Your vault. Your keys. Your device.

Passwords, TOTP, and passkeys.
Zero-knowledge.

The master password never leaves your device. Every vault item is encrypted client-side with AES-256-GCM under an Argon2id-derived key. The server stores ciphertext it cannot read.

Zero-Knowledge
AES-256-GCM
WebAuthn Passkeys
Push 2FA
AEU Pass logo
One vault. Every device.

Everything a password manager should do

Passwords, TOTP codes, passkeys, and secure notes. Cross-device sync with a server that only sees ciphertext. Native apps on iOS, Android, and Windows. Firefox extension for autofill and passkey ceremonies.

Passwords + secure notes

Unlimited items with folders, tags, and per-item reprompt. Cross-device sync via encrypted blobs. Client-side search. Strength meter + built-in generator (random or passphrase, EFF short / large wordlists).

Built-in TOTP authenticator

RFC 6238 TOTP with SHA-1 / SHA-256 / SHA-512, 6 or 8 digits, custom periods. QR + otpauth URI import. Codes live alongside their login item so autofill can drop both in one click.

Passkeys (FIDO2 / WebAuthn)

Vault-stored passkeys work on any site. The extension intercepts navigator.credentials.create / .get and completes the ceremony from your vault. Hardware keys (YubiKey) supported as a second factor on the account itself.

Push 2FA

Approve sign-ins with one tap on a trusted device. Match-number check kills MFA-fatigue attacks. Backup codes + recovery flow so a lost phone never locks you out.

Firefox extension

Autofill, save, and update credentials. Right-click to generate a strong password into any field. Passkey ceremonies without leaving the tab. Zero credentials cached in the browser.

Sharing + organizations

Share items with collections, groups, and organizational units. Per-item audit log. Owner / editor / viewer roles. Escrow-key recovery for team account continuity.

Offline access

Encrypted offline cache. Read + unlock without a network. Server sync resumes on reconnect. Platform-authenticator (Face / Touch ID / Windows Hello) can gate the cache write for defence in depth.

Password intelligence

Real-time URL reputation check against Phishing.Database + VirusTotal. HIBP breach scan across your vault. Re-use + weak + expired flags. One-click rotate via the site's `/.well-known/change-password` page.

Import / export

CSV import from Bitwarden, 1Password, LastPass, KeePass, Chrome, Firefox, Safari. Encrypted vault export as a portable .aeubak-vault file for disaster recovery.

Native iOS + Android + Windows

Flutter apps on all three platforms. Biometric unlock. System autofill on iOS + Android. Screenshot protection. Push notifications for sign-ins and vault activity.

Zero-knowledge by design

Master password derives the vault key via Argon2id (M=64 MiB, t=3). The server stores AES-256-GCM ciphertext, HMAC session tokens, and public metadata. It never sees your master password or plaintext.

Audit trail + activity feed

Every reveal, save, share, unlock, and admin action is logged with device + IP + user agent. SHA-256 hash-chained rows detect tampering. Live activity feed on every device.

Post-Quantum

Real cryptography. In plain code you can audit.

Every algorithm below is standard, published, and constant-time. No hand-rolled crypto in the hot path. WebCrypto on the browser, PointyCastle + platform APIs on mobile.

Master password KDF

  • Argon2id memory-hard KDF (M=64 MiB, t=3, p=1)
  • 32-byte random salt per account, stored server-side
  • Derived vault key never leaves the client process
  • WASM implementation in-browser; native on mobile
OWASP Zero-Knowledge

Vault ciphertext at rest

  • AES-256-GCM authenticated encryption
  • 96-bit random nonce per item
  • 128-bit auth tag; server-side tamper detection
  • Server stores ciphertext + metadata only

Extension bridge (SPA to browser)

  • HMAC-SHA256 signed, origin-bound tokens
  • Single-use, 5-30s TTL, MessageChannel private port
  • Per-origin rate limit (30 lookup, 10 reveal per min)
  • Sender URL check + non-extractable WebCrypto keys
Full feature list

What ships in the box

Every feature is live in production. No planned / coming-soon items in this list.

Vault + zero-knowledge

  • Argon2id KDF (64 MiB, 3 iterations)
  • AES-256-GCM ciphertext at rest
  • Master password never leaves device
  • Encrypted offline cache with TTL
  • Biometric unlock (Face / Touch ID)
  • Auto-lock with idle timeout
  • Lock-on-hide (iOS + Android)
  • Per-item re-authentication flag
  • Screenshot / recorder protection
  • Client-side search + tag filter
  • Encrypted vault export (.aeubak-vault)
  • Escrow-key account recovery

Credentials + authentication

  • Password + username + URL + notes
  • Built-in TOTP (RFC 6238)
  • Passkeys (FIDO2 / WebAuthn) in vault
  • Password generator (random or passphrase)
  • EFF short / large wordlists
  • Strength meter + zxcvbn score
  • Push 2FA with match-number check
  • Recovery codes (single-use)
  • WebAuthn 2FA (YubiKey + platform)
  • Custom fields (per item)
  • HIBP breach scan
  • One-click password rotate

Extension + autofill

  • Firefox extension (Chrome coming)
  • Inline credential picker
  • Auto-advance multi-step logins
  • Save + update dialog
  • Passkey ceremonies without leaving tab
  • Right-click generate strong password
  • Per-domain allow / blocklist
  • Phishing / typosquat warning
  • Native iOS + Android autofill
  • Cross-device sync of preferences
  • Full theme parity with SPA
  • Extension bridge with 4-layer defense

Sharing + teams

  • Organizations + organizational units
  • Groups with role hierarchy
  • Collections (shared vaults)
  • Owner / editor / viewer per grant
  • Per-item audit history
  • Move personal to shared / back
  • Server-generated share notifications
  • URL reputation intel (Phishing.Database + VT)
  • Admin panel (users / audit / settings)
  • Rate limits per user and per class
  • GeoIP audit + hostile-network block
  • SSO via MyAEU cross-app auth

Import + export

  • Bitwarden JSON + CSV
  • 1Password 1PIF
  • LastPass CSV
  • KeePass XML + CSV
  • Chrome / Firefox / Safari CSV
  • Advanced CSV column mapping
  • Duplicate detection on import
  • Import to personal or shared
  • Encrypted export (.aeubak-vault)
  • Passphrase-protected backup
  • AES-256-GCM at 1M PBKDF2 iterations
  • Restore into any AEU Pass install

Platforms + sync

  • iOS (iPhone + iPad, iOS 15+)
  • Android (7.0+)
  • Windows (10 + 11)
  • Web app (any modern browser)
  • Firefox extension (Chrome coming)
  • Live WebSocket sync (sub-second)
  • Encrypted offline access
  • Themes: dark, light, AMOLED, sepia, high-contrast, Cryptid
  • Push notifications (foreground)
  • Cross-device settings sync
  • Per-screen list view preference
  • Dashboard activity feed

Administration + monitoring

  • Server-wide dashboard (uptime, upstream, DB stats)
  • User management (roles, quarantine, reset password)
  • Rotate secret + disable 2FA + bulk purge
  • Devices + sessions view + revoke any session
  • Full-audit log with SHA-256 hash chain
  • Access + activity feed (per-user, per-org)
  • Rate limits per class (auth, vault, admin, notify, etc.)
  • GeoIP audit + hostile-network auto-block
  • Server settings catalog (branding, security, features)
  • Push-2FA history + fatigue lockout
  • Live event bus + WS subscribers panel
  • Hostname migration tool + broadcast notice

Password health + intelligence

  • URL reputation (Phishing.Database + VirusTotal)
  • HIBP breach scan across every stored password
  • Under-watch list per vault item
  • Weak / reused / breached / expired flags
  • zxcvbn score + strength meter
  • One-click rotate via /.well-known/change-password
  • Auto-scan interval (admin-configurable)
  • Live "flagged" push when a new verdict lands
  • Only SHA-256 hash of hostname uploaded
  • URL text stays encrypted client-side
  • Per-item watch toggle
  • Password expiry policy (per item)

Security defenses

  • 4-layer extension bridge (HMAC + port + rate + URL)
  • Single-use tokens with 5-30s TTL
  • Origin-bound token verification
  • Per-origin rate limit (30 lookup, 10 reveal per min)
  • WebCrypto keys marked non-extractable
  • Step-up re-auth on sensitive actions
  • Push-2FA match number vs MFA fatigue
  • Per-item Require re-authentication flag
  • Screenshot / screen recording protection
  • Auto-lock + lock-on-hide
  • Phishing / typosquat warning on picker open
  • Panic lockout (repeat-fail throttle)

Notifications v2

  • Per-template × per-channel matrix
  • Channels: Email / In-app / Push / Browser
  • New device sign-in alert
  • Master password changed alert
  • Recovery code used alert
  • Share notifications (org / collection)
  • Extension connect / reveal / save / enroll events
  • Live SPA + mobile in-app toast
  • Cross-device preference sync
  • Server-side gate on every send
  • Audit trail on preference changes
  • Secure-alert defaults on
Contact

Pricing on request

AEU Pass is quoted per seat and per organization. Team size, escrow requirements, and self-hosted vs cloud all shape the price. Get in touch and we'll come back with a concrete number.

Contact form

Open the form

On-premise

Self-hosted deploys available

Typical response within one business day.

Download

Get AEU Pass

Signed binaries. No third-party stores. Install and sign in with your AEU email.

iOS 15+ Android 7+ Windows 10+ Firefox 100+

Common questions

Answers before you install

Short answers to the six questions people ask before switching password managers.

Is AEU Pass zero-knowledge?

Yes. Your master password never leaves the device. AEU Pass derives the vault key locally with Argon2id and encrypts every item with AES-256-GCM before it reaches the server. The server stores ciphertext and public metadata; it cannot decrypt your vault.

Does AEU Pass work offline?

Yes. Once unlocked, the app keeps an encrypted local cache. You can read and unlock without a network connection. When the device reconnects, changes sync back to the server automatically.

Can I share credentials with my team?

Yes. AEU Pass supports organizations with organizational units, groups, and collections (shared vaults). Roles are owner, editor, and viewer per grant. Every share and reveal is written to a tamper-evident audit log.

Does the browser extension work in Chrome?

The Firefox extension is available today and covers autofill, save + update, right-click generate strong password, and full WebAuthn passkey ceremonies from your vault. A Chrome / Edge build is on the roadmap.

How is push 2FA protected against MFA fatigue?

Every push approval shows a two-digit match number on the originating device. You must type it on the phone before Approve counts. Tapping Approve alone is not enough, so accidental or spammed approvals do not sign in.

Can AEU Pass be self-hosted?

Yes. The server binary embeds the web app and can run on any Linux host under systemd. Contact us for a per-seat quote that includes self-hosted deployment.