KEMLatch generates the standard 6–8 digit two-factor codes you already use — and locks the underlying secret behind NIST post-quantum cryptography, so a stolen backup can’t be opened even by a future quantum computer.
Fully RFC 6238 / RFC 4226 compatible TOTP & HOTP. Add accounts by scanning a QR code or entering a key — compatible with every service you already use.
Encrypted .kemlatch backups are AES-256-GCM sealed, ML-KEM key-wrapped, and ML-DSA-65 signed. Tamper-evident and rollback-protected.
No sign-up, no analytics, no ads, no third-party SDKs. Codes never leave your device. Works fully offline.
Secrets sit in an encrypted vault whose key lives in the Secure Enclave / Keychain, unlocked with Face ID or Touch ID.
Standard 2FA codes with a countdown, add accounts by QR or by hand, and export post-quantum encrypted backups.



The one-time codes stay classical and standard — that’s what keeps KEMLatch compatible with every service. Post-quantum cryptography (ML-KEM, ML-DSA) is applied where it matters: enrollment, storage, backup and distribution of the secret. So your codes keep working, and the seed stays locked for the long term.