If you run a home lab — Plex, Grafana, Home Assistant, a NAS, whatever — you've probably got a dozen web UIs exposed behind a reverse proxy. Each one is a potential entry point. The smartest thing you can do is layer on multi-factor authentication (MFA) that you control, not a third-party cloud service.
Self-hosting your 2FA means no vendor lock-in, no per-seat licensing, and full control over your authentication data. Here's a breakdown of the best options, from a simple code vault to a full enterprise identity provider.
authentik is the most comprehensive self-hosted identity provider you can run today. It handles MFA, single sign-on (SSO), user provisioning, and even acts as a reverse proxy for legacy apps that don't support auth natively.
It supports TOTP, WebAuthn (passkeys), SMS, email codes, and Duo Push. You can build custom authentication flows with a visual builder — think "if the user is on the LAN, skip MFA; if they're external, require WebAuthn." It integrates with LDAP, OAuth2, SAML, and SCIM, so it plays nicely with everything from Nextcloud to GitLab.
The trade-off: it's resource-hungry. You'll want at least 2 GB of RAM and a decent CPU. Setup is Docker Compose with a few YAML files, but the learning curve is real.
Best for: Home labs with multiple users, many services, and a need for granular access policies.
Authelia is the lightweight alternative. It hooks into your reverse proxy (Caddy, Nginx, Traefik) as a forward-auth backend: the proxy checks each unauthenticated request with Authelia, which presents a login portal with 2FA before traffic reaches your apps.
It supports TOTP, WebAuthn, Duo Push, and one-time backup codes. Configuration is a single YAML file, and it runs comfortably on a Raspberry Pi 4 with 512 MB of RAM. Integration is dead simple — add a few lines to your reverse proxy config and you're done.
What it doesn't do: SSO across apps (it is not an OAuth/SAML provider), a user directory beyond a simple file or LDAP backend, or a visual flow builder. It's a gatekeeper, not an identity platform.
Best for: Small home labs where you just want to put a 2FA wall in front of everything with minimal overhead.
Keycloak is the industry-standard open-source IAM solution, backed by Red Hat. It's used by Fortune 500 companies, and it's free.
It supports OAuth2, OpenID Connect, SAML, LDAP, and a full suite of MFA methods including TOTP, WebAuthn, and conditional policies. The admin console is polished, and it integrates with virtually any application that supports standard auth protocols.
The catch: it's Java-based, which means it's heavy (2–4 GB RAM recommended), and the setup is more involved than Authelia or even authentik. It's overkill if you just want to protect three Docker containers.
Best for: Learning enterprise-grade IAM at home, or labs that need real SSO across many standards-compliant apps.
2FAuth does one thing and does it well: it stores your TOTP secrets in a self-hosted web app so you don't need Google Authenticator or Authy on your phone.
It supports TOTP and HOTP codes, has a clean mobile-friendly UI, and can generate QR codes for easy setup. It runs in a single Docker container with SQLite and uses practically no resources — 128 MB RAM is plenty.
It does not do SSO, proxy authentication, or user management beyond a single admin account. It's a personal 2FA code vault, not an identity provider.
Best for: Anyone who wants to ditch cloud-based authenticator apps and host their own TOTP codes with zero complexity.
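To make concrete what a code vault like 2FAuth actually stores and computes, here is an added example (not 2FAuth's own code) of the RFC 4226 HOTP and RFC 6238 TOTP algorithms, together with the checks a verifying server needs: a small drift window for TOTP and a forward-only counter search for HOTP so an already-used code cannot be replayed. It uses only the Python standard library; the base32 helper assumes the unpadded secret format that otpauth:// URIs and authenticator QR codes carry.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC(secret, counter) with dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP where the counter is the number of `step`-second windows since the Unix epoch."""
    at = int(time.time()) if at is None else at
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at=None, step: int = 30, window: int = 1) -> bool:
    """Accept the current step plus `window` neighbours on each side to absorb clock drift.
    Comparison is constant-time so response timing does not leak how many digits matched."""
    at = int(time.time()) if at is None else at
    counter = at // step
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


def verify_hotp(secret: bytes, code: str, last_counter: int, look_ahead: int = 10):
    """Server-side HOTP check: search forward from the last accepted counter, never backwards.
    Returns the new counter to persist on success, or None; replaying an old code therefore fails."""
    for c in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(secret, c), code):
            return c
    return None


def secret_from_base32(text: str) -> bytes:
    """Authenticator apps exchange the shared secret as (usually unpadded) base32; restore padding."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


if __name__ == "__main__":
    # Shared secret from the RFC 4226/6238 test vectors (constructed input, not a real credential).
    rfc_secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("TOTP now:", totp(rfc_secret), "| HOTP counter 0:", hotp(rfc_secret, 0))
```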
| Dimension | authentik | Authelia | Keycloak | 2FAuth |
|---|---|---|---|---|
| RAM usage | ~2 GB | ~256 MB | ~2–4 GB | ~128 MB |
| Setup complexity | Moderate | Simple | Complex | Very simple |
| Primary use case | Full IAM + SSO | Proxy 2FA gate | Enterprise SSO | TOTP code vault |
Disclosure: Some links on this page are affiliate links. We only recommend tools we'd use ourselves, and using these links helps support the site.