized name and icon for quick reference. The WinAuth application can be sized as preferred or automatically displayed to fit.

Automatic or On-Demand

Each authenticator can be set to automatically display and refresh the current code or to only calculate and show the code when clicked.

Security and Encryption

All private authenticator data is encrypted with your own personal password, salted and enhanced with key strengthening to reduce the ability for brute force attacks. The data can also be protected using Windows in-built Data Protection API, which will “lock” the data to a single computer or account, making it completely unusable if copied to another computer.

A YubiKey can be used to further enchance the protection by providing a secret key stored only on the YubiKey itself, and must be physically plugged into the computer before WinAuth can be opened.

Each authenticator can also additionally have its own secondary password that is required before any codes are decrypted, calculated and displayed.

Finally, all codes are drawn directly onto the screen to prevent any malware from “windows spying”.


Each authenticator can be assigned a hot-key to notify, display, clipboard copy or inject the current code into another application. An advanced injection script can also be created to automate username, password and code entry. Scripts are part of the private data and also fully encrypted along with the authenticator data.