Auto-Fill
FactorCat auto-fills 2FA codes in your browser after you approve on your phone. Domain matching, clipboard fallback, and the extension never holds your secrets.
After you approve a push request on your phone, the FactorCat browser extension fills the MFA code directly into the page. No copying, no typing, no switching apps.
How auto-fill works
- The extension detects an MFA input field on the current page
- It matches the field to one of your factors by domain
- After approval (or automatically, depending on your vault settings), the extension receives the TOTP code
- The code is inserted into the input field automatically
The extension handles both the current code and the next code — if the current code is about to expire, it waits and fills the next one instead, so you never submit an expired code.
Domain matching
The extension matches factors to websites using the domain stored in each factor’s metadata. When you add a factor for github.com, the extension knows to offer that code on any page at github.com.
- Exact domain matches are tried first (
github.commatchesgithub.com) - Subdomain matching also works (
accounts.google.commatches a factor stored forgoogle.com) - If multiple factors match the same domain, the extension shows all matches and lets you pick
You can edit factor domains in the mobile app or web dashboard if the automatic detection got it wrong.
Clipboard fallback
If auto-fill can’t insert the code — non-standard form implementations, iframes, shadow DOM, or dynamically injected fields — the extension falls back to displaying the code in its popup:
- The code appears in the extension popup, ready to copy
- Click the code to copy it to your clipboard
- The code stays visible after copying — you can glance back at it if needed
- When the current code expires, the display automatically rolls to the next code
You always have a way to get the code, even on sites where auto-fill can’t reach the input field.
Code visibility and rollover
Whether auto-filled or displayed in the popup, the extension handles code expiration for you:
- The current code and its expiration countdown are always visible
- When the code expires, the next code appears automatically — no need to re-trigger an approval
- The approval response includes both the current and next TOTP codes, so rollover is instant with no additional network request
Security — the extension never holds secrets
The FactorCat extension is a display and auto-fill surface. It does not store TOTP secrets, encryption keys, or master keys. Here’s what it can and can’t see:
| The extension sees | The extension never sees |
|---|---|
| The computed 6-digit TOTP code (after approval) | Your TOTP secret |
| Factor metadata (site name, domain) | Your master key (Locked Vault) |
| Which factors match the current domain | Encryption keys |
The code the extension receives is a one-time 6-digit value that expires in 30 seconds. Even if the extension were compromised, an attacker would get a single expiring code — not the secret that generates all future codes.
For more on FactorCat’s security architecture, see the security page.
If the extension isn’t detecting MFA fields on a specific site, see Troubleshooting. For how approval works before auto-fill, see Push Approval.