Moat

Your two-factor codes, behind a moat.

Moat keeps your 2FA codes and passwords encrypted on your device — and end-to-end encrypted in the cloud. No tracking. No ads. We can't read your data, and neither can anyone else.

End-to-end encrypted · No account required · No tracking, ever

◷ Launching soon on the App Store

On-device: iOS Keychain encryption
Zero-knowledge: We can't read your data
TOTP & HOTP: Open standards
No tracking: No analytics or ads

Everything you need

One calm, secure home for every login

Built for people who take their security seriously — without making it complicated.

Two-factor codes

Time- and counter-based one-time codes (TOTP & HOTP). Scan a QR code, import, or enter a key by hand.

Encrypted backup & sync

Optional end-to-end encrypted backup keeps your accounts safe across devices. The cloud only ever stores ciphertext.

Password vault

Optional encrypted storage for logins — kept in the Keychain, revealed only after Face ID. Includes a strong password generator.

Import in seconds

Move over from Google Authenticator export QR codes, otpauth:// links, photos, or an encrypted backup file.

Face ID lock

Lock the app behind Face ID, hide codes until you tap, and blur the screen in the App Switcher.

Folders & search

Organize dozens of accounts into folders and find any code instantly with fast search.

Security, in plain terms

Strong encryption — and we mean it

No vague promises. Here's exactly how your data is protected, and why even we can't read it.

Encrypted on your device

Your 2FA secrets and passwords live in the iOS Keychain, protected by device encryption and excluded from unencrypted backups. They never leave your device in readable form.

End-to-end encrypted sync

If you turn on backup, everything is encrypted on your device before upload. Our servers only ever store ciphertext — using AES-256-GCM.

Keys derived from your recovery key

Your encryption key is derived with PBKDF2-SHA256 at 210,000 iterations (current OWASP guidance) with random salts. Your keys and recovery key stay on your device — never sent to us.

Zero-knowledge by design

We have no ability to read your secrets or passwords. If you lose your recovery key, not even we can restore them — that's the point.

No tracking, no ads

No analytics SDKs, no advertising, no web beacons, no third-party logo fetches. We don't sell or share your data — there's nothing to sell.

Open, audited standards

Codes follow the published TOTP (RFC 6238) and HOTP (RFC 4226) standards, so they work with thousands of services — Google, Apple, Microsoft, GitHub, and more.
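As an added illustration of the standards named above and of the otpauth:// import mentioned earlier (this is not Moat's code), the sketch below validates an otpauth:// link and generates HOTP and TOTP codes per RFC 4226 and RFC 6238. The function names and the sample URI are constructed for the example; the sample secret is the RFCs' published test key.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlsplit

DIGESTS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}
# Constructed sample: the RFC 4226/6238 test key "12345678901234567890" in base32.
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=8")

def hotp(key, counter, digits=6, digest=hashlib.sha1):
    """RFC 4226: HMAC the 8-byte big-endian counter, then dynamically truncate."""
    mac = hmac.new(key, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte picks a 4-byte window
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(key, unix_time, period=30, digits=6, digest=hashlib.sha1):
    """RFC 6238: HOTP where the counter is the number of elapsed periods."""
    return hotp(key, int(unix_time) // period, digits, digest)

def parse_otpauth(uri):
    """Validate an otpauth:// link before storing it; ValueError on bad input."""
    parts = urlsplit(uri)
    kind = parts.netloc.lower()
    if parts.scheme != "otpauth" or kind not in ("totp", "hotp"):
        raise ValueError("not an otpauth totp/hotp link")
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    secret = query.get("secret", "").replace(" ", "").upper()
    # b32decode raises binascii.Error (a ValueError subclass) on malformed base32.
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))
    algorithm = query.get("algorithm", "SHA1").upper()
    digits = int(query.get("digits", "6"))
    period = int(query.get("period", "30"))
    if not key or algorithm not in DIGESTS or digits not in (6, 7, 8) or period <= 0:
        raise ValueError("missing secret or unsupported parameter")
    entry = {"type": kind, "label": unquote(parts.path.lstrip("/")), "key": key,
             "digest": DIGESTS[algorithm], "digits": digits, "period": period}
    if kind == "hotp":
        entry["counter"] = int(query.get("counter", ""))  # required for HOTP
        if entry["counter"] < 0:
            raise ValueError("negative counter")
    return entry

if __name__ == "__main__":
    e = parse_otpauth(SAMPLE_URI)
    print(e["label"], totp(e["key"], 59, e["period"], e["digits"], e["digest"]))
```

Rejecting unknown algorithms, digit counts, and malformed secrets at import time keeps a crafted QR code or link from storing an entry that silently produces wrong codes.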

We collect nothing.
Your data is yours alone.

No sign-up is required to use Moat. There are no analytics, no trackers, and no ads. The only data that ever leaves your device is end-to-end encrypted — and we can't read it.

Protect every account in minutes

Free to start. Upgrade anytime for unlimited accounts, encrypted backup, and sync across your devices.
