At Energma, we build systems we trust. Citadel Auth is the product that started because we couldn't find a 2FA app that met our own standard, and we ended up with an open-source, offline-first authenticator we're proud to ship.

The mainstream 2FA market has a structural contradiction: apps designed to protect your accounts quietly introduce their own weaknesses. Through cloud sync, your secrets live on infrastructure you don't control. Account requirements link your identity permanently to your tokens. Closed-source codebases mean the security model is a promise, rather than a proof.
Authentication is load-bearing infrastructure, and most teams treat it like an afterthought. For engineers managing credentials across multiple environments, professionals handling accounts for multiple companies, or enterprises with strict data residency requirements, a cloud-synced, account-tied 2FA is a liability. Citadel Auth gives teams a 2FA solution they can actually audit, control, and trust without depending on a third party to keep it safe.
Citadel Auth uses "Profiles" — high-level containers for separate contexts like Personal, Work, or Client — with "Groups" inside each profile for granular token categorization. Tokens can be pinned, tagged, and searched across all profiles simultaneously.

Built on a Zero-Knowledge architecture, there are no external accounts, no cloud sync, and no telemetry. Your 2FA secrets live on your device, encrypted locally with AES-256-GCM, and nowhere else. The master password is never stored and is unrecoverable by design. Lose it, and the vault is sealed.
The app is RFC-compliant, supporting TOTP (RFC 6238) and HOTP (RFC 4226) with configurable SHA-1, SHA-256, and SHA-512 algorithms, custom digit counts and time periods, and native Steam Guard support. Tokens can be added by QR scan, manual entry, or URI import, fully compatible with migrations from Aegis, 2FAS, and Ente Auth. Data is encrypted at the file level via SQLCipher, protected by its built-in PBKDF2-HMAC-SHA512 key derivation, and exported backups go a step further, re-encrypted with an Argon2id-derived key before export. Biometric unlock and auto-lock are built in, with the security layer fully separated from the UI.
This is the standard we hold ourselves to, and Citadel Auth is coming soon to the App Store and Google Play. Meanwhile, explore the open-source repo on our GitHub.
Talk to one of our solution experts and start the journey.
Book the Call