Lockat is a privacy-first two-factor authentication app for iOS, born out of a challenge at the Apple Developer Academy: take an idea from zero and ship it as a real product on the App Store. We landed on 2FA after a round of competitor research that turned up something surprising: most of the existing apps felt half-finished, missing simple quality-of-life touches like A–Z sorting or folder organization. That gap looked like a good place to plant a flag.
The product strategy followed from there. We kept everything that matters for staying safe, including code generation, importing, and exporting, completely free and fully functional. We reserved the more advanced organization and customization features for a subscription tier. The reasoning was straightforward: nobody should have to pay to protect their accounts, but people who wanted a more considered tool would have something worth paying for.
Under the hood, secrets live on-device in the iOS Keychain, guarded by Apple's hardware-level encryption, while non-sensitive metadata syncs through iCloud so codes follow you across iPhone, iPad, and Mac. The Mac version ships through 'Designed for iPad' mode, which let a small team cover three platforms from a single SwiftUI codebase without losing the native feel. Face ID, Touch ID, and passcode locking are wired in through LocalAuthentication, and the TOTP generator itself is a clean, RFC 6238–compliant implementation on top of CryptoKit. There's also a one-tap migration path from Google Authenticator, which turned out to be the single feature that mattered most during onboarding.
Commercially, Lockat didn't take off. The 2FA category is dominated by free apps that users already trust. Breaking through that is hard, and it proved more difficult than we originally planned. What I take away from the project, though, is real: a hands-on understanding of Apple's security stack, the discipline of scoping a product down to what a small team can actually finish and ship, and a much sharper sense of the gap between a good idea on paper and something people will install over the app they already have. Those lessons are quietly running in the background of everything I've built since, and I think that's worth more than the launch numbers.
tech stack
SwiftUI: native UI framework
Keychain: secure secret storage
iCloud: metadata synchronization
CryptoKit: RFC 6238 compliant TOTP
code snippets
The core of Lockat is an RFC 6238 TOTP generator built on CryptoKit. The time-step counter is the floor of Unix time divided by the period; it is encoded big-endian and HMAC'd with the user's secret using the configured hash, and the result is dynamically truncated into a digit code as the spec describes. The period, digit count, and timestamp are clamped so a misbehaving time source or a malformed entry cannot crash the generator.

import Foundation
import CryptoKit

// TOTPAlgorithm is referenced by the snippet but not shown on the page; this
// minimal enum is assumed here so the function compiles on its own.
enum TOTPAlgorithm {
    case sha1, sha256, sha512
}

enum TOTPGenerator {
    static func generateCode(
        secret: Data,
        algorithm: TOTPAlgorithm,
        digits: Int,
        period: Int,
        date: Date = .now
    ) -> String {
        // Clamp inputs: a zero period, an absurd digit count or a pre-1970 clock
        // must not crash the generator.
        let safePeriod = max(1, period)
        let safeDigits = max(1, min(9, digits))
        let timestamp = max(0, date.timeIntervalSince1970)

        // RFC 6238: the HOTP counter is floor(unixTime / period), as 8 big-endian bytes.
        let counter = UInt64(timestamp) / UInt64(safePeriod)
        var bigEndianCounter = counter.bigEndian
        let counterData = withUnsafeBytes(of: &bigEndianCounter) { Data($0) }

        // HMAC the counter with the shared secret using the configured hash.
        let key = SymmetricKey(data: secret)
        let hmacBytes: [UInt8]
        switch algorithm {
        case .sha1:
            hmacBytes = Array(HMAC<Insecure.SHA1>.authenticationCode(for: counterData, using: key))
        case .sha256:
            hmacBytes = Array(HMAC<SHA256>.authenticationCode(for: counterData, using: key))
        case .sha512:
            hmacBytes = Array(HMAC<SHA512>.authenticationCode(for: counterData, using: key))
        }

        // RFC 4226 dynamic truncation: the low nibble of the last byte selects a
        // 4-byte window; the top bit is masked off to keep the value positive.
        guard hmacBytes.count >= 4, let last = hmacBytes.last else {
            return String(repeating: "0", count: safeDigits)
        }
        let offset = Int(last & 0x0F)
        guard offset + 3 < hmacBytes.count else {
            return String(repeating: "0", count: safeDigits)
        }
        let truncated: UInt32 =
            (UInt32(hmacBytes[offset] & 0x7F) << 24)
            | (UInt32(hmacBytes[offset + 1]) << 16)
            | (UInt32(hmacBytes[offset + 2]) << 8)
            | UInt32(hmacBytes[offset + 3])

        // Reduce modulo 10^digits and zero-pad to the requested width.
        var modulo: UInt32 = 1
        for _ in 0..<safeDigits { modulo *= 10 }
        let code = truncated % modulo
        return String(format: "%0\(safeDigits)d", code)
    }
}
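The same algorithm as an added reference implementation in Python, not Lockat's code: it uses only the standard library, applies the same clamping as the Swift generator, and is checked against the test vectors from RFC 6238 Appendix B (the ASCII seeds "1234567890..." repeated to 20, 32 and 64 bytes). It goes one step beyond the page by also showing the verifier side, which accepts a code within a configurable window of time steps (RFC 6238 section 5.2) and compares in constant time; the window size and function names are choices made here, not anything from the app.

```python
import hashlib
import hmac
import struct

# Added example (not Lockat's code): RFC 6238 TOTP generation and verification,
# validated against the published vectors in RFC 6238 Appendix B.

# Appendix B seeds: the ASCII digits 1..0 repeated to 20, 32 and 64 bytes.
SEED20 = b"12345678901234567890"
SEED32 = b"12345678901234567890123456789012"
SEED64 = b"1234567890123456789012345678901234567890123456789012345678901234"
SEED_FOR = {"sha1": SEED20, "sha256": SEED32, "sha512": SEED64}

# (unix_time, algorithm, expected 8-digit code, period 30) from RFC 6238 Appendix B.
RFC6238_VECTORS = [
    (59, "sha1", "94287082"), (59, "sha256", "46119246"), (59, "sha512", "90693936"),
    (1111111109, "sha1", "07081804"), (1111111109, "sha256", "68084774"), (1111111109, "sha512", "25091201"),
    (1111111111, "sha1", "14050471"), (1111111111, "sha256", "67062674"), (1111111111, "sha512", "99943326"),
    (1234567890, "sha1", "89005924"), (1234567890, "sha256", "91819424"), (1234567890, "sha512", "93441116"),
    (2000000000, "sha1", "69279037"), (2000000000, "sha256", "90698825"), (2000000000, "sha512", "38618901"),
    (20000000000, "sha1", "65353130"), (20000000000, "sha256", "77737706"), (20000000000, "sha512", "47863826"),
]


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC the 8-byte big-endian counter, dynamic-truncate, reduce mod 10^digits."""
    if not 1 <= digits <= 9:
        raise ValueError("digits must be between 1 and 9")
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the window
    truncated = (
        (mac[offset] & 0x7F) << 24               # mask sign bit so the value is non-negative
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(truncated % 10 ** digits).zfill(digits)


def time_step(unix_time: float, period: int) -> int:
    """Counter = floor(time / period), with the same clamping the Swift generator applies."""
    safe_period = max(1, period)
    safe_time = max(0.0, float(unix_time))
    return int(safe_time) // safe_period


def totp(secret: bytes, unix_time: float, period: int = 30, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP over the current time step."""
    return hotp(secret, time_step(unix_time, period), digits, algorithm)


def verify_totp(secret: bytes, code: str, unix_time: float, period: int = 30,
                digits: int = 6, algorithm: str = "sha1", window: int = 1) -> bool:
    """Verifier side: accept the code for the current step or up to `window` steps
    either side (clock skew tolerance, RFC 6238 section 5.2). Every candidate is
    compared with hmac.compare_digest so the check does not leak timing."""
    current = time_step(unix_time, period)
    for step in range(current - window, current + window + 1):
        if step < 0:
            continue
        if hmac.compare_digest(hotp(secret, step, digits, algorithm), code):
            return True
    return False


def check_rfc6238_vectors() -> list:
    """Return the list of (time, algorithm, got, expected) mismatches; empty means all pass."""
    failures = []
    for unix_time, algorithm, expected in RFC6238_VECTORS:
        got = totp(SEED_FOR[algorithm], unix_time, period=30, digits=8, algorithm=algorithm)
        if got != expected:
            failures.append((unix_time, algorithm, got, expected))
    return failures


if __name__ == "__main__":
    print("RFC 6238 vector mismatches:", check_rfc6238_vectors())
    print("6-digit SHA-1 code at t=59:", totp(SEED20, 59))
```

Running the file prints an empty mismatch list; the 6-digit code at t=59 is the last six digits of the 8-digit vector for the same step, which is a quick sanity check that truncation and padding agree with the spec. Note that the skew window also defines how long a leaked code stays usable on the verifier, so it should be kept as small as the deployment's clock accuracy allows.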
design choices
palette
system black #000000
system blue #0A84FF
system white #FFFFFF
typography
SF Pro / interface: "Private, secure, and simple."
SF Mono / TOTP codes: 482 913
Some fonts used in this project are proprietary and may not display correctly if they are not installed on your system.
rationale
Lockat's design leans hard into Apple's Human Interface Guidelines, and that's a deliberate product decision rather than a shortcut. Most people reaching for a third-party 2FA app don't realize iOS already has a built-in authenticator, so I wanted Lockat to feel native. Switching from or using it alongside Apple's own solution should have zero cognitive cost. Standard navigation patterns, system materials, SF Pro, and a system-blue accent over fully native light and dark backgrounds make it read as a first-party tool from the first launch. The appearance follows system settings perfectly, avoiding the "half-finished" feel of many third-party apps.
Within that native shell, the design earns its place by surfacing what competing apps leave out. Each entry can carry a free-form note, so a recovery code, a backup email, or a reminder about which phone number is tied to the account lives next to the TOTP itself. Codes can be grouped into folders for users with dozens of accounts to manage, and the interface's accent color is user-configurable, which helps the app feel personal rather than like a generic utility. The result is an interface that disappears into iOS until you need it, then quietly does more than the apps it's sitting next to.