Contactless OTP manager TOTP HOTP EviCypher technology by Freemindtronic Andorra innovation

EviOTP NFC HSM Manager

Offline, contactless, and zero-trust OTP custody: TOTP/HOTP secrets stay encrypted inside the NFC HSM, while passcodes are generated RAM-only.

Proof: Core NFC HSM Architecture

EviOTP is not a writable NFC token nor a programmable OTP gadget. It is built on the EVICORE NFC HSM architecture, which physically and logically isolates OTP private keys inside a protected EEPROM and executes cryptographic operations inside a secure hardware boundary.

Secrets never transit through, persist on, or depend on the host device. The smartphone acts strictly as an untrusted display surface. → EVICORE NFC HSM – The Technology

  • Offline OTP Key Vault: Encrypted TOTP/HOTP private keys stored in EEPROM inside the NFC HSM.
  • RAM-only Generation: One-time codes generated on demand in volatile memory—no permanent traces.
  • Zero-Trust Host: The phone is treated as an untrusted display surface, not a secret holder.
  • No USB / No Bluetooth: Reduced attack surface; fully contactless NFC operation.

Security validity conditions (must remain true)
  • No secret material persists on the host device.
  • No host-side identifiers are required to “make it work”.
  • Stop conditions are enforced when assumptions are not met.
  • “No dedicated app” is not a guarantee: claims depend on where secrets exist and when they are decrypted.
Detailed architectural assumptions and security boundaries are described in EVICORE NFC HSM – The Technology.

Up to 100 encrypted TOTP/HOTP keys
SHA-1 / SHA-256 / SHA-512 (HMAC)
< 3 seconds QR import & ready to use
Serverless / Cloudless MFA

Read the full technical description

EviOTP NFC HSM Manager is an offline TOTP/HOTP private key manager (SHA-1, SHA-256, SHA-512) and contactless HOTP manager designed as an NFC HSM OTP vault. It stores encrypted TOTP/HOTP private keys in EEPROM and generates one-time codes on demand in volatile (RAM-only) memory, making it ideal for serverless 2FA, air-gapped authentication, and zero-trust MFA without cloud, USB, or Bluetooth.

The EviOTP NFC HSM Manager offers a cutting-edge, contactless hardware solution to manage one-time passwords (OTP), PINs, and One-Time Authorisation Codes (OTACs) with unmatched security. Each code remains valid for only one session or transaction, ideal for high-assurance two-factor authentication (2FA). OTP generation is requested via NFC, but the host phone is treated as an untrusted display surface.

Thanks to its fully offline design, it stores up to 100 encrypted TOTP and HOTP private keys directly in the NFC HSM EEPROM. Secrets remain physically isolated from any software environment, protecting them from malware and data leaks. QR imports remain seamless across common OTP ecosystems while secrets stay encrypted and isolated inside the NFC HSM.

When a user requests a TOTP or HOTP code, it is generated securely on demand in volatile memory on an NFC Android phone—and never written to permanent storage. Users can import an OTP secret in less than 3 seconds by scanning a QR code, assigning it a name, and using it immediately.

The design avoids USB and Bluetooth to reduce attack surface. However, “no dedicated app” is not a security guarantee; claims rely on where secrets exist, when they are decrypted, and how invalid conditions are handled. Ultimately, it functions as a powerful encrypted OTP key vault and offline TOTP manager for critical environments—without compromising usability or digital sovereignty.

Embedded in PassCypher NFC HSM (Lite & Master)

EviOTP is embedded directly inside the PassCypher NFC HSM line, enabling a contactless TOTP/HOTP manager and offline OTP vault within sovereign security workflows.

  • Embedded OTP custody: Manage TOTP/HOTP secrets kept encrypted in NFC HSM EEPROM.
  • RAM-only OTP generation: Codes are generated on demand in volatile memory, minimizing persistent traces.
  • Serverless and cloudless: Designed to avoid third-party trust, cloud sync, and external identity dependencies.

What this enables
  • Hardware password manager with built-in TOTP.
  • Passwordless manager workflows with offline OTP when OTP is required.
  • Quantum-resistant security workflow that avoids third-party trust.

Real-world needs strengthened by the embedded design
Offline TOTP manager hardware, contactless 2FA token manager, NFC HSM TOTP vault, air-gapped OTP sharing, and serverless multi-factor authentication — without exposing secrets to operating systems, cloud sync, or third-party trust.

Quantum-Resistant Passwordless Manager (Intersec Awards 2026)

PassCypher positions these capabilities inside a passwordless model emphasizing RAM-only handling of sensitive material. → Intersec Awards 2026 finalist announcement

Read the full technical narrative

Moreover, Freemindtronic embeds the EviOTP NFC HSM Manager technology directly inside the PassCypher NFC HSM product line. Therefore, you can run a contactless TOTP manager and offline OTP vault inside a hardware device designed for sovereign security workflows. In other words, PassCypher integrates EviOTP so you can manage TOTP/HOTP secrets, keep them encrypted in NFC HSM EEPROM, and generate OTP codes on demand in volatile (RAM-only) memory — while staying serverless and cloudless.

Consequently, PassCypher works as a hardware password manager with built-in TOTP, a passwordless manager with offline OTP, and a quantum-resistant security workflow that avoids third-party trust. This embedded design strengthens real-world needs without exposing secrets to operating systems, cloud sync, or third-party trust.

In addition, PassCypher positions these capabilities inside a Quantum-Resistant Passwordless Manager approach, emphasizing RAM-only handling of sensitive material.

NFC Hardware Wallet OTP Token

New encryption end-to-end contactless token manager

Contactless OTP Manager Application

The OTP token manager function is integrated in the EviCypher application from Freemindtronic.

Contactless OTP Manager supports both types of OTP: the time-based TOTP and the counter-based HOTP.

Below is the application version history. It does not imply any required cloud dependency for OTP secret custody or OTP generation.

1.7.0 EviCypher by Freemindtronic application NFC phone Android

First version December 25, 2022

Features

  • Added support for OTP Token (TOTP)

TOTP/HOTP compatibility and offline OTP manager keywords

This offline TOTP authenticator and contactless OTP generator supports RFC 6238 TOTP and RFC 4226 HOTP, including SHA-1 / SHA-256 / SHA-512. It fits common needs such as hardware TOTP token without USB, air-gapped OTP vault, NFC security key for OTP, and serverless MFA for critical systems.

New International Innovation – 2022 and Beyond

The EviOTP NFC HSM Manager breaks away from all traditional OTP and HOTP solutions. Protected by two international patents, this technology secures your one-time password secrets entirely offline, without storing them on a computer, mobile phone, or remote server.

Each secret key is stored encrypted in the NFC HSM module and used only on demand to generate OTP codes directly in the volatile memory of an NFC Android phone — never permanently stored or exposed.
The device fits in your pocket and works autonomously, giving you fast, contactless, and zero-trust 2FA authentication anywhere, anytime.

Unlike other digital or hardware tokens, EviOTP NFC HSM Manager supports advanced trust criteria for each key. You can restrict usage by PIN, geolocation, phone ID, and more.
You can even share OTP keys securely between remote devices using RSA-4096 encrypted QR codes — a true human-to-human encryption model that ensures complete control over your credentials.

Secure control of the entire value chain

To ensure the absolute security of the EviOTP NFC HSM Manager, Freemindtronic fully designs, develops, and manufactures every element of the solution — from software and apps to embedded systems, electronic design, and production tools. This guarantees total sovereignty over the full value chain — from concept to final product — with no dependency on third-party vendors.

Hybrid physical and digital security

The EviOTP NFC HSM Manager uses an ISO/IEC 15693 NFC component to physically secure access to stored secrets.
The system encrypts OTP keys with embedded trust criteria, which the user can partially define. Most importantly, it never stores at least one of those criteria inside the device, ensuring that even if physical protection is compromised, the OTP secret remains inaccessible — and therefore effectively resists invasive attacks.

Unique Added Values of EviOTP NFC HSM Manager

Real-World Use Cases of EviOTP NFC HSM Manager

Here are real scenarios where the EviOTP NFC HSM Manager provides unmatched value:

Why NFC-programmable OTP tokens are not OTP key vaults

  • NFC provisioning ≠ zero-trust: most programmable tokens still trust the host or embed a single immutable secret.
  • One token = one secret: common hardware OTP tokens cannot manage dozens of independent OTP keys with policies.
  • No air-gapped sharing: programmable tokens typically lack encrypted, human-to-human secret transfer mechanisms.

EviOTP NFC HSM differs fundamentally by acting as a multi-secret NFC HSM OTP vault, with encrypted storage, policy enforcement, and RSA-4096 air-gapped sharing.

Comparative Table — OTP Key Managers (TOTP/HOTP Tokens)

This comparison is intentionally limited to solutions that store TOTP/HOTP secrets and generate OTP codes locally as a token (hardware or software). Security keys, password managers with built-in TOTP, and server-dependent OTP infrastructures are covered separately below to avoid scope confusion.

| Feature / Solution | EviOTP NFC HSM Manager | Feitian c200 / c300 | SmartOTP Pro (Token2) | Google Authenticator | Aegis Authenticator | FreeOTP+ |
|---|---|---|---|---|---|---|
| Offline operation (no server required) | ✓ Native | ✓ Native | ✓ Native | ✓ App-based (offline, but phone-dependent) | ✓ App-based (offline, but phone-dependent) | ✓ App-based (offline, but phone-dependent) |
| Secret storage location | Encrypted inside NFC HSM (EEPROM) | Inside hardware token (model-dependent) | Inside hardware token | Inside phone storage | Inside phone storage (supports encrypted backups) | Inside phone storage |
| Host device trusted? | No (host treated as untrusted display) | Partial (depends on workflow) | Partial (depends on workflow) | Yes (phone is the secret holder) | Yes (phone is the secret holder) | Yes (phone is the secret holder) |
| Contactless NFC usage | ✓ Primary | Model-dependent | Typically no / model-dependent | N/A (app) | N/A (app) | N/A (app) |
| RAM-only OTP generation/display | ✓ RAM-only display model | N/A / token-generated | N/A / token-generated | No (app runtime + OS persistence risks) | No (app runtime + OS persistence risks) | No (app runtime + OS persistence risks) |
| USB / Bluetooth required | No | Model-dependent | No (token) | No | No | No |
| Cloud sync | No (by design) | No (by default) | No (by default) | Possible (Google account / device backup dependent) | Optional (backup/export dependent) | Optional (backup/export dependent) |
| Secure key sharing (air-gapped) | ✓ Encrypted QR sharing (RSA-4096) | No / limited | No / limited | No (manual / screenshot risks) | Partial (export/backup workflows) | Partial (export/backup workflows) |
| Import via QR code | | Depends (often provisioning only) | Depends (often provisioning only) | | | |
| HOTP support (RFC 4226) | | Model-dependent | Model-dependent | Partial / app-dependent | ✓ (commonly supported) | ✓ (commonly supported) |
| TOTP support (RFC 6238) | | | | | | |
| Hash options (SHA-1 / SHA-256 / SHA-512) | ✓ Automatic | Model-dependent | Model-dependent | Partial / app-dependent | ✓ (commonly supported) | ✓ (commonly supported) |
| Multi-criteria access control (PIN, geo, device rules…) | ✓ Trust-criteria model | Limited | Limited | OS-level only | OS-level + app options | OS-level + app options |
| Open-source | No | No | No | No | | |
| Best fit | Sovereign offline OTP custody + sharing | Classic hardware OTP use | Classic hardware OTP use | Convenience OTP on phone | Power users on Android | Open-source OTP app users |

Note: competitor capabilities vary by model/version. “Model-dependent” indicates features that are not consistently available across editions or workflows.

Not OTP Tokens — Frequently Confused Solutions

These solutions are often mentioned in the same conversations, but they do not match the same threat model.
They may handle authentication, secrets, or second factors — yet they are not equivalent to a TOTP/HOTP token that stores a secret and generates OTP codes locally.

| Solution category | Typical products | Why it is different from a TOTP/HOTP token |
|---|---|---|
| Password managers with built-in TOTP | 1Password, Bitwarden, LastPass class | TOTP is an auxiliary feature inside a trusted software vault. Secrets and codes depend on a trusted host and often cloud sync, which is a different risk model. |
| Server-dependent enterprise OTP | Centralized OTP infrastructures | Typically requires backend enrollment, policies, and lifecycle management. This is not sovereign offline custody and not optimized for air-gapped workflows. |
| Push-based authenticators | Approval apps (push) | Uses online approval flows instead of local OTP generation from a shared secret, which changes failure modes and dependencies. |

Summary OTP NFC HSM Manager

Unlike all software apps and most hardware competitors:

  • EviOTP NFC HSM belongs to a rare class of fully contactless, offline OTP key vaults.
  • No USB, no trust in the host phone or computer, no cloud dependency.
  • It uniquely combines hardware-level isolation with secure, human-to-human encrypted key sharing and multi-factor trust conditions.

As a sovereign, contactless hardware solution, the EviOTP NFC HSM Manager relies on the EVICORE NFC HSM security core. Its architecture, cryptographic boundaries, and regulatory alignment are fully documented and auditable. Security is not achieved through software trust or cloud dependency, but through hardware isolation, standard-compliant cryptography, and zero-trust host assumptions. → EVICORE NFC HSM – Security, Standards & Regulatory Alignment

GDPR-Aligned by Design

  • The system never collects, stores, or transmits personal data.
  • No user identification, account creation, or metadata tracking.
  • 100% local use with zero server dependency.
  • HMAC SHA-1, SHA-256 & SHA-512 — automatic support for TOTP/HOTP private keys

Fully aligned with the principles of the General Data Protection Regulation (GDPR), including data minimization, privacy by design, and sovereignty of use.

Standards-Compliant Implementation

The team developed the product in strict adherence to internationally recognized standards, including:

  • ISO/IEC 15693 — for contactless NFC communication
  • AES-256 — for OTP encryption and storage
  • RSA 4096 — for secure key sharing via encrypted QR code
  • RFC 6238 & RFC 4226 — for compatibility with TOTP and HOTP
  • Hash support (automatic): SHA-1, SHA-256, SHA-512 — for TOTP/HOTP private keys

Ready for Civil and Defense Applications

  • Designed to meet the needs of critical infrastructure, defense, diplomacy, and regulated sectors
  • Developed without reliance on foreign technologies or third-party infrastructures
  • Follows principles of Zero Trust, Zero Knowledge, and Air Gap capability

The EviOTP NFC HSM Manager is a trusted-by-design solution, engineered to operate in extreme conditions with no compromise on confidentiality or operational independence.

FAQ – EviOTP NFC HSM Manager

Answers about this offline, contactless TOTP/HOTP private key manager and its NFC HSM–based OTP vault architecture designed for serverless authentication.

In simple terms

In simple terms, EviOTP NFC HSM Manager acts as an offline TOTP/HOTP manager that securely encrypts and isolates OTP private keys inside an NFC Hardware Security Module. As a result, it generates one-time passcodes on demand without relying on cloud services, USB connections, or Bluetooth pairing.

Private key storage location

Yes. EviOTP actively stores encrypted TOTP and HOTP private keys inside the NFC HSM EEPROM. Therefore, it keeps secrets fully isolated from operating systems, mobile applications, and malware-prone environments.

Supported hash algorithms

EviOTP natively supports TOTP and HOTP private keys using HMAC SHA-1, SHA-256, and SHA-512. Consequently, organizations can migrate existing OTP secrets seamlessly across common authenticator ecosystems and enterprise MFA deployments.

Standards compliance

Yes. EviOTP fully complies with RFC 6238 (TOTP) and RFC 4226 (HOTP). At the same time, it preserves offline operation and HSM-grade private key isolation, even in high-risk or restricted environments.

RAM-only display model

When a user requests an OTP, EviOTP generates and displays the code exclusively in volatile memory on a compatible NFC-enabled Android phone. Therefore, the system never writes secrets or passcodes to persistent storage, logs, or caches.

Import and migration

Yes. EviOTP allows direct import of OTP secrets by scanning standard QR codes. Moreover, because it supports SHA-1, SHA-256, and SHA-512, it simplifies migration from legacy authenticators to a secure, offline OTP vault.

Offline operation

Yes. EviOTP operates entirely without internet connectivity. Consequently, it fits serverless MFA, cloudless authentication, air-gapped infrastructures, and sovereign security environments.

Air-gapped sharing

EviOTP secures OTP sharing through RSA-4096 encrypted QR codes. As a result, users can transfer secrets safely via visual channels, including webcam scanning or printed QR codes, without breaking the air gap.

Integration in PassCypher devices

Yes. Freemindtronic directly embeds EviOTP technology into PassCypher NFC HSM Lite and PassCypher NFC HSM Master. Therefore, these devices function as hardware password managers with built-in TOTP/HOTP and an offline OTP private key vault.

Relationship to passwordless strategy

PassCypher positions itself as a quantum-resistant passwordless manager with a FIDO-free and RAM-only security model. In this context, EviOTP complements passwordless workflows by securing OTP private keys offline whenever OTP-based MFA remains required.

Hardware security boundary

EviOTP relies on the EVICORE NFC HSM architecture, which physically isolates OTP private keys inside a protected EEPROM and enforces cryptographic operations within a secure hardware boundary. Unlike writable NFC tokens, secrets never leave the HSM and never persist on host devices.

Standards and cryptography

EviOTP implements ISO/IEC 15693 for contactless communication, AES-256 for encrypted OTP storage, RSA-4096 for air-gapped secret sharing, and RFC 6238 / RFC 4226 for TOTP and HOTP compatibility. This alignment is documented in the EVICORE NFC HSM security framework.

Glossary

Key terms related to offline TOTP/HOTP authentication, NFC HSM security, and serverless identity protection.

Definition

Time-based One-Time Password. This mechanism derives a unique authentication code from a shared secret and time steps, as defined by RFC 6238.

Definition

HMAC-based One-Time Password. This model generates OTPs using a counter and a shared secret, in accordance with RFC 4226.

Definition

The OTP private key serves as the cryptographic secret used to generate one-time passwords. Therefore, protecting this key remains the core security requirement of any OTP system.

Definition

These cryptographic hash algorithms secure HMAC-based OTP computation. EviOTP accepts private keys configured with SHA-1, SHA-256, or SHA-512 by default.

Definition

Near Field Communication. This short-range, contactless technology enables secure interaction with the NFC HSM without physical connectors.

Definition

A contactless hardware security module that securely stores secrets and enforces protected cryptographic operations, enabling an offline OTP key vault architecture.

Definition

Non-volatile memory that stores encrypted OTP private keys securely inside the NFC HSM.

Definition

A security model where systems process sensitive data exclusively in volatile memory, ensuring no secrets persist after execution.

Definition

An operational model that eliminates reliance on cloud services or remote servers, thereby reducing external attack surfaces.

Definition

A security strategy that physically isolates systems from networks. EviOTP supports air-gapped authentication through encrypted QR-based workflows.

Definition

A QR-based transfer mechanism secured with RSA-4096 encryption, enabling protected OTP sharing across online and offline environments.

Definition

A security model that assumes no implicit trust and enforces strict validation, isolation, and continuous verification of secrets.

Definition

Authentication approaches that eliminate reusable passwords. In this ecosystem, PassCypher promotes passwordless access, while EviOTP secures OTP private keys offline when OTP remains necessary.