KEMLatch
Lock the seed. Keep the time.

Post-quantum protected TOTP

KEMLatch generates the standard 6–8 digit two-factor codes you already use — and locks the underlying secret behind NIST post-quantum cryptography, so a stolen backup can’t be opened even by a future quantum computer.

iOS 26+ · Coming to the App Store

Works everywhere

Fully RFC 6238 / RFC 4226 compatible TOTP & HOTP. Add accounts by scanning a QR code or entering a key — compatible with every service you already use.

Post-quantum backups

Encrypted .kemlatch backups are AES-256-GCM sealed, ML-KEM key-wrapped, and ML-DSA-65 signed. Tamper-evident and rollback-protected.

No accounts, no tracking

No sign-up, no analytics, no ads, no third-party SDKs. Codes never leave your device. Works fully offline.

Hardware-backed vault

Secrets sit in an encrypted vault whose key lives in the Secure Enclave / Keychain, unlocked with Face ID or Touch ID.

See what it looks like

Standard 2FA codes with a countdown, add accounts by QR or by hand, and export post-quantum encrypted backups.

KEMLatch account list showing live two-factor codes with countdown rings
Live codes at a glance
Add an account by scanning a QR code or entering a key
Scan a QR or add manually
Create an encrypted, post-quantum signed backup
Encrypted, signed backups

Why “post-quantum TOTP”?

The one-time codes stay classical and standard — that’s what keeps KEMLatch compatible with every service. Post-quantum cryptography (ML-KEM, ML-DSA) is applied where it matters: enrollment, storage, backup and distribution of the secret. So your codes keep working, and the seed stays locked for the long term.