Your vault. Your keys. Your device.
Passwords, TOTP, and passkeys.
Zero-knowledge.
The master password never leaves your device. Every vault item is encrypted client-side with AES-256-GCM under an Argon2id-derived key. The server stores ciphertext it cannot read.
Everything a password manager should do
Passwords, TOTP codes, passkeys, and secure notes. Cross-device sync with a server that only sees ciphertext. Native apps on iOS, Android, and Windows. Firefox extension for autofill and passkey ceremonies.
Passwords + secure notes
Unlimited items with folders, tags, and per-item reprompt. Cross-device sync via encrypted blobs. Client-side search. Strength meter + built-in generator (random or passphrase, EFF short / large wordlists).
Built-in TOTP authenticator
RFC 6238 TOTP with SHA-1 / SHA-256 / SHA-512, 6 or 8 digits, custom periods. QR + otpauth URI import. Codes live alongside their login item so autofill can drop both in one click.
Passkeys (FIDO2 / WebAuthn)
Vault-stored passkeys work on any site. The extension intercepts navigator.credentials.create / .get and completes the ceremony from your vault. Hardware keys (YubiKey) supported as a second factor on the account itself.
Push 2FA
Approve sign-ins with one tap on a trusted device. Match-number check kills MFA-fatigue attacks. Backup codes + recovery flow so a lost phone never locks you out.
Firefox extension
Autofill, save, and update credentials. Right-click to generate a strong password into any field. Passkey ceremonies without leaving the tab. Zero credentials cached in the browser.
Sharing + organizations
Share items with collections, groups, and organizational units. Per-item audit log. Owner / editor / viewer roles. Escrow-key recovery for team account continuity.
Offline access
Encrypted offline cache. Read + unlock without a network. Server sync resumes on reconnect. Platform-authenticator (Face / Touch ID / Windows Hello) can gate the cache write for defence in depth.
Password intelligence
Real-time URL reputation check against Phishing.Database + VirusTotal. HIBP breach scan across your vault. Re-use + weak + expired flags. One-click rotate via the site's `/.well-known/change-password` page.
Import / export
CSV import from Bitwarden, 1Password, LastPass, KeePass, Chrome, Firefox, Safari. Encrypted vault export as a portable .aeubak-vault file for disaster recovery.
Native iOS + Android + Windows
Flutter apps on all three platforms. Biometric unlock. System autofill on iOS + Android. Screenshot protection. Push notifications for sign-ins and vault activity.
Zero-knowledge by design
Master password derives the vault key via Argon2id (M=64 MiB, t=3). The server stores AES-256-GCM ciphertext, HMAC session tokens, and public metadata. It never sees your master password or plaintext.
Audit trail + activity feed
Every reveal, save, share, unlock, and admin action is logged with device + IP + user agent. SHA-256 hash-chained rows detect tampering. Live activity feed on every device.
Real cryptography. In plain code you can audit.
Every algorithm below is standard, published, and constant-time. No hand-rolled crypto in the hot path. WebCrypto on the browser, PointyCastle + platform APIs on mobile.
Master password KDF
- Argon2id memory-hard KDF (M=64 MiB, t=3, p=1)
- 32-byte random salt per account, stored server-side
- Derived vault key never leaves the client process
- WASM implementation in-browser; native on mobile
Vault ciphertext at rest
- AES-256-GCM authenticated encryption
- 96-bit random nonce per item
- 128-bit auth tag; server-side tamper detection
- Server stores ciphertext + metadata only
Extension bridge (SPA to browser)
- HMAC-SHA256 signed, origin-bound tokens
- Single-use, 5-30s TTL, MessageChannel private port
- Per-origin rate limit (30 lookup, 10 reveal per min)
- Sender URL check + non-extractable WebCrypto keys
What ships in the box
Every feature is live in production. No planned / coming-soon items in this list.
Vault + zero-knowledge
- Argon2id KDF (64 MiB, 3 iterations)
- AES-256-GCM ciphertext at rest
- Master password never leaves device
- Encrypted offline cache with TTL
- Biometric unlock (Face / Touch ID)
- Auto-lock with idle timeout
- Lock-on-hide (iOS + Android)
- Per-item re-authentication flag
- Screenshot / recorder protection
- Client-side search + tag filter
- Encrypted vault export (.aeubak-vault)
- Escrow-key account recovery
Credentials + authentication
- Password + username + URL + notes
- Built-in TOTP (RFC 6238)
- Passkeys (FIDO2 / WebAuthn) in vault
- Password generator (random or passphrase)
- EFF short / large wordlists
- Strength meter + zxcvbn score
- Push 2FA with match-number check
- Recovery codes (single-use)
- WebAuthn 2FA (YubiKey + platform)
- Custom fields (per item)
- HIBP breach scan
- One-click password rotate
Extension + autofill
- Firefox extension (Chrome coming)
- Inline credential picker
- Auto-advance multi-step logins
- Save + update dialog
- Passkey ceremonies without leaving tab
- Right-click generate strong password
- Per-domain allow / blocklist
- Phishing / typosquat warning
- Native iOS + Android autofill
- Cross-device sync of preferences
- Full theme parity with SPA
- Extension bridge with 4-layer defense
Sharing + teams
- Organizations + organizational units
- Groups with role hierarchy
- Collections (shared vaults)
- Owner / editor / viewer per grant
- Per-item audit history
- Move personal to shared / back
- Server-generated share notifications
- URL reputation intel (Phishing.Database + VT)
- Admin panel (users / audit / settings)
- Rate limits per user and per class
- GeoIP audit + hostile-network block
- SSO via MyAEU cross-app auth
Import + export
- Bitwarden JSON + CSV
- 1Password 1PIF
- LastPass CSV
- KeePass XML + CSV
- Chrome / Firefox / Safari CSV
- Advanced CSV column mapping
- Duplicate detection on import
- Import to personal or shared
- Encrypted export (.aeubak-vault)
- Passphrase-protected backup
- AES-256-GCM at 1M PBKDF2 iterations
- Restore into any AEU Pass install
Platforms + sync
- iOS (iPhone + iPad, iOS 15+)
- Android (7.0+)
- Windows (10 + 11)
- Web app (any modern browser)
- Firefox extension (Chrome coming)
- Live WebSocket sync (sub-second)
- Encrypted offline access
- Themes: dark, light, AMOLED, sepia, high-contrast, Cryptid
- Push notifications (foreground)
- Cross-device settings sync
- Per-screen list view preference
- Dashboard activity feed
Administration + monitoring
- Server-wide dashboard (uptime, upstream, DB stats)
- User management (roles, quarantine, reset password)
- Rotate secret + disable 2FA + bulk purge
- Devices + sessions view + revoke any session
- Full-audit log with SHA-256 hash chain
- Access + activity feed (per-user, per-org)
- Rate limits per class (auth, vault, admin, notify, etc.)
- GeoIP audit + hostile-network auto-block
- Server settings catalog (branding, security, features)
- Push-2FA history + fatigue lockout
- Live event bus + WS subscribers panel
- Hostname migration tool + broadcast notice
Password health + intelligence
- URL reputation (Phishing.Database + VirusTotal)
- HIBP breach scan across every stored password
- Under-watch list per vault item
- Weak / reused / breached / expired flags
- zxcvbn score + strength meter
- One-click rotate via /.well-known/change-password
- Auto-scan interval (admin-configurable)
- Live "flagged" push when a new verdict lands
- Only SHA-256 hash of hostname uploaded
- URL text stays encrypted client-side
- Per-item watch toggle
- Password expiry policy (per item)
Security defenses
- 4-layer extension bridge (HMAC + port + rate + URL)
- Single-use tokens with 5-30s TTL
- Origin-bound token verification
- Per-origin rate limit (30 lookup, 10 reveal per min)
- WebCrypto keys marked non-extractable
- Step-up re-auth on sensitive actions
- Push-2FA match number vs MFA fatigue
- Per-item Require re-authentication flag
- Screenshot / screen recording protection
- Auto-lock + lock-on-hide
- Phishing / typosquat warning on picker open
- Panic lockout (repeat-fail throttle)
Notifications v2
- Per-template × per-channel matrix
- Channels: Email / In-app / Push / Browser
- New device sign-in alert
- Master password changed alert
- Recovery code used alert
- Share notifications (org / collection)
- Extension connect / reveal / save / enroll events
- Live SPA + mobile in-app toast
- Cross-device preference sync
- Server-side gate on every send
- Audit trail on preference changes
- Secure-alert defaults on
Pricing on request
AEU Pass is quoted per seat and per organization. Team size, escrow requirements, and self-hosted vs cloud all shape the price. Get in touch and we'll come back with a concrete number.
On-premise
Self-hosted deploys availableTypical response within one business day.
Get AEU Pass
Signed binaries. No third-party stores. Install and sign in with your AEU email.
iOS 15+ Android 7+ Windows 10+ Firefox 100+
Answers before you install
Short answers to the six questions people ask before switching password managers.
Is AEU Pass zero-knowledge?
Yes. Your master password never leaves the device. AEU Pass derives the vault key locally with Argon2id and encrypts every item with AES-256-GCM before it reaches the server. The server stores ciphertext and public metadata; it cannot decrypt your vault.
Does AEU Pass work offline?
Yes. Once unlocked, the app keeps an encrypted local cache. You can read and unlock without a network connection. When the device reconnects, changes sync back to the server automatically.
Can I share credentials with my team?
Yes. AEU Pass supports organizations with organizational units, groups, and collections (shared vaults). Roles are owner, editor, and viewer per grant. Every share and reveal is written to a tamper-evident audit log.
Does the browser extension work in Chrome?
The Firefox extension is available today and covers autofill, save + update, right-click generate strong password, and full WebAuthn passkey ceremonies from your vault. A Chrome / Edge build is on the roadmap.
How is push 2FA protected against MFA fatigue?
Every push approval shows a two-digit match number on the originating device. You must type it on the phone before Approve counts. Tapping Approve alone is not enough, so accidental or spammed approvals do not sign in.
Can AEU Pass be self-hosted?
Yes. The server binary embeds the web app and can run on any Linux host under systemd. Contact us for a per-seat quote that includes self-hosted deployment.