OneAuth

OneAuth: A Secure Authenticator App for Two-Factor and Passwordless Logins

OneAuth is a comprehensive authenticator application developed by Zoho that provides robust two-factor authentication (2FA) and passwordless sign-in capabilities. This app is designed to secure both your Zoho and non-Zoho accounts, moving beyond vulnerable password-only protection. Users adopt OneAuth to centralize their multi-factor authentication needs, safeguarding their digital identities from unauthorized access with a streamlined and reliable security tool.

Adding Online Accounts via QR or Manual Entry

Users begin securing an account by opening OneAuth and selecting the option to add a new entry. The primary method involves scanning a QR code presented on the website's 2FA setup screen using the device's camera. For services that provide a secret key instead of a QR code, users can manually enter the account name and the key into the corresponding fields within the OneAuth app. This process links the external account, and OneAuth immediately begins generating time-based one-time passwords (TOTPs) for it.

Generating Time-Based One-Time Passwords (TOTPs)

Once an account is added, OneAuth automatically generates a six-digit TOTP that refreshes every 30 seconds. To authenticate, users simply open the OneAuth app, locate the desired account, and type the currently displayed code into the login field on the website or service. These codes are generated locally on the device, allowing OneAuth to function entirely offline. This ensures access to accounts even without an internet connection, providing constant security.

Encrypted Cloud Backup and Recovery with a Passphrase

To prevent lockout, OneAuth offers an encrypted cloud backup solution. During setup, users are prompted to create a unique, strong passphrase that serves as the encryption key. This passphrase is required to restore a backup. All 2FA account secrets are encrypted on the user’s device using this passphrase before being securely uploaded to the cloud. If a user gets a new device, they install OneAuth, select the restore option, and enter their passphrase to recover all their accounts seamlessly.

Synchronizing OTP Secrets Across Multiple Devices

For users with multiple devices, OneAuth keeps TOTP secrets synchronized. After enabling sync in the settings, any account added on one device, like a phone, will automatically appear on other linked devices, such as a tablet or computer. This synchronization relies on the same encrypted cloud backup, ensuring the secrets remain secure during transfer. The OneAuth experience remains consistent, allowing users to generate codes from any device they own.

Organizing Accounts with Custom Folders and Logos

To manage a large number of accounts, OneAuth provides organizational tools. Users can create custom-named folders, such as "Work" and "Personal," directly within the app's interface. Accounts can be dragged and dropped into these folders for better categorization. Furthermore, OneAuth automatically fetches and displays brand logos for most services, making accounts visually identifiable at a glance. This organization simplifies navigation and speeds up the process of finding the right code.

Passwordless and Biometric Login for Zoho Accounts

For Zoho accounts, OneAuth enables a superior passwordless login experience. Users configure this within their Zoho security settings, choosing OneAuth as their primary method. To sign in, they select the passwordless option on Zoho's login page, which sends a push notification to their OneAuth app. They then approve the login with a tap, often combined with biometric verification like a fingerprint. This eliminates the need to type a password while enhancing security.

Monitoring Trusted Devices and Active Sessions

OneAuth includes a security dashboard for Zoho accounts where users can review and manage trusted devices. After logging into the Zoho account portal, users can view a list of all devices that have authenticated via OneAuth. Each entry shows the device type, location, and last access time. From this interface, users can manually revoke access for any unfamiliar or lost devices, ensuring that only their current devices retain login privileges, thus maintaining account integrity.