2FAuth
2FAuth is a self-hosted web application for managing Two-Factor Authentication (2FA) accounts and generating OTP security codes. It serves as a desktop/web alternative to mobile authenticator apps like Google Authenticator, with centralized storage, backup capabilities, and optional database encryption.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | Bubka/2FAuth |
| Owner | Bubka |
| Primary language | PHP |
| License | AGPL-3.0 — OSI-approved |
| Stars | 4k |
| Forks | 294 |
| Open issues | 19 |
| Latest release | v8.0.1 (2026-07-05) |
| Last updated | 2026-07-05 |
| Source | https://github.com/Bubka/2FAuth |
What 2FAuth is
PHP-based Laravel web app implementing RFC 4226 (HOTP) and RFC 6238 (TOTP) standards via Spomky-Labs/OTPHP library. Supports single-user authentication with optional WebAuthn security keys, automatic session timeouts, optional AES encryption of sensitive database fields, and imports from multiple formats (Google Auth QR, Aegis JSON, 2FAS JSON).
Get the 2FAuth source
Clone the repository and explore it locally.
git clone https://github.com/Bubka/2FAuth.gitcd 2FAuth# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Requires PHP 8.4+ and Laravel-compatible server environment; verify existing infrastructure supports these versions before committing.
- Optional database encryption is disabled by default; enable it and securely backup APP_KEY to prevent data loss if encryption is activated.
- Single-user model means separate 2FAuth instances required for multiple users; architect multi-tenancy or separate deployments accordingly.
- QR code scanning and account import from Google Auth, Aegis, and 2FAS are built-in; validate import workflows against your current tooling.
- Auto-logout inactivity timer is configurable; balance security vs. user friction based on deployment context.
When to avoid it — and what to weigh
- Multi-user shared authenticator requirement — 2FAuth is explicitly designed as single-user only. Team-based 2FA management or shared account scenarios are not supported.
- Closed-source or proprietary licensing mandate — AGPL-3.0 requires source disclosure and derivative works to be licensed identically. Proprietary product requirements or vendor lock-in expectations conflict with this copyleft model.
- Minimal operational complexity or zero DevOps tolerance — Requires PHP 8.4+, Laravel stack, database setup, and Docker/server administration. Not suitable for organizations seeking fully managed SaaS without infrastructure responsibility.
- High-assurance security certification needs — No mention of security audits, penetration testing, or compliance certifications (FIPS, SOC2, etc.). If regulatory audit trails are mandatory, assess gaps independently.
License & commercial use
2FAuth is licensed under AGPL-3.0 (GNU Affero General Public License v3.0), a strong copyleft license. AGPL-3.0 is an OSI-approved open-source license requiring that any modifications or derivative works (including network-accessed versions) must be released under the same license and source code must be disclosed to users.
AGPL-3.0 permits commercial use, but with material obligations: (1) any modifications must be distributed under AGPL-3.0, (2) source code must be made available to all users (including network users), and (3) derivative works cannot be proprietary. If you plan to modify 2FAuth for a commercial product, resell it, or use it in a SaaS offering, consult legal counsel to ensure compliance. Unmodified deployment as an internal tool is typically permissible, but network-facing modifications may trigger disclosure requirements.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Moderate |
| DEV.co fit | Good |
| Assessment confidence | High |
2FAuth implements several built-in security controls: single-user model reduces attack surface, optional database encryption for sensitive fields, WebAuthn support for phishing-resistant authentication, RFC-compliant OTP generation via vetted library (Spomky-Labs), and configurable auto-logout. However, no third-party security audit, penetration test results, or vulnerability disclosure policy are documented. Security posture depends on: (1) proper environment variable management (APP_KEY), (2) HTTPS enforcement in deployment, (3) database access controls, (4) timely patching of PHP/Laravel/dependencies, and (5) backup security. Assess whether optional encryption and WebAuthn meet your threat model; default settings favor usability over maximum security.
Alternatives to consider
Authy (Twilio SaaS)
Proprietary cloud-hosted alternative; sacrifices control/privacy for turnkey multi-device sync and vendor support. No self-hosting or open-source access.
Aegis Authenticator (Android/open-source)
Mobile-first, open-source (GPLv3), with local encryption and backup. Strong for phone-centric users but lacks rich web UI and desktop workflow integration that 2FAuth offers.
FreeOTP (RedHat/open-source)
Lightweight open-source OTP generator (Apache 2.0), mobile-focused. Minimal feature set; no self-hosted server, groups, or advanced import compared to 2FAuth.
Build on 2FAuth with DEV.co software developers
Evaluate 2FAuth for private, centralized OTP management. Our team can help assess AGPL compliance, deployment architecture, and security posture for your use case.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
2FAuth FAQ
Can I use 2FAuth for multiple users or teams?
What databases does 2FAuth support?
Is encryption mandatory?
Can I use 2FAuth with my existing SSO or LDAP?
Software development & web development with DEV.co
Adopting 2FAuth is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source devops software in production.
Need a self-hosted 2FA solution?
Evaluate 2FAuth for private, centralized OTP management. Our team can help assess AGPL compliance, deployment architecture, and security posture for your use case.