WinAuth is a portable, open-source Authenticator for Windows that provides counter or time-based RFC 6238 authenticators and common implementations, such as the Google Authenticator. WinAuth can be used with many Bitcoin trading websites as well as games, supporting (World of Warcraft, Hearthstone, Heroes of the Storm, Diablo), Guild Wars 2, Glyph (Rift and ArcheAge), WildStar, RuneScape, SWTOR and Steam.

The project is open-source and hosted at


WinAuth provides an alternative solution to combine various two-factor authenticator services in one convenient place.


Stable and Beta Downloads

Latest Stable Download – 3.5

This current version of WinAuth.

New Features in 3.5

This version adds support for Steam trading confirmations.



Support for multiple Authenticator services

WinAuth supports any service or website that uses the Google Authenticator, Microsoft Authenticator or an RFC 6283 based authenticator. It also supports games such as Battle.Net (World of Warcraft, Hearthstone, Diablo III), GuildWars 2, Glyph, WildStar, Runescape, SWTOR and Steam.


WinAuth requires no installation and is a single executable file, and so can be run from a USB drive or stored and run from cloud files services such as DropBox, Google Drive, or SkyDrive.

If your configuration file (winauth.xml, normally stored in your Windows roaming profile) is in the same folder as the WinAuth program, it will use that instead and switch into “portable” mode, not saving any other information to the computer.

Microsoft .NET Framework 4.5 is required.

Multiple Authenticators

An unlimited number of authenticators can be stored, each with their own personalized name and icon for quick reference. The WinAuth application can be sized as preferred or automatically displayed to fit.

Automatic or On-Demand

Each authenticator can be set to automatically display and refresh the current code or to only calculate and show the code when clicked.

Security and Encryption

All private authenticator data is encrypted with your own personal password, salted and enhanced with key strengthening to reduce the ability for brute force attacks. The data can also be protected using Windows in-built Data Protection API, which will “lock” the data to a single computer or account, making it completely unusable if copied to another computer.

A YubiKey can be used to further enchance the protection by providing a secret key stored only on the YubiKey itself, and must be physically plugged into the computer before WinAuth can be opened.

Each authenticator can also additionally have its own secondary password that is required before any codes are decrypted, calculated and displayed.

Finally, all codes are drawn directly onto the screen to prevent any malware from “windows spying”.


Each authenticator can be assigned a hot-key to notify, display, clipboard copy or inject the current code into another application. An advanced injection script can also be created to automate username, password and code entry. Scripts are part of the private data and also fully encrypted along with the authenticator data.