WinAuth is a portable, open-source Authenticator for Windows that can be used as a 2FA including Bitcoin / crypto-currency websites, any service that requires the Google Authenticator, and games such as World of Warcraft, Diablo III, Guild Wars 2, Rift, ArcheAge. WildStar and Runescape.
The source code is hosted using GitHub at https://github.com/winauth/winauth.
(It was previous hosted using Google Code at https://code.google.com/p/winauth but moved following the announcement that Google code is being shut down)
With the increase in websites and services supporting two-factor authorisation, WinAuth provides an alternative or backup solution to combine all your two-factor authenticator codes in one convenient place.
Support for multiple Authenticator services
WinAuth supports any service or website that uses the Google Authenticator, Microsoft Authenticator or an RFC 6283 based authenticator. It also supports games such as World of Warcraft, Diablo III using Battle.net, GuildWars 2 and Rift.
WinAuth requires no installation and is a single executable file, and so can be run from a USB drive or stored and run from cloud files services such as DropBox, Google Drive, or SkyDrive.
If your configuration file (
winauth.xml, normally stored in your Windows roaming profile) is in the same folder as the WinAuth program, it will use that instead and switch into “portable” mode, not saving any other information to the computer.
Microsoft .NET Framework 4 is required.
An unlimited number of authenticators can be stored, each with their own personalised name and icon for quick reference. The WinAuth application can be sized as preferred or automatically displayed to fit.
Automatic or On-Demand
Each authenticator can be set to automatically display and refresh the current code or to only calculate and show the code when clicked.
Security and Encryption
All private authenticator data is encrypted with your own personal password, salted and enhanced with key strengthening to reduce the ability for brute force attacks. The data can also be protected using Windows in-built Data Protection API, which will “lock” the data to a single computer or account, making it completely unusable if copied to another computer.
Each authenticator can also additionally have its own secondary password that is required before any codes are decrypted, calculated and displayed.
Finally, all codes are drawn directly onto the screen to prevent any malware from “windows spying”.
Each authenticator can be assigned a hot-key to notify, display, clipboard copy or inject the current code into another application. An advanced injection script can also be created to automate username, password and code entry. Scripts are part of the private data and also fully encrypted along with the authenticator data.