DEV.co
Open-Source DevOps · Bubka

2FAuth

2FAuth is a self-hosted web application for managing Two-Factor Authentication (2FA) accounts and generating OTP security codes. It serves as a desktop/web alternative to mobile authenticator apps like Google Authenticator, with centralized storage, backup capabilities, and optional database encryption.

Source: GitHub — github.com/Bubka/2FAuth
4k
GitHub stars
294
Forks
PHP
Primary language
AGPL-3.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
RepositoryBubka/2FAuth
OwnerBubka
Primary languagePHP
LicenseAGPL-3.0 — OSI-approved
Stars4k
Forks294
Open issues19
Latest releasev8.0.1 (2026-07-05)
Last updated2026-07-05
Sourcehttps://github.com/Bubka/2FAuth

What 2FAuth is

PHP-based Laravel web app implementing RFC 4226 (HOTP) and RFC 6238 (TOTP) standards via Spomky-Labs/OTPHP library. Supports single-user authentication with optional WebAuthn security keys, automatic session timeouts, optional AES encryption of sensitive database fields, and imports from multiple formats (Google Auth QR, Aegis JSON, 2FAS JSON).

Quickstart

Get the 2FAuth source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/Bubka/2FAuth.gitcd 2FAuth# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Self-hosted 2FA consolidation for privacy-conscious users

Organizations or individuals who want OTP generation under their control rather than trusting third-party mobile apps. Centralized backup/restore eliminates smartphone loss risk.

Enterprise desktop workflow integration

Teams working primarily on desktop who need rapid OTP access without context-switching to mobile. Single-user model suits personal or role-specific deployments.

Multi-device OTP access with unified database

Users who need the same 2FA accounts accessible from laptop, desktop, and mobile browsers, with synchronized state and centralized audit/backup.

Implementation considerations

  • Requires PHP 8.4+ and Laravel-compatible server environment; verify existing infrastructure supports these versions before committing.
  • Optional database encryption is disabled by default; enable it and securely backup APP_KEY to prevent data loss if encryption is activated.
  • Single-user model means separate 2FAuth instances required for multiple users; architect multi-tenancy or separate deployments accordingly.
  • QR code scanning and account import from Google Auth, Aegis, and 2FAS are built-in; validate import workflows against your current tooling.
  • Auto-logout inactivity timer is configurable; balance security vs. user friction based on deployment context.

When to avoid it — and what to weigh

  • Multi-user shared authenticator requirement — 2FAuth is explicitly designed as single-user only. Team-based 2FA management or shared account scenarios are not supported.
  • Closed-source or proprietary licensing mandate — AGPL-3.0 requires source disclosure and derivative works to be licensed identically. Proprietary product requirements or vendor lock-in expectations conflict with this copyleft model.
  • Minimal operational complexity or zero DevOps tolerance — Requires PHP 8.4+, Laravel stack, database setup, and Docker/server administration. Not suitable for organizations seeking fully managed SaaS without infrastructure responsibility.
  • High-assurance security certification needs — No mention of security audits, penetration testing, or compliance certifications (FIPS, SOC2, etc.). If regulatory audit trails are mandatory, assess gaps independently.

License & commercial use

2FAuth is licensed under AGPL-3.0 (GNU Affero General Public License v3.0), a strong copyleft license. AGPL-3.0 is an OSI-approved open-source license requiring that any modifications or derivative works (including network-accessed versions) must be released under the same license and source code must be disclosed to users.

AGPL-3.0 permits commercial use, but with material obligations: (1) any modifications must be distributed under AGPL-3.0, (2) source code must be made available to all users (including network users), and (3) derivative works cannot be proprietary. If you plan to modify 2FAuth for a commercial product, resell it, or use it in a SaaS offering, consult legal counsel to ensure compliance. Unmodified deployment as an internal tool is typically permissible, but network-facing modifications may trigger disclosure requirements.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityModerate
DEV.co fitGood
Assessment confidenceHigh
Security considerations

2FAuth implements several built-in security controls: single-user model reduces attack surface, optional database encryption for sensitive fields, WebAuthn support for phishing-resistant authentication, RFC-compliant OTP generation via vetted library (Spomky-Labs), and configurable auto-logout. However, no third-party security audit, penetration test results, or vulnerability disclosure policy are documented. Security posture depends on: (1) proper environment variable management (APP_KEY), (2) HTTPS enforcement in deployment, (3) database access controls, (4) timely patching of PHP/Laravel/dependencies, and (5) backup security. Assess whether optional encryption and WebAuthn meet your threat model; default settings favor usability over maximum security.

Alternatives to consider

Authy (Twilio SaaS)

Proprietary cloud-hosted alternative; sacrifices control/privacy for turnkey multi-device sync and vendor support. No self-hosting or open-source access.

Aegis Authenticator (Android/open-source)

Mobile-first, open-source (GPLv3), with local encryption and backup. Strong for phone-centric users but lacks rich web UI and desktop workflow integration that 2FAuth offers.

FreeOTP (RedHat/open-source)

Lightweight open-source OTP generator (Apache 2.0), mobile-focused. Minimal feature set; no self-hosted server, groups, or advanced import compared to 2FAuth.

Software development agency

Build on 2FAuth with DEV.co software developers

Evaluate 2FAuth for private, centralized OTP management. Our team can help assess AGPL compliance, deployment architecture, and security posture for your use case.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

2FAuth FAQ

Can I use 2FAuth for multiple users or teams?
No. 2FAuth is explicitly designed for single-user personal use. Separate instances would be needed per user; there is no built-in multi-tenancy or team management.
What databases does 2FAuth support?
Any database supported by Laravel (MySQL, PostgreSQL, SQLite, SQL Server, etc.). Check Laravel documentation for detailed support matrix and version requirements.
Is encryption mandatory?
No, encryption of sensitive database fields is optional and disabled by default. If enabled, ensure APP_KEY is securely backed up to prevent data loss.
Can I use 2FAuth with my existing SSO or LDAP?
Not documented. 2FAuth uses internal authentication and optional WebAuthn; OIDC, SAML, LDAP integration is not mentioned. Custom integration would require development.

Software development & web development with DEV.co

Adopting 2FAuth is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source devops software in production.

Need a self-hosted 2FA solution?

Evaluate 2FAuth for private, centralized OTP management. Our team can help assess AGPL compliance, deployment architecture, and security posture for your use case.