2FAuth

Self-Hosted

Self‑hosted 2FA manager for desktop and mobile

3.5k stars
Updated Jun 18, 2025

Overview

2FAuth is a self‑hosted, web‑based two‑factor authentication (2FA) manager built on the Laravel framework. It exposes a single‑user experience that securely stores and generates TOTP, HOTP, and Steam Guard codes. From a developer standpoint, the application is designed to be lightweight yet fully feature‑rich, making it an attractive choice for teams that require a private, auditable OTP solution. The core architecture revolves around Laravel’s MVC pattern, with an emphasis on modularity: authentication is handled via Laravel Sanctum for API tokens and a built‑in security‑key mechanism (YubiKey/Titan), while OTP generation is delegated to the well‑maintained `Spomky-Labs/otphp` library, guaranteeing RFC 4226 and RFC 6238 compliance.

Technical Stack

  • Backend: PHP 8.3+ running Laravel 10, which provides Eloquent ORM, routing, validation, and a robust event system.
  • Database: Any Laravel‑compatible DB (PostgreSQL, MySQL, SQLite). All sensitive columns are encrypted using Laravel’s Encrypted Casts when the feature is enabled.
  • Frontend: Blade templates with Alpine.js for interactivity; the UI is responsive and accessible, leveraging Tailwind CSS for rapid styling.
  • OTP Library: `spomky-labs/otphp` handles algorithmic generation, while QR decoding uses `endroid/qr-code`.
  • Containerization: Official Docker images are available, exposing a simple `docker-compose.yml` that mounts the database and persists the `.env` file for configuration.

Core Capabilities

  • Account CRUD: Create, read, update, delete 2FA accounts with support for custom fields and grouping.
  • QR Import: Automatic decoding of QR codes via the `endroid/qr-code` library, enabling quick onboarding.
  • Code Generation API: A `/api/otp/{id}` endpoint returns the current TOTP/HOTP code, suitable for integration with external scripts or CI pipelines.
  • Security Features: Auto‑logout, session timeouts, optional database encryption, and support for FIDO2/WebAuthn keys.
  • Export/Import: JSON export of all accounts and a corresponding import tool, facilitating backups or migration to other services.

Deployment & Infrastructure

2FAuth is intentionally minimalistic; it runs on any PHP‑capable web server (Apache, Nginx) or via Docker. The container image is a single layer built on top of `php:8.3-fpm`, with Composer dependencies pre‑installed, which reduces deployment time to under a minute on modern CI pipelines. For scalability, the stateless nature of API endpoints allows horizontal scaling behind a load balancer, while session data can be stored in Redis or the database to maintain consistency across instances.

Integration & Extensibility

Developers can extend 2FAuth by adding custom Laravel service providers or Blade components. The OTP API is open and can be consumed by mobile apps, CLI tools, or other web services. Webhooks are not natively exposed but can be implemented via Laravel’s event system; for example, emit an `AccountUpdated` event and listen to it with a webhook listener. The modular architecture encourages plugins: the existing `Account` model can be extended via traits to add new authentication methods (e.g., OATH‑HOTP with a custom algorithm).

Developer Experience

Configuration is driven by environment variables; the default `.env.example` contains all necessary settings, including `APP_KEY`, database credentials, and optional encryption flags. Documentation is comprehensive, covering installation, configuration, API usage, and contribution guidelines. The community is active on GitHub, with frequent issue triage and pull‑request reviews. Licensing under MIT ensures no commercial restrictions, making it suitable for both personal and enterprise use.

Use Cases

  1. Personal Desktop Access – A developer who prefers a web interface over mobile apps can host 2FAuth locally and generate OTPs directly from the workstation.
  2. Enterprise Single‑Sign‑On – A small team can deploy 2FAuth on a private server, using the API to feed OTPs into their own SSO workflow.
  3. Backup & Recovery – Since accounts are stored in a relational database, admins can snapshot the DB and restore it on a new host if the original server fails.
  4. Custom Automation – Scripts can pull OTPs via the API to automate login to services that require 2FA, useful in CI/CD pipelines or headless browsers.

Advantages Over Alternatives

  • Full Control: Unlike cloud services, all data remains on premises; encryption at rest is optional but straightforward.
  • Performance: Laravel’s caching and Eloquent make lookups fast; the OTP generation is CPU‑light.
  • Flexibility: Custom groups, advanced forms, and API endpoints allow integration into bespoke workflows.
  • Open Source: MIT license removes licensing headaches; the codebase is actively maintained with high test coverage (codecov badge).
  • Security: Built‑in FIDO2 support, auto‑logout, and database encryption provide a hardened security posture compared to generic OTP apps.

In summary, 2FAuth offers developers a robust, self‑hosted 2FA solution that balances ease of use with
