mirror of
https://github.com/open-webui/open-webui.git
synced 2026-07-16 06:03:26 -05:00
[GH-ISSUE #1225] feat: 2FA/MFA TOTP support #12402
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @ghost on GitHub (Mar 20, 2024).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/1225
Is your feature request related to a problem? Please describe.
I'm running an instance of Open WebUI locally (with Ollama), however I do expose it to the internet to be able to access it on the go. Understanding the risks of making my service public, I looked through the Web UI settings looking to set up a 2FA device and realized that such setting does not exit, not even for a simple TOTP.
Describe the solution you'd like
Ability to set up a TOTP 2FA.
Describe alternatives you've considered
I've considered blocking access to the DNS subdomain where I run the app entirely at the reverse proxy level until the user authenticates with a local OIDC provider and attempts to access the Web UI again with the auth cookie it issues, however:
Attachments
Not to make a comparison, and hopefully that's not taken as unappreciation of all the hard work that you guys have done on the project, but OpenAI's web interface allows setting up MFA devices:
@mpepping commented on GitHub (Aug 3, 2024):
Adding 2FA in User/Account settings, plus an Admin setting to enforce 2FA for all users, would a valuable addition.
@Lanhild commented on GitHub (Oct 28, 2024):
#1953 should be a dependency before this gets implemented
@HeroCod commented on GitHub (Dec 4, 2024):
This would honestly be the best addition towards making open-webui more safe to access from the web or exposed interfaces, so i think it's worth a bump
Also, adding time-based 2FA should not require enormous work, so i think it'd be one of the better additions to work towards
@Lanhild commented on GitHub (Dec 4, 2024):
In my opinion, people needing 2FA generally delegate authentication to an external provider, which in turn does all the MFA work.
@sebdanielsson commented on GitHub (Dec 17, 2024):
Disagree. Most businesses will use SSO for their employees. 2FA is mostly a benefit for self-hosters that want to secure their publicly accessible instances.
@HeroCod commented on GitHub (Dec 17, 2024):
Which would be people like me for instance: i run the OpenWebUI on a reverse proxy setup and so far the only option i have for 2FA is a complex apache 2FA system (or at least that's the best i came up with without having to use a VPN)
@sh-rn commented on GitHub (Jan 20, 2025):
Just adding my comment that this would be very useful to add for anyone wanting to deploy their own instance of this. hoping we'll see this feature added soon!
@toni-cerise commented on GitHub (Feb 15, 2025):
push
@MacJedi42 commented on GitHub (Feb 16, 2025):
This would be extremely valuable for us.
@ErenayDev commented on GitHub (Feb 25, 2025):
up
@noccommander commented on GitHub (Feb 28, 2025):
up
@0e6df6bc5e4c7d830f2756f3b3aebfed commented on GitHub (Feb 28, 2025):
passkeys would be a great addition too! (I don't know anything about adding them, I just thought it'd be cool)
@Meticulous7 commented on GitHub (Mar 14, 2025):
Came here after discovering this functionality was missing. Please add ASAP ❤️
@exxocism commented on GitHub (Apr 5, 2025):
up
@StratosL commented on GitHub (Apr 7, 2025):
up
@toni-cerise commented on GitHub (Apr 8, 2025):
Implementation might be coming up soon, see https://github.com/open-webui/open-webui/pull/11953
@TensorTemplar commented on GitHub (Apr 9, 2025):
Oho, need to get back to this on the weekend it seems
@0e6df6bc5e4c7d830f2756f3b3aebfed commented on GitHub (Apr 9, 2025):
up
@sitolam commented on GitHub (Apr 17, 2025):
up
@petermoser commented on GitHub (May 27, 2025):
up
@velum commented on GitHub (May 27, 2025):
Up!
@ballerbude commented on GitHub (May 29, 2025):
This is so much required!
Right now, we're using Tailscale for all the devices that have to use open webui, because exposing the interface to the internet, without at least a simple TOTP, is not an option in our day and age.
@Funald commented on GitHub (Jun 2, 2025):
up!
@CoderViki commented on GitHub (Jun 16, 2025):
up!
@drax-uk commented on GitHub (Jun 16, 2025):
UP
@silentoplayz commented on GitHub (Jun 30, 2025):
OP hasn't made any visible progress towards addressing the issues I've pointed out within the mentioned PR. With that having been said, 2FA/MFA TOTP support will likely come in the form of a community contribution in order for users to see it come to fruition in Open WebUI.
@eleaner commented on GitHub (Jul 11, 2025):
is it still open?
@jeremy-windsor commented on GitHub (Aug 4, 2025):
came here searching for this exact thing. closest i found is cloudflare tunnel with mfa and open webui web authentication turned off.
@jeremy-windsor commented on GitHub (Aug 5, 2025):
i am working on adding topt to the authentication and will update after i have a pull or merge request ready. this will be my first contribution so i'm testing it thoroughly locally.
@HeroCod commented on GitHub (Aug 5, 2025):
Can you add me to the fork so i can help out?
I was starting to work on it too
@jeremy-windsor commented on GitHub (Aug 6, 2025):
I have completed it and will be adding it today. Sorry it took awhile to get the qrcode uri to work properly. This is my first contribution.
https://github.com/open-webui/open-webui/discussions/16338
@aestheticjmack commented on GitHub (Aug 27, 2025):
This and passkeys would be amazing
@go2digit-al commented on GitHub (Nov 11, 2025):
up
@tellidis commented on GitHub (Dec 30, 2025):
up
@castinformatica commented on GitHub (Jan 13, 2026):
up
@exxocism commented on GitHub (Feb 13, 2026):
up up
@klys commented on GitHub (Feb 19, 2026):
I would recommend instead of relying on local authentication use centralized authentication like keycloak, so we can let openwebui actually focus on what really matters: AI handling.