Stop trusting Google Authenticator or Authy with your 2FA secrets. Here are the best self-hosted 2FA apps — from simple OTP generators (2FAuth) to full identity providers (Authentik) — so you control your own security, backups, and recovery.
If you're still using Google Authenticator or Authy, you're trusting someone else's server with your 2FA secrets. Self-hosting means you control the encryption keys, the backups, and the recovery process — no vendor lock-in, no surprise sunset announcements, and no "lost phone" disaster that requires weeks of account recovery.
Here are the best self-hosted 2FA apps, from a simple OTP generator to a full identity provider.
Before we get into the picks, it helps to think about what you actually need:
The picks below cover all three scenarios.
2FAuth is a web-based, self-hosted alternative to Google Authenticator that runs on both mobile and desktop via a browser.[1] It stores your OTP secrets on your own server, supports TOTP and HOTP, and includes a backup/restore feature so you never lose access if your phone dies.
Best for: anyone who wants a simple, dedicated 2FA code generator that they can access from any device without vendor lock-in.
Deployment: Docker or manual PHP setup. Lightweight — runs on a Raspberry Pi.
Authelia is an open-source authentication and authorization server that provides 2FA and SSO for web applications via a reverse proxy.[2] It sits in front of your services (Nginx, Traefik, Caddy) and enforces authentication before users reach the app.
Best for: self-hosters running multiple web services behind a reverse proxy who want a unified login + 2FA layer.
Deployment: Docker, Kubernetes, or bare metal. Requires a reverse proxy.
Authentik is a flexible, self-hosted identity provider that handles MFA, SSO, and can enforce authentication in front of legacy apps.[3] It's more feature-rich than Authelia — think Keycloak-level capabilities without the Java overhead.
Best for: advanced self-hosters or small organizations that need LDAP integration, SAML, OAuth2 providers, and detailed access policies alongside 2FA.
Deployment: docker-compose or Kubernetes. Moderate complexity.
Bitwarden is primarily a password manager, but its self-hosted version includes a built-in authenticator (TOTP) that syncs across all your devices. You get password management and 2FA codes in one self-hosted stack.
Best for: users who already self-host Bitwarden (or want to) and prefer a single dashboard for passwords and 2FA codes.
Deployment: Docker via the official Bitwarden unified image. Heavier than 2FAuth but still manageable.
| Feature | 2FAuth | Authelia | Authentik | Bitwarden |
|---|---|---|---|---|
| Deployment | Docker / PHP | Docker + reverse proxy | docker-compose / K8s | Docker |
| Primary use case | OTP codes | SSO + 2FA proxy | Identity provider | Password mgr + OTP |
| Complexity | Low | Medium | High | Medium |
All four are open-source, actively maintained, and respect your privacy. Pick the one that matches the complexity you're comfortable with.