2FAuth
2FAuth lets you manage your Two-Factor Authentication (2FA) accounts and generate their security codes as a self-hosted solution.
Web-based two-factor authentication management, honestly reviewed. For founders who’ve been locked out after a phone died.
TL;DR
- What it is: A self-hosted web app that manages your TOTP/HOTP 2FA accounts and generates OTP codes — think Google Authenticator, but running on your server and accessible from any browser [README].
- Who it’s for: Solo founders, developers, and small teams who want their 2FA secrets under their own control, not baked into a phone that can be lost, stolen, or wiped [1][README].
- Cost savings: The software is free (AGPL-3.0). If you’re currently paying for a password manager’s TOTP tier (e.g., Bitwarden Premium at $10/year or 1Password at $36/year), self-hosted 2FAuth on your existing VPS costs $0 in licensing.
- Key strength: Works from any browser on any device — no phone required. One locked-out Google Authenticator horror story is the reason the developer built this [README].
- Key weakness: Single-user by design with multi-user available but limited; AGPL-3.0 license means embedding in commercial products requires caution; no native mobile app — it’s a PWA.
What is 2FAuth
2FAuth is a web application you deploy on your own server (or homelab) that replaces phone-based TOTP apps. You scan your service’s QR code once, it stores the secret, and from then on you get your one-time passwords through a browser tab instead of a phone screen.
The creator is explicit about why this exists. From the README: “I hate taking out my smartphone to get an OTP when I use a desktop computer” and “Did you already encountered a smartphone loss with all your 2FA accounts in Google Auth? I did…” [README]. That is a real problem. Google Authenticator historically had no cloud backup (it added one eventually, with its own trust concerns), and a lost or factory-reset phone has left countless people locked out of critical accounts with no recovery path. 2FAuth’s answer is: put the secrets in a database you control, on a server that doesn’t die when your phone battery hits zero.
As of this review, the project sits at 3,820 GitHub stars under AGPL-3.0 [merged profile]. It is a solo-developer project (Bubka) with community contributions, not a VC-backed company — which is relevant to how you should think about long-term support.
The interface is a clean web app, accessible as a pinned browser tab, PWA install, or through companion browser extensions for Chrome and Firefox that surface OTP codes directly from the toolbar without opening a tab [1]. There’s also a full REST API if you want to pull codes programmatically [1].
Why people choose it
There are no meaningful third-party review sites covering 2FAuth the way n8n or Activepieces get covered. It doesn’t have a Trustpilot page. It doesn’t get comparison articles in TechRadar. What it does have is a focused GitHub issue tracker, a Crowdin localization project with contributions in many languages, and a live demo at https://demo.2fauth.app that you can test without installing anything.
That tells you something about the user: they found it through self-hosted community channels (r/selfhosted, Awesome-Selfhosted lists), not through Google product comparison queries. The audience isn’t “which SaaS should I subscribe to” — it’s “I want to own this.”
The core case for choosing 2FAuth over alternatives breaks down by what problem you’re actually solving:
If your problem is phone dependency: 2FAuth solves this cleanly. You’re at your laptop at 11pm, you need to log into AWS, your phone is in another room. With 2FAuth running, you open a browser tab and grab the code. No fumbling. This is the use case the README leads with, and it’s genuinely useful [README].
If your problem is backup and recovery: A Google Authenticator user who loses their phone and didn’t set up recovery codes is in serious trouble. 2FAuth’s 2FA secrets live in a SQLite or PostgreSQL database you control. Backup is cp database.sqlite backup/ or a standard database dump [1]. The import/export story is also solid: it can import from Google Authenticator (via QR code), Aegis (JSON and plain text), and 2FAS JSON [README].
If your problem is trust: Authy syncs your secrets to Twilio’s servers. Google Authenticator may sync to your Google account depending on settings. If you don’t trust those companies with the seeds for your accounts, self-hosting is the only real alternative. 2FAuth, combined with database encryption (optional, requires backing up your APP_KEY), keeps those secrets on hardware you manage [README].
If your problem is cost: This is the weakest argument for 2FAuth specifically, because most 2FA apps are free. Bitwarden’s free tier doesn’t include TOTP. Bitwarden Premium does, at $10/year. If you’re already running a VPS for other self-hosted tools, adding 2FAuth costs you zero marginal dollars. If you’d have to spin up a VPS just for this, the $5–6/month VPS cost exceeds the $10/year Bitwarden Premium price — so the “cost savings” argument only holds if you’re consolidating onto existing infrastructure.
Features
Core OTP generation:
- TOTP (time-based, the standard kind used by Google, GitHub, etc.) and HOTP (counter-based, less common) — both implemented against RFC 4226 and RFC 6238 via a PHP library [README]
- Steam Guard codes (the TOTP variant Steam uses) [README]
- QR code scanning to add accounts — from camera or image file [README][1]
- Manual account entry without QR code via an advanced form [README]
- Group organization for accounts [README]
- Edit any account including imported ones [README]
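The OTP algorithms and QR-code provisioning listed above, as an added Python example (not 2FAuth's own PHP code): HOTP and TOTP exactly as RFC 4226 and RFC 6238 define them, the Steam Guard base-26 variant as it is commonly documented, and a parser for the otpauth:// key URI that a provider's QR code encodes (the Google Authenticator key-URI format is assumed as the scanned input).

```python
# Added example (not 2FAuth's own code): RFC 4226 HOTP, RFC 6238 TOTP, the Steam Guard
# variant, and a parser for the otpauth:// URI that a 2FA QR code carries.
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

STEAM_ALPHABET = "23456789BCDFGHJKMNPQRTVWXY"  # community-documented Steam Guard symbol set

def dynamic_truncate(mac: bytes) -> int:
    """RFC 4226 5.3: 4 bytes at the offset given by the low nibble of the last byte, sign bit masked."""
    offset = mac[-1] & 0x0F
    return struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF

def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HMAC over the 8-byte big-endian counter, truncated, reduced mod 10^digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    return str(dynamic_truncate(mac) % (10 ** digits)).zfill(digits)

def totp(secret: bytes, at=None, period: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter replaced by floor(unix_time / period)."""
    at = int(time.time()) if at is None else at
    return hotp(secret, at // period, digits, algo)

def steam_code(secret: bytes, at=None) -> str:
    """Steam Guard: same truncation as TOTP, but 5 symbols drawn base-26 from STEAM_ALPHABET."""
    at = int(time.time()) if at is None else at
    value = dynamic_truncate(hmac.new(secret, struct.pack(">Q", at // 30), hashlib.sha1).digest())
    code = ""
    for _ in range(5):
        code, value = code + STEAM_ALPHABET[value % 26], value // 26
    return code

def parse_otpauth(uri: str) -> dict:
    """Decode otpauth://totp/Issuer:account?secret=BASE32&... (Google Authenticator key URI format)."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth totp/hotp URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    issuer, _, account = unquote(u.path.lstrip("/")).rpartition(":")
    b32 = q["secret"].upper().replace(" ", "")
    secret = base64.b32decode(b32 + "=" * (-len(b32) % 8))  # QR payloads usually omit '=' padding
    return {"type": u.netloc, "issuer": q.get("issuer", issuer), "account": account.strip(),
            "secret": secret, "digits": int(q.get("digits", 6)), "period": int(q.get("period", 30)),
            "counter": int(q.get("counter", 0)), "algorithm": q.get("algorithm", "SHA1").upper()}

def code_for(uri: str, at=None) -> str:  # current code for a scanned URI; HOTP uses the URI's counter
    p = parse_otpauth(uri)
    algo = getattr(hashlib, p["algorithm"].lower())
    if p["type"] == "hotp":
        return hotp(p["secret"], p["counter"], p["digits"], algo)
    return totp(p["secret"], at, p["period"], p["digits"], algo)
```

The shared secret "12345678901234567890" from the RFC appendices reproduces the published test vectors, which is the check to run before trusting any OTP implementation.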
Security layer:
- WebAuthn authentication: you can sign in with a Yubikey or Titan key and disable the traditional login form entirely [README]
- Optional database encryption for stored secrets. Off by default; when enabled, requires you to back up your APP_KEY [README]
- Auto-logout after an inactivity period; the period is configurable, and logout can also be triggered when a code is copied [README]
- OTP obfuscation option [1]
Access patterns:
- REST API covering most functions [1]
- Browser extensions for Chrome and Firefox (require a running 2FAuth instance — they’re not standalone) [1]
- PWA installable on mobile and desktop [1]
- Works on any device with a browser — including someone else’s computer if needed [1]
Multi-user:
- The README says “it is not possible to create more than one user account, the app is thought for personal use” — but the website docs reference multi-user and family/friends sharing [README][1]. The single-user restriction appears to be the original design intent; a multi-user mode exists but isn’t the primary use case.
Import/Export:
- Import from: 2FAuth JSON, Google Auth (QR code), Aegis Auth (JSON + plain text), 2FAS Auth (JSON) [README]
- Export available for migration out [1]
Pricing: SaaS vs self-hosted math
2FAuth has no commercial tier, no cloud offering, and no paid features. The software is free [README].
The pricing comparison is therefore not “2FAuth Cloud vs self-hosted” — it’s “2FAuth vs the alternatives you might otherwise pay for.”
Alternatives with costs:
- Bitwarden Free: Does not include TOTP code generation
- Bitwarden Premium: $10/year — includes TOTP, cloud-synced, trusted third party
- 1Password: ~$36/year (individual) — includes TOTP as part of full password manager
- Authy: Free — but stores secrets on Twilio’s servers, no export function, discontinued desktop app
- Google Authenticator: Free — cloud backup tied to your Google account
2FAuth self-hosted:
- Software: $0 (AGPL-3.0)
- Hosting: $0 if you already run a VPS. $5–6/month on Hetzner or Contabo if you don’t
- Storage: SQLite for personal use needs roughly nothing. Even PostgreSQL at small scale is sub-1GB
Honest math:
If you’re already paying Bitwarden Premium for TOTP: self-hosting 2FAuth on existing infrastructure saves $10/year — negligible, but the data-sovereignty argument may matter more to you than the money.
If you’d spin up a new VPS just for 2FAuth: you’d spend $60–72/year for something Bitwarden charges $10/year for. That’s backwards. The case for a dedicated 2FAuth VPS only makes sense if you’re also hosting other self-hosted tools on the same box.
If you’re already running a homelab or a general-purpose VPS: add 2FAuth to it, costs nothing, gain full ownership of your 2FA secrets. This is the sweet spot.
Deployment reality check
2FAuth can be deployed two ways: directly on a server with PHP and a web server, or via Docker/Docker Compose [1][README].
Docker path (recommended): The README links to official Docker and Docker Compose guides. If you’ve deployed any PHP app in Docker before, this is standard: pull the image, set environment variables for your database and APP_KEY, attach a volume for storage, put Caddy or nginx in front for HTTPS.
Direct server path: Requires PHP >= 8.4 with a specific set of extensions (BCMath, Ctype, DOM, Fileinfo, GD, JSON, Mbstring, OpenSSL, PDO, Tokenizer, XML), Composer, and a supported database [1]. The official docs provide complete nginx and Apache2 configurations including custom base-URL (subdirectory) setups [1]. The database recommendations are sensible: SQLite for personal use, server-based SQL for multi-user [1].
Database choices: SQLite, MySQL 5.7+, MariaDB 10.3+, PostgreSQL 10.0+, SQL Server 2017+ [1]. For a single user, SQLite is genuinely the right call here — the app has minimal concurrent access and SQLite backup is trivially simple.
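The caveat a practitioner would attach to "cp database.sqlite", as an added Python example that is not 2FAuth's code: if the app holds the SQLite file open in WAL mode, rows it has already committed can still sit in the -wal sidecar file, so a copy of the main file alone misses them, while SQLite's online backup API yields a consistent copy. The table and its rows are constructed stand-ins, not 2FAuth's schema.

```python
# Added example (not 2FAuth's own code): a plain cp of the .sqlite file can miss rows that a running
# app has committed in WAL mode (they sit in the -wal sidecar); SQLite's online backup API does not.
import shutil
import sqlite3
from pathlib import Path
from tempfile import mkdtemp

def make_sample_db(path: Path) -> sqlite3.Connection:
    """Constructed stand-in for the app database (not 2FAuth's real schema), left open like a running app."""
    con = sqlite3.connect(path, isolation_level=None)   # autocommit: every statement is committed at once
    con.execute("PRAGMA journal_mode=WAL")               # committed pages stay in <path>-wal until a checkpoint
    con.execute("CREATE TABLE accounts_sample (id INTEGER PRIMARY KEY, service TEXT, secret TEXT)")
    con.executemany("INSERT INTO accounts_sample (service, secret) VALUES (?, ?)",
                    [("example-service", "CONSTRUCTEDSECRETA"), ("other-service", "CONSTRUCTEDSECRETB")])
    return con

def naive_copy(src: Path, dst: Path) -> Path:
    """What 'cp database.sqlite backup/' does: only the main file, never the -wal sidecar."""
    shutil.copyfile(src, dst)
    return dst

def api_backup(src: Path, dst: Path) -> Path:
    """Page-level copy through the SQLite backup API: consistent even while the app keeps writing."""
    source, target = sqlite3.connect(src), sqlite3.connect(dst)
    try:
        source.backup(target)
    finally:
        target.close()
        source.close()
    return dst

def row_counts(db: Path) -> dict:
    """Integrity-check a copy and count rows per table: do this before trusting any backup."""
    con = sqlite3.connect(db)
    try:
        if con.execute("PRAGMA integrity_check").fetchone()[0] != "ok":
            raise RuntimeError(f"{db} failed integrity_check")
        names = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
        return {n: con.execute(f'SELECT COUNT(*) FROM "{n}"').fetchone()[0] for n in names}
    finally:
        con.close()

def demo() -> tuple:
    """Returns (rows visible in the cp-style copy, rows visible in the backup-API copy)."""
    work = Path(mkdtemp())
    live = make_sample_db(work / "database.sqlite")      # the 'app' still holds this connection open
    cp_counts = row_counts(naive_copy(work / "database.sqlite", work / "cp_copy.sqlite"))
    api_counts = row_counts(api_backup(work / "database.sqlite", work / "api_copy.sqlite"))
    live.close()                                          # closing the last connection checkpoints the WAL
    return cp_counts, api_counts

if __name__ == "__main__":
    print(demo())
```

The same backup API is what `sqlite3 database.sqlite ".backup backup/database.sqlite"` uses from the command line, which is the safer substitute for a bare cp while the instance is running.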
What can go wrong:
- PHP 8.4 is a recent requirement. If you’re on shared hosting or an older VPS image with PHP 8.1, you’ll need to upgrade. Most current Docker images handle this transparently.
- The encryption feature requires you to save your APP_KEY before enabling it. If you lose that key and encrypted the database, your 2FA secrets are unrecoverable [README]. This is a real footgun for non-technical users.
- If you forget your 2FAuth password and haven’t set up WebAuthn recovery, you’re locked out. The app doesn’t send recovery emails unless you configure SMTP.
- No native mobile app. The PWA works, but PWA camera access for QR scanning can be inconsistent across browsers.
Realistic time for a technical user with an existing VPS: 20–30 minutes to a working instance with Docker Compose. For a non-technical user following a guide for the first time: 2–4 hours including domain and HTTPS setup.
Pros and Cons
Pros
- Browser-accessible from anywhere. You can grab a 2FA code from your laptop, a shared machine, or a tablet without touching your phone. This is the core use case and it works exactly as advertised [README].
- Owns its backup story. Your 2FA secrets are in a database file you can copy to S3, Backblaze, or a USB stick. No “pray your phone backup worked” situations [README].
- Import from the major apps. Google Authenticator, Aegis, and 2FAS imports mean migration isn’t a painful manual process [README].
- WebAuthn hardware key login. You can configure it so only a physical Yubikey logs into 2FAuth itself — a strong secondary authentication layer for the tool that holds your other authentication secrets [README].
- REST API. If you want to pull codes from scripts, automation, or other apps, there’s an API [1].
- Actively maintained. The project has been running for years, has a live demo, Crowdin translations in progress, and browser extensions — signs of genuine ongoing development.
- Zero licensing cost. AGPL-3.0, free to self-host forever.
Cons
- AGPL-3.0 license. If you want to embed 2FAuth into a commercial product or SaaS, AGPL-3.0 requires your product to also be open source. This is a real constraint, not a technicality. MIT or Apache-2.0 it is not.
- Single-developer project. Bubka maintains this. No company, no team, no commercial backing. If the developer stops, the project stops. There’s no organizational continuity guarantee.
- Password recovery is manual. No email-based password reset unless you configure SMTP yourself. Forget the master password + no recovery options = locked out [README + deployment experience].
- The encryption footgun. Optional database encryption is a great feature but requires the user to understand and retain the APP_KEY. The docs flag this but non-technical users often miss it until something goes wrong [README].
- No native mobile app. PWA is functional but not identical to a native app experience. Camera access for QR scanning via PWA can be unreliable on some browsers.
- Multi-user is secondary. The original design is single-user personal use. Multi-user mode exists but isn’t the primary UX focus — team use at any real scale would feel like a workaround [README].
- Limited community review coverage. Because the tool doesn’t have a SaaS tier, it doesn’t get reviewed on G2, Capterra, or Trustpilot. The practical effect is that it’s harder to assess real-world edge cases and bugs from community feedback.
Who should use this / who shouldn’t
Use 2FAuth if:
- You already run a VPS or homelab with spare capacity and want your 2FA secrets on hardware you control.
- You’ve experienced or fear the “lost phone, lost all 2FA” scenario.
- You spend most of your day on a desktop or laptop and resent unlocking your phone dozens of times a day for OTP codes.
- You want WebAuthn hardware key authentication as your primary login method.
- You’re migrating from Google Authenticator or Aegis and want something with a decent import path.
Think carefully before using 2FAuth if:
- You’re deploying it as your only 2FA solution with no backup strategy. The tool that protects your other accounts must itself be resilient — set up proper backups and recovery before you migrate your most critical accounts.
- You’re not comfortable with the AGPL-3.0 implications for commercial use.
Skip it if:
- You need a standalone mobile app. 2FAuth is a web app. If offline access to your codes with no network is a requirement, Aegis (Android) or Raivo (iOS) are better fits.
- You have no server to run it on and don’t want one. Bitwarden Premium at $10/year handles TOTP fine if you’re okay with a trusted third party.
- You need a team-oriented 2FA management solution with RBAC and audit logs. 2FAuth isn’t that tool.
- You want the tool to manage company-wide 2FA for dozens of employees. Look at a proper secrets manager instead.
Alternatives worth considering
- Aegis Authenticator — Android-only, open source (MIT), excellent backup story, encrypted vault. No web access, no desktop access, no REST API. Better if phone-centric is fine.
- Raivo OTP — iOS-only, open source. Similar positioning to Aegis for Apple users.
- Ente Auth — Open source, cross-platform (iOS, Android, desktop, web). Cloud sync with end-to-end encryption, or fully self-hostable. Newer project, growing fast, arguably the most direct competitor to 2FAuth as a web-accessible solution.
- Vaultwarden + Bitwarden clients — Self-hosted Bitwarden server (unofficial, Rust rewrite). If you already manage passwords in Bitwarden and want TOTP in the same place, Vaultwarden handles both. More complex to deploy, more powerful.
- KeePassXC — Desktop password manager with TOTP support. Local-only, no web interface, no mobile sync without additional setup.
- Bitwarden (managed cloud) — $10/year, handles both passwords and TOTP, trusted company, no self-hosting required. The right call if ownership isn’t a priority.
- Authy — Free, multi-device sync, but closed-source, no export, no self-host option, and Twilio holds your secrets. Mentioned only as a baseline to escape from.
For the self-hosted path specifically: 2FAuth vs Ente Auth self-hosted is the realistic comparison if cross-platform access matters. 2FAuth is more mature; Ente Auth is more polished on mobile and has end-to-end encryption built in as a first-class feature.
Bottom line
2FAuth solves one problem: it moves your 2FA secrets off your phone and onto a server you control, accessible from any browser. That’s a narrow problem, but it’s a real one. If you’ve been bitten by a lost phone wiping out your Google Authenticator accounts, or if you just want to stop unlocking your phone 30 times a day while working on a laptop, the value is immediate. The setup is reasonable for anyone already comfortable with Docker. The security model is sound — WebAuthn support, optional encryption, auto-logout, RFC-compliant OTP generation.
The caveats are genuine: this is a solo-developer AGPL-3.0 project, not a commercial product with an SLA. The encryption feature has a footgun (lose your APP_KEY and your database is gone). And if you’re spinning up a new VPS just for this, you’ll spend more than Bitwarden Premium costs. The right audience is someone already running self-hosted infrastructure who wants one more piece of sensitive data off third-party servers. For them, it’s a clean, focused tool that does exactly what it says.
Sources
- 2FAuth Docs — Self-hosted server installation guide. https://docs.2fauth.app/getting-started/installation/self-hosted-server/
Primary sources:
- 2FAuth GitHub README — https://github.com/bubka/2fauth (3,820 stars, AGPL-3.0 license)
- 2FAuth official documentation — https://docs.2fauth.app
- 2FAuth live demo — https://demo.2fauth.app