Please do not open a normal issue in the GitHub repository for security vulnerabilities; create a Security Advisory instead.

You can create a Security Advisory by clicking on the link above or by clicking on the “Report a vulnerability” button when creating a new issue.

Where can all other issues be reported?

Issues that are not security-related can be reported as a GitHub issue.

Before opening the ticket, please read the frequently asked questions on this page in full to avoid unnecessary effort on both sides.

Where can feature requests be submitted?

To manage expectations: this app is a spare-time project, and only very limited time is available for changes. For this reason, the GitHub issue templates have been limited to “Bug Report” and “Report a security vulnerability”.

If you have a feature request that you are convinced others would also benefit from, please send me an email at

remigius42-github.dcds7@aleeas.com

While I may not be able to respond to every message, I appreciate and prioritize all feature suggestions.

Which Fitbit devices are supported?

Currently supported are:

  • Versa 3
  • Sense

At least for

  • Versa 4
  • Sense 2

there will likely be no support, because no third-party app support is planned for these devices [1].

For devices such as

  • Ionic
  • Versa
  • Versa 2
  • Versa Lite

Authenticator, for example, provides an alternative.

What types of tokens are supported?

Currently, only Time-based One-Time Passwords (TOTP) [2] are supported. TOTP tokens can use the HMAC hash algorithms SHA-1, SHA-256 or SHA-512, the validity period (time step) can be freely selected, and codes of both 6 and 8 digits are supported. These parameters must match what the issuing service configured for the token: a code generated with a different algorithm, period or digit count will not be accepted.

Counter-based tokens (HOTP) and Steam tokens are currently not supported.

Why does it sometimes take a few seconds for changes to tokens to be transmitted to the smartwatch?

Unfortunately, the connection between the smartwatch and the smartphone is neither particularly fast nor does it guarantee the order in which messages arrive. When tokens are changed (display names, order, adding or deleting), all tokens are always transmitted so that the configuration in the companion app and the display on the smartwatch stay consistent. This also means that changes take longer when many tokens are configured, and in rare cases a change can be lost if the connection is unstable and messages are dropped. To fix this, restart the app on the smartwatch, which resynchronizes the data at startup.

Why does it sometimes happen that the progress indicator jumps shortly after the app starts?

This behavior can occur when both the “Compensate clock drift” and “Store tokens on smartwatch” settings are enabled:

The real-time clocks in smartwatches are sometimes inaccurate [3], which is why the app can compensate for the clock error based on the time of the connected smartphone. At the same time, not all smartwatches and smartphones have stable Bluetooth connections, which can lead to connection interruptions. To still display the tokens in that case, the app allows storing the tokens on the smartwatch. However, this must be explicitly enabled for security reasons (see Why aren’t the tokens stored on the smartwatch by default?).

Once the app starts and tokens are stored on the smartwatch, they are loaded and displayed immediately, partly because the app cannot predict whether and when a connection to the smartphone will be established. When the connection is established, the companion app on the smartphone sends the current token configurations and settings, as these may have changed in the meantime. If “Compensate clock drift” is enabled, the clock error is also compensated from that point on, which can be noticeable as a jump in the progress indicator or, in the worst case, a change of the displayed code. To signal that this is not an error in the app, a message is displayed in the app during a clock synchronization.
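As an added worked example (not code from the original page or from the app itself), the following Python models both the token parameters listed above (SHA-1, SHA-256 or SHA-512; selectable period; 6 or 8 digits) and the clock-drift compensation just described. The TOTP part follows RFC 6238 and is checked against the test vectors from its Appendix B. The compensation part assumes that the app derives a fixed offset between the smartphone's and the smartwatch's clock at sync time and adds it to the watch clock from then on; that mechanism is an assumption for illustration, not something the page states.

```python
import hashlib
import hmac
import struct

# Secrets from RFC 6238 Appendix B (ASCII seeds; the SHA-256 and SHA-512 rows
# use longer seeds). Quoted test data, not anything taken from the Fitbit app.
SECRETS = {
    "sha1": b"12345678901234567890",
    "sha256": b"12345678901234567890123456789012",
    "sha512": b"1234567890123456789012345678901234567890123456789012345678901234",
}


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP, with the HMAC hash selectable as RFC 6238 permits."""
    if digits not in (6, 8):
        raise ValueError("only 6- or 8-digit codes are supported")
    if algorithm not in ("sha1", "sha256", "sha512"):
        raise ValueError("algorithm must be sha1, sha256 or sha512")
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def time_step(unix_time: int, period: int = 30, t0: int = 0) -> int:
    """T = floor((now - T0) / X): the counter fed into HOTP (RFC 6238, section 4.2)."""
    return (unix_time - t0) // period


def totp(secret: bytes, unix_time: int, period: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    return hotp(secret, time_step(unix_time, period), digits, algorithm)


def progress(unix_time: int, period: int = 30) -> float:
    """Fraction of the current time step already elapsed (what a progress ring shows)."""
    return (unix_time % period) / period


def compensated_view(watch_time: int, phone_time: int, secret: bytes, period: int = 30,
                     digits: int = 6, algorithm: str = "sha1"):
    """Model of the clock-drift compensation: before the phone connects, the watch
    uses its own (possibly drifted) clock; at sync an offset = phone - watch is
    applied. Returns (offset, (code, progress) before, (code, progress) after)."""
    offset = phone_time - watch_time                         # assumed mechanism
    before = (totp(secret, watch_time, period, digits, algorithm), progress(watch_time, period))
    corrected = watch_time + offset
    after = (totp(secret, corrected, period, digits, algorithm), progress(corrected, period))
    return offset, before, after


if __name__ == "__main__":
    # The watch clock is 2 s behind the phone. Both instants are RFC 6238 test
    # vectors and fall into adjacent 30 s steps, so the code changes at sync.
    off, before, after = compensated_view(1111111109, 1111111111, SECRETS["sha1"], digits=8)
    print(f"offset {off:+d}s  before: {before[0]} at {before[1]:.0%}  "
          f"after: {after[0]} at {after[1]:.0%}")
    for alg in SECRETS:
        print(alg, totp(SECRETS[alg], 59, digits=8, algorithm=alg))
```

The two instants used in the demo are only two seconds apart but sit in different 30-second steps, so a drift of two seconds that straddles a step boundary moves the progress indicator from almost full back to almost empty and replaces the displayed code, which is exactly the jump the FAQ describes. A drift that stays inside one step only shifts the indicator without changing the code.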

Why does the token information sometimes jump when scrolling through tokens?

To save resources on the smartwatch, only the visible tokens and a few just outside the visible area, which act as a buffer, are updated. If fast scrolling skips past this buffer, tokens that have not been updated for a while may briefly show stale information before it jumps to the current value. From the next second on, all tokens in the visible area should be up to date again.

Why are QR codes sometimes not recognized?

The resolution of the images that the companion app can process is very limited for technical reasons. Please shift and scale the camera view so that the QR code fills the selection frame with only a small border.

Screenshot of the QR code import

Please do not open a GitHub issue to report problems with QR codes. The recognition rate is already relatively close to what is technically feasible for this platform. GitHub issues related to the QR code recognition rate may be closed without comment.

Why aren’t the tokens stored on the smartwatch by default?

For security reasons, the tokens are only stored on the smartwatch when the setting is manually activated: the stored tokens include the secrets needed to generate valid codes, so anyone with physical access to the smartwatch could then obtain them.

Why does each token have its own progress indicator?

The TOTP standard [2] recommends time steps of 30 seconds, but other intervals are also possible. Since the tokens can have different validity periods, each needs its own progress indicator.

Why build another app for two-factor authentication?

There are similar apps available for most devices, but at the time of the project’s launch, Authenticator was the only alternative that had disclosed its source code. It should be noted that due to the release process, it is not guaranteed that the app corresponds exactly to the source code, but its open-source nature inspires more confidence than closed-source alternatives.

In addition, with some of the alternative apps, scanning QR codes requires an additional app for Android or iOS. This is problematic because with Fitbit apps, permissions must be interactively granted by default, which may not necessarily be the case with the additional app. It is therefore more difficult to exclude the possibility that the scanned QR codes may be forwarded to third parties by the additional Android or iOS app.