Configs · May 10, 2026 · 3 min read

2FAuth — Self-Hosted Two-Factor Authentication Manager

A web-based self-hosted alternative to Google Authenticator for managing TOTP and HOTP two-factor authentication tokens.

Introduction

2FAuth is a self-hosted web application for managing two-factor authentication (2FA) tokens. It serves as a privacy-focused alternative to mobile authenticator apps like Google Authenticator or Authy, letting you generate TOTP and HOTP codes from any browser while keeping your secret keys on your own server.

What 2FAuth Does

  • Generates time-based (TOTP) and counter-based (HOTP) one-time passwords in the browser
  • Scans QR codes via webcam or accepts manual secret key entry
  • Organizes 2FA accounts into groups with custom icons and labels
  • Exports and imports accounts for backup and migration between instances
  • Provides a REST API for integration with password managers or scripts

Architecture Overview

2FAuth is built with Laravel (PHP) on the backend and Vue.js for the frontend. It stores encrypted 2FA secrets in an SQLite, MySQL, or PostgreSQL database. Token generation happens server-side, and codes are displayed in the browser with a countdown timer. The application supports WebAuthn for passwordless login to the 2FAuth instance itself.

Self-Hosting & Configuration

  • Deploy via Docker with a single volume for persistent storage
  • Access the web UI and create an admin account on first launch
  • Add 2FA accounts by scanning QR codes or pasting secret keys manually
  • Configure the database backend (SQLite by default, or MySQL/PostgreSQL)
  • Enable WebAuthn for hardware security key login to the 2FAuth dashboard

Key Features

  • Browser-based TOTP/HOTP code generation accessible from any device
  • QR code scanning via webcam for easy account setup
  • Account grouping and search for managing dozens of 2FA entries
  • WebAuthn support for securing access to the 2FAuth instance
  • Import and export in standard formats for backup and portability

Comparison with Similar Tools

  • Google Authenticator — mobile-only with no sync; 2FAuth is web-based and accessible from any browser
  • Authy — cloud-synced but closed-source; 2FAuth is open source with full data ownership
  • Bitwarden — password manager with built-in TOTP; 2FAuth is dedicated to 2FA management
  • Aegis — Android-only open source; 2FAuth runs on any device with a web browser

FAQ

Q: Is it safe to host 2FA tokens on a server? A: Secrets are encrypted at rest. Secure the server with HTTPS, strong passwords, and ideally WebAuthn. The tradeoff is convenience versus the isolation of a mobile-only app.

Q: Can I use it on my phone? A: Yes. The web interface is mobile-responsive and works well as a home-screen shortcut.

Q: Does it support Steam Guard codes? A: 2FAuth supports standard TOTP and HOTP. Steam Guard uses a proprietary algorithm that is not supported.

Q: How do I migrate from Google Authenticator? A: Export your accounts from Google Authenticator as a QR code, then scan it with 2FAuth or import the URI list manually.
