
Fully Managed 2FAuth as a Service

Deploy 2FAuth as a fully managed service starting at €9/mo. Get automated backups, SSL, updates, support and monitoring included.

2FAuth is an open-source self-hosted two-factor authentication manager — TOTP, HOTP, and Steam Guard codes in one web app — combining the convenience of cloud authenticators like Authy or Google Authenticator with the security and key custody of running the vault on infrastructure you control.

Free 7-day trial  99.9% Uptime SLA  No credit card  Cancel anytime

2FAuth

STARTING AT

€9/month
Automated Backups
Monitoring
Automated Updates
Auto SSL

USAGE

Unlimited
Human Support
Custom Domains
Terminal Access
File Manager Access
Deploy in your region: 21 locations worldwide
Germany, Finland, Netherlands, UK, Sweden, United States, Canada, Singapore, Japan, Australia, Brazil, South Africa, +9 more

ABOUT THE SOFTWARE

What is 2FAuth

2FAuth is an open-source, self-hosted web app for managing two-factor authentication accounts and generating one-time passwords. It replaces cloud authenticators like Authy and Google Authenticator with a vault that lives on a server you choose, encrypted with a key you control.

2FAuth is built in PHP on the Laravel framework with a Vue.js front-end, licensed under AGPL-3.0, and maintained by Bubka and a community of 21 contributors. The project sits on 3,800+ GitHub stars and just over 2,000 commits since its first release in 2019.

The app generates RFC 6238 TOTP codes, RFC 4226 HOTP codes, and Steam Guard codes via the Spomky-Labs OTPHP library. It imports natively from Aegis, 2FAS, Google Authenticator (QR migration), and its own JSON format. It runs on SQLite for small instances and on MySQL, MariaDB, or PostgreSQL. Browser extensions for Chrome and Firefox surface codes directly from the toolbar, and the official REST API exposes the same functionality to external tooling.

FEATURES

What 2FAuth does

2FAuth handles the full lifecycle of a 2FA secret: import or QR scan, generation of the current code, organisation into groups, browser-extension or mobile-web access, hardware-key-protected login, and one-click export. Everything stays on infrastructure you control.

TOTP and HOTP generation

RFC 6238 time-based and RFC 4226 counter-based one-time passwords. Steam Guard codes supported natively. Generation via the Spomky-Labs OTPHP library.

Native import from major formats

One-click import from Aegis Auth (JSON or plain text), 2FAS Auth (JSON), Google Authenticator (QR migration), and 2FAuth's own JSON. Authy has no export — the migration there is manual but supported.

WebAuthn login

Hardware-key login with Yubikey, Titan Security Keys, SoloKeys, or any FIDO2-compliant device. The traditional password form can be disabled once a key is registered.

Multi-user instance with per-user vaults

Recent versions support multi-user mode — a single instance hosts a family, a 10-person agency, or a 30-engineer team. Each user has their own isolated vault. €9 covers the instance, not per seat.

QR code scan and decode

Scan any 2FA setup QR code through the web interface. The scanner decodes any QR code, not just 2FA — useful for grabbing the secret string from a vendor portal that does not expose it as text.

Vault-level encryption

The 2FA secrets and otpauth URIs in the database can be encrypted with the Laravel APP_KEY. The vault is useless to whoever holds a stolen database file without the matching key.

OTP obfuscation and auto-lock

Codes can be hidden until clicked, so a shoulder-surfer in a co-working office cannot read them from your screen. Auto-logout on inactivity is configurable down to one minute.

REST API and browser extensions

Official Chrome and Firefox extensions surface codes from the browser toolbar via a revocable API token. The REST API exposes the same functionality to scripts, password managers, and automation tooling.

WHAT'S ALWAYS INCLUDED

Every app. Fully managed.
Nothing extra to pay for.

Every app you deploy includes the full managed service — security, backups, updates, and support from day one.

Automatic updates and patches

Apps run the latest stable version. Security patches applied silently, with rollback if needed.

Daily off-site backups

Multiple daily backups in redundant off-site locations. One-click restore if anything goes wrong.

24/7 uptime monitoring

Continuous monitoring with instant alerting. We respond before you notice.

SSL, firewall, DDoS protection

Auto-renewing SSL, hardened firewall rules, DDoS mitigation on every deployment.

Performance and scaling

We monitor resource usage continuously. When your app needs more headroom, we flag it and upgrade with your explicit approval.

Dedicated engineering support

Real engineers on chat. DNS, SMTP & migration help. All included in €9.

WHY MANAGED

Why teams pick managed 2FAuth

Most teams arrive here after Authy's wind-down: the desktop apps shut down in March 2024, the API endpoint that leaked 33 million phone numbers in July 2024 broke trust, and Twilio publicly refocused on its enterprise Verify API while the consumer Authy mobile app drifted into maintenance mode. The migration window opened; the question became where to.

Running 2FAuth yourself sounds straightforward — a PHP app on a small VPS. The reality is sharper. The app uses Laravel's APP_KEY to encrypt the 2FA seeds in the database. If APP_KEY is lost without backup, the seeds are permanently unrecoverable. The official documentation says it plainly: there is no workaround in case of key loss. A careless re-deploy that regenerates the .env file, a disk failure that destroys the database and the key together, a backup script that snapshots the database but not the .env — any one of these turns a working 2FA vault into ciphertext that no one can read.
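
The key-loss failure modes above can be caught before they matter by comparing the APP_KEY in the live .env with the copy held in the backup. The following is an added example, not 2FAuth or DANIAN code; the function names and sample .env contents are constructed, and the 32-byte key length assumes Laravel's default AES-256-CBC cipher.

```python
import base64
import hashlib

KEY_BYTES = 32  # assumption: Laravel's default AES-256-CBC cipher needs a 32-byte key


def parse_app_key(env_text):
    """Return the decoded APP_KEY from .env contents, or raise ValueError."""
    for raw in env_text.splitlines():
        line = raw.strip()
        if line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        if name.strip() != "APP_KEY":
            continue
        value = value.strip().strip("\"'")
        if value.startswith("base64:"):
            # binascii.Error raised on bad input is a ValueError subclass
            key = base64.b64decode(value[len("base64:"):], validate=True)
        else:
            key = value.encode()
        if len(key) != KEY_BYTES:
            raise ValueError(f"APP_KEY decodes to {len(key)} bytes, expected {KEY_BYTES}")
        return key
    raise ValueError("APP_KEY is not set")


def fingerprint(key):
    """Short SHA-256 fingerprint that is safe to log; the key itself is never printed."""
    return hashlib.sha256(key).hexdigest()[:16]


def check_key_backup(live_env, backup_env):
    """Compare the live .env with the backed-up copy; return a list of findings."""
    if backup_env is None:
        return ["backup contains no .env: the database is backed up without its key"]
    try:
        live = parse_app_key(live_env)
    except ValueError as exc:
        return [f"live .env: {exc}"]
    try:
        saved = parse_app_key(backup_env)
    except ValueError as exc:
        return [f"backup .env: {exc}"]
    if fingerprint(live) != fingerprint(saved):
        return [
            f"APP_KEY differs (live {fingerprint(live)}, backup {fingerprint(saved)}): "
            "seeds encrypted under one key cannot be read with the other"
        ]
    return []


def _sample_env(key_bytes):
    # Constructed .env contents for the demonstration only.
    return "APP_NAME=2FAuth\nAPP_KEY=base64:" + base64.b64encode(key_bytes).decode() + "\n"


LIVE_ENV = _sample_env(bytes(range(32)))
REGENERATED_ENV = _sample_env(bytes(range(32, 64)))  # what a careless re-deploy produces

if __name__ == "__main__":
    cases = [("matching copy", LIVE_ENV), ("regenerated .env", REGENERATED_ENV),
             ("database-only backup", None)]
    for label, backup in cases:
        print(label, "->", check_key_backup(LIVE_ENV, backup) or "ok")
```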

The second sharp edge is that database encryption is off by default. The "Protect sensitive data" option must be enabled manually in Admin > App setup. Most self-host walkthroughs skip that step. The seeds sit in plaintext in a SQLite file that a stolen backup hands over to anyone who restores it. The third is WebAuthn — 2FAuth supports hardware-key login, but the reverse-proxy and HSTS configuration has to be exact or the browser refuses the WebAuthn challenge.

We run 2FAuth in production with the boring decisions made by default. We turn database encryption on at provisioning. We rotate and back up the APP_KEY into a separate off-site bundle. We pin the PHP runtime to the upstream-supported branch and patch out-of-band when an OTPHP CVE lands. We configure the reverse-proxy headers WebAuthn needs. We run chrony against the NTP pool because TOTP fails on a drifting clock. The €9 covers all of that — not a config wizard, an operating service.
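
Why a drifting clock breaks TOTP, as an added example that is not code from 2FAuth or OTPHP: a standard-library RFC 6238 generator and a verifier, run against a host whose clock is off by a given number of seconds. The secret is the RFC 4226 test key, the timestamps are constructed, and the verifier's tolerance of one 30-second step either side is an assumption about the upstream service.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step, the RFC 6238 default


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret, unix_time, digits=6):
    """RFC 6238: HOTP with the counter set to the number of elapsed time steps."""
    return hotp(secret, int(unix_time) // STEP, digits)


def verify(secret, code, verifier_time, window=1, digits=6):
    """Return the step offset at which the code matched, or None if rejected.

    window is how many steps either side of "now" the verifier accepts
    (assumed to be 1 here; the real value is set by the upstream service).
    """
    base = int(verifier_time) // STEP
    for offset in sorted(range(-window, window + 1), key=abs):
        if hmac.compare_digest(hotp(secret, base + offset, digits), code):
            return offset
    return None


def drift_report(secret, verifier_time, drifts, window=1):
    """Map each clock drift (seconds) on the generating host to the verify() result."""
    return {
        drift: verify(secret, totp(secret, verifier_time + drift), verifier_time, window)
        for drift in drifts
    }


RFC_SECRET = b"12345678901234567890"  # test key published in RFC 4226 / RFC 6238
VERIFIER_TIME = 165  # constructed: 15 seconds into time step 5

if __name__ == "__main__":
    for drift, result in drift_report(RFC_SECRET, VERIFIER_TIME, [0, 10, 20, -20, 50, -50]).items():
        status = "rejected" if result is None else f"accepted at step offset {result:+d}"
        print(f"generator clock off by {drift:+4d}s: {status}")
```

A drift smaller than one step can still cross a step boundary, which is why the 20-second case only passes because of the verifier's tolerance window.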

REVIEWS

Hear from customers like you

Successful businesses and professionals around the world rely on DANIAN every day

USE CASES

Three teams who run 2FAuth on DANIAN

These are representative team types we set up most often. Each starts with the same flat €9 plan.

8-PERSON FINTECH DEVOPS TEAM

Migrating off Authy after the Twilio Verify pivot

Germany region, encrypted MySQL backend, WebAuthn enforced for vault login with two Yubikeys registered per engineer. Production-system TOTPs sit in an admin-managed group; personal codes stay in each engineer's own vault. Logs export nightly to the customer's SIEM. Total migration of about 180 entries from Authy took two and a half focused work-days because Authy never shipped an export.

12-PERSON PROFESSIONAL SERVICES FIRM

Replacing Authy desktop after the March 2024 shutdown

Brazil region for the LATAM team, SQLite backend, auto-logout set to five minutes. Migrated 200+ entries from Aegis Auth JSON exports — a one-click import that took seconds, not days. Browser extension installed in Firefox; SSO handled by Authelia in front of the 2FAuth login form. Single €9 instance for the whole firm.

SOLO DEVELOPER-CONSULTANT

Keeping client 2FA codes separated by engagement

Singapore region for low-latency access from across Asia-Pacific, single-user mode with encryption on. Each client engagement is a 2FAuth group — when an engagement ends, the group archives and the codes leave the active rotation. PWA installed on phone and laptop; Yubikey 5C NFC handles the vault-login second factor across both.

COMPARISON

Four ways to run 2FAuth

The honest comparison is between four operational paths, not between vendor brands. Proprietary cloud authenticator, self-hosted on a VPS, self-hosted on a home server, and DANIAN managed 2FAuth. The math holds at every scale.

| PATH | COST — 1 SEAT / 5 SEATS / 10 SEATS | OPS TIME / MONTH | KEY CUSTODY | REGION CHOICE |
|---|---|---|---|---|
| Proprietary SaaS (e.g. 1Password Business at $7.99/user/month, current 2026 pricing) | $7.99 / $39.95 / $79.90 per month | 0 hours | Vendor cloud, US-incorporated | Vendor decision |
| Self-host on a $24/month production-class VPS | €100–280 per month (infra + ops time) | 1–2 hours, plus 5–10 hours setup | Your APP_KEY, your problem if lost | You pick the provider |
| Self-host on a home server (e.g. Synology DS923+ or HP ProLiant ML30 Gen10) | €210–667 per month (amortised hardware, electricity, business internet, off-site backup, ops time) | 2–4 hours, on call when home internet drops | Your APP_KEY, your problem if lost | Your house |
| DANIAN Managed 2FAuth | €9 per month — flat, regardless of seats | 0 hours | Encryption on by default, APP_KEY backed up separately, recovery path tested | 21 datacenter locations across six continents |

Proprietary-SaaS price reflects 1Password Business list pricing of $7.99 per user per month with annual billing, current as of March 2026 (after the March 27, 2026 consumer-tier price increase that left Business unchanged). VPS and home-server math from DANIAN's published cost-framing reference. All numbers are illustrative reference points; verify against current vendor pricing pages before committing.

BY INDUSTRY

2FAuth for specific industries

Different sectors put different demands on a 2FA store. The regulation, the threat model, the team shape, and the audit posture all change what a good 2FAuth deployment looks like. Four configurations we see most often.

Engineering organisations under SOC 2 attestation must demonstrate multi-factor authentication on privileged access, with the relevant control being Common Criteria 6.1. Auditors want an inventory of every service account with MFA, and a way to show that the second-factor seed material is held under documented key custody — not in a personal Authy account that walks out the door when the engineer leaves.

We provision the 2FAuth instance with database encryption enabled, the APP_KEY backed into our own access-controlled key store, and an admin-managed group for shared service-account TOTPs that survives staff turnover. WebAuthn is enforced on the vault login. A typical 30-engineer organisation holds 60–100 service-account TOTP secrets in 2FAuth — GitHub Org, AWS root, CI/CD providers, registrar logins, the production DNS dashboard. Per-group permissions keep production-tier keys out of the developer pool.
Fintechs operating under PSD2 strong-customer-authentication and, in the EU, the Digital Operational Resilience Act (DORA, in force January 2025) need an authentication store with documented key custody, audit trails, and data-residency that maps to the supervising authority's jurisdiction. The DORA Article 9 ICT risk-management requirement explicitly covers identity and access controls for ICT third-party services.

We deploy 2FAuth in the Germany, France, Finland, Poland or other regions for EU-resident processing, with WebAuthn (Yubikey or Titan Security Key) enforced for vault login. The audit log records every code retrieval and exports to the customer's SIEM nightly. We pin the PHP runtime to the upstream-supported branch and patch out-of-band when an OTPHP library CVE is published — relevant because OTPHP is the cryptographic primitive 2FAuth uses for RFC 4226 and RFC 6238 generation. A typical compliance-engineering team holds 80–120 entries spanning treasury logins, payment-rail dashboards, KYC vendor portals, and AWS root accounts.
Law firms hold 2FA codes for court e-filing systems, registrar logins, client portals, matter-management software, and a long tail of vendor dashboards. ABA Model Rule 1.6 confidentiality obligations and the GDPR Article 32 "appropriate technical measures" requirement together push firms toward an authentication store under firm control rather than a vendor cloud whose subpoena posture and breach history are outside the firm's audit.

We run 2FAuth on encrypted MySQL, and set auto-logout at five minutes of inactivity by default. OTP obfuscation is on — codes stay hidden until clicked, so a co-working-office shoulder-surfer cannot read them from the screen. A typical partner holds 150–250 TOTP entries; per-group permissions let support staff hold a tightly-scoped subset without giving them the partner's entire authentication footprint.
Journalists protecting source-communication accounts and human-rights NGOs working in adversarial jurisdictions need a 2FA store that is not held by a US-incorporated authenticator vendor and not pinned to a phone number that can be SIM-swapped. The Citizen Lab's documented Pegasus and Predator targeting patterns from 2022–2025 lean heavily on phone-number-tied authentication as the compromise vector.

2FAuth runs in the DANIAN region the user chooses — Canada, US, Finland, Sweden, or others are the common picks — with no SMS dependency, no Twilio API in the path, and no phone number ever entered into the system. We enable database encryption at provisioning, set the auto-logout window to two minutes for high-risk profiles on request, and configure WebAuthn enforcement so a stolen password alone does not get past the second factor on the vault itself. A typical freelance investigative journalist holds 40–60 entries spanning encrypted-email providers, source-communication tools, financial accounts, and editor logins; the encrypted JSON export is the portable artifact if the journalist needs to move infrastructure quickly.

FAQ

Frequently asked questions

Everything teams ask before signing up — answered straight, without sales speak.

Three groups: technical setup, migration, and how DANIAN works as a service.

01

Technical and configuration

If database encryption is enabled and APP_KEY is lost without backup, the encrypted 2FA seeds in the database become permanently unrecoverable — 2FAuth's documentation states there is no workaround in case of key loss. We run every 2FAuth instance with the APP_KEY included in the daily off-site backup as a separate encrypted artifact, not co-located with the database file, so a single-disk failure does not destroy both. We also store the APP_KEY in our own access-controlled key store as a second copy.
Yes. Recent 2FAuth releases support multi-user mode — each user has their own vault inside one shared instance, with admin controls for invitations and password reset flows. We provision multi-user mode on request. A single €9/month 2FAuth instance can hold a small family, a 10-person agency, or a 30-engineer team's vaults — pricing does not scale per seat.
Yes. 2FAuth supports WebAuthn for login and can be configured to disable the traditional password form entirely once a key is registered. We have tested with YubiKey 5 series, YubiKey Bio, Titan Security Keys, and SoloKeys; any FIDO2 / WebAuthn-compliant key works. We enable WebAuthn at customer request during provisioning and walk through key registration on the shared chat — it is a five-minute setup, and we always recommend registering at least two keys for redundancy.
Almost always, yes. TOTP relies on the server clock being within 30 seconds of the upstream service's clock. We run chrony against the pool.ntp.org servers on every 2FAuth host, with monitoring that pages us if clock drift exceeds 200 milliseconds. If you ever see a code rejected, ping us on chat — we will check the host's clock skew and the upstream service's TOTP window before you debug your end.
Yes, and we configure the reverse proxy correctly out of the box. The common failure mode for self-hosters is the Laravel APP_URL and the proxy's X-Forwarded-Proto headers disagreeing, which breaks WebAuthn challenges (WebAuthn binds to the origin). We deploy each 2FAuth instance on a clean subdomain such as 2fa.yourdomain.com with the right APP_URL, headers, and TLS posture set before we hand it over.
Not in vanilla 2FAuth — the "Protect sensitive data" option is off by default and must be enabled in Admin > App setup. We enable it on every instance at provisioning and verify the encryption flag against the database before handover. Without it, the TOTP seeds sit in plaintext in the database file; with it, a stolen database backup is useless to whoever holds it unless they also hold the APP_KEY, which is stored separately.
The official 2FAuth extension for Chrome and Firefox connects to a running 2FAuth instance via an API token issued from your account settings. The extension itself stores no secrets — it pulls codes from your instance over TLS on demand. We walk customers through the token issue and the browser extension install during the trial; the token can be revoked from the 2FAuth admin panel at any time.
Yes, any time. 2FAuth supports encrypted JSON export of the entire vault, protected by a passphrase you set at export time. The export is portable to any 2FAuth instance you self-host, so the exit path is real — not a contractual fiction. We have written the same export to off-site backup for our own customers' instances too, as part of every daily backup run.

02

Migration and onboarding

We can activate your app on your own custom domain/subdomain. Examples: mydomain.com, anyword.mydomain.com.
Or, on our randomized free subdomain. Example: 963.apps.danian.cloud
If you wish to use a custom domain/subdomain, select that option when ordering your app (or notify us later). We will send you the required DNS records and if needed, our tech team will modify them for you.
21 datacenter locations across six continents. You choose the region at provisioning. Application data sits in the region you choose; pick whichever is closest to your users or matches your data-residency preference.
Yes. Request a region migration from the dashboard and we run the move in the background. The system emails you when the migration completes; total transfer time depends on data volume but typical instances finish in a few hours. There is no extra charge for a region change.
Yes. Full data export is available at any time, in a portable format you can bring to any infrastructure.
Yes — 2FAuth imports natively from 2FAS Auth JSON, Aegis JSON, Aegis plain text, Google Authenticator QR codes, and its own JSON format. Authy is the harder case: Authy never shipped an export feature, so the practical path is to disable Authy on each protected service one at a time and re-enable MFA pointing at 2FAuth.
From Aegis or 2FAS, the JSON import is one click and finishes in seconds. From Google Authenticator, you scan the migration QR code(s) the Google app generates and 2FAuth ingests all entries at once. From Authy, plan on three to five hours of focused work for 200 accounts because each service has to be re-enrolled individually — there is no shortcut anyone can offer here, since Authy itself blocks export.
Not natively — 2FAuth is an authenticator, not an identity provider, so it does not consume SAML or OIDC for vault login. The realistic SSO pattern is to put 2FAuth behind a reverse-proxy authenticator like Authelia or oauth2-proxy that does the SSO check first, then 2FAuth's own login layer after. We can deploy that pattern alongside the 2FAuth instance on request.
2FAuth sends a password-reset email via the SMTP server configured on the instance — we set that up against DANIAN's transactional mail provider at provisioning, so the reset flow works out of the box. If the email never arrives (a common self-host failure mode when SMTP is not configured), reply to the welcome email and we will reset the password manually from the server side after identity confirmation.

03

Billing, support, and platform

€9 covers everything we do for that app: hardware in the region you choose, daily off-site backups with one-click restore, automatic security patches and version upgrades, 24/7 monitoring, SSL and firewall, and engineering support on Email/LiveChat. There are no setup fees or hidden line items. For more info see our Pricing page.
If you decide to continue, we charge €9/app/month from day 8. If you don't, the trial ends and you can export your data. No card is required for the trial, and we never auto-charge you without explicit consent.
No. The €9/month is flat regardless of how many users log into your app. Add 5 users or 50; the price doesn't change.
24/7 Live chat and email support, both staffed by engineers who run the systems. We handle DNS configuration, SMTP setup, app integrations, performance tuning, troubleshooting, and migration help. Response time is typically under an hour. There is no tier system — every customer gets the same support.
Yes. Cancel from the dashboard. We don't charge a cancellation fee, we don't lock data, and we will export your data to you on request before deletion.
Every customer instance is backed up daily to a separate region from the primary. We test restores. You can request a restore at any backup point within the retention window — usually 7 days for daily backups.
Your application data sits in the region you choose at provisioning — 21 datacenter locations across six continents. Account-level data (billing, account email, support ticket history) is processed centrally. Application data region is picked by you, per app.
99.9% uptime SLA on every app, every tenant. Service credits are documented at danian.co/service-level-agreement. The status page is located at status.danian.co.
When your tenant approaches the resource ceiling — the base tier holds 1 vCPU/RAM, 30 GB storage — we notify you. Resource upgrades happen with your explicit consent; we will not upgrade your tenant or charge you without it.
We wait. We don't suspend the app or delete your data on the first failed charge. We email you, you fix the card on file, and we continue.
Invoices can be downloaded from the billing dashboard in PDF the day each charge succeeds. EU VAT is added where applicable and the VAT-reverse-charge regime applies for VAT-registered businesses with a valid number.
150+ open-source apps across automation, team chat, file sync, analytics, AI, password management, email marketing, dev tools, project management, smart home, CMS, and federated social. See the full catalog →
Yes. Every instance comes with a web-based terminal and a file manager in your DANIAN management dashboard. Useful for managing your data and customizations.
Resources scale with your usage. If your app needs more vCPU, RAM, or storage, we add it — and we ask first before any change to your plan. €9 is the floor; resource-heavy workloads may price higher, but you'll always know in advance.
Yes. We have both a Partner program and an Affiliate program available. Anybody can sign up.
No contract. No minimum commitment. Cancel anytime from the dashboard with one click. The 7-day free trial requires no credit card. After the trial converts to paid, you can still cancel at any month without notice or penalty.

DEPLOY IN YOUR REGION

21 datacenter locations on six continents

Pick the region closest to your users.

United States, Germany, Finland, Singapore, Australia, Brazil, Canada, Netherlands, UK, Spain, Italy, France, Sweden, Malaysia, India, Japan, Mexico, Poland, South Korea, Chile, South Africa and more coming soon


Try managed 2FAuth for 7 days

No card. Cancel from the dashboard.