mirror of
https://github.com/open-webui/open-webui.git
synced 2026-07-16 06:03:26 -05:00
[GH-ISSUE #1225] feat: 2FA/MFA TOTP support #132129
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @ghost on GitHub (Mar 20, 2024).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/1225
Is your feature request related to a problem? Please describe.
I'm running an instance of Open WebUI locally (with Ollama), however I do expose it to the internet to be able to access it on the go. Understanding the risks of making my service public, I looked through the Web UI settings looking to set up a 2FA device and realized that such setting does not exit, not even for a simple TOTP.
Describe the solution you'd like
Ability to set up a TOTP 2FA.
Describe alternatives you've considered
I've considered blocking access to the DNS subdomain where I run the app entirely at the reverse proxy level until the user authenticates with a local OIDC provider and attempts to access the Web UI again with the auth cookie it issues, however:
Attachments
Not to make a comparison, and hopefully that's not taken as unappreciation of all the hard work that you guys have done on the project, but OpenAI's web interface allows setting up MFA devices:
@mpepping commented on GitHub (Aug 3, 2024):
Adding 2FA in User/Account settings, plus an Admin setting to enforce 2FA for all users, would a valuable addition.
@Lanhild commented on GitHub (Oct 28, 2024):
#1953 should be a dependency before this gets implemented
@HeroCod commented on GitHub (Dec 4, 2024):
This would honestly be the best addition towards making open-webui more safe to access from the web or exposed interfaces, so i think it's worth a bump
Also, adding time-based 2FA should not require enormous work, so i think it'd be one of the better additions to work towards
@Lanhild commented on GitHub (Dec 4, 2024):
In my opinion, people needing 2FA generally delegate authentication to an external provider, which in turn does all the MFA work.
@sebdanielsson commented on GitHub (Dec 17, 2024):
Disagree. Most businesses will use SSO for their employees. 2FA is mostly a benefit for self-hosters that want to secure their publicly accessible instances.
@HeroCod commented on GitHub (Dec 17, 2024):
Which would be people like me for instance: i run the OpenWebUI on a reverse proxy setup and so far the only option i have for 2FA is a complex apache 2FA system (or at least that's the best i came up with without having to use a VPN)
@sh-rn commented on GitHub (Jan 20, 2025):
Just adding my comment that this would be very useful to add for anyone wanting to deploy their own instance of this. hoping we'll see this feature added soon!
@toni-cerise commented on GitHub (Feb 15, 2025):
push
@MacJedi42 commented on GitHub (Feb 16, 2025):
This would be extremely valuable for us.
@ErenayDev commented on GitHub (Feb 25, 2025):
up
@noccommander commented on GitHub (Feb 28, 2025):
up
@0e6df6bc5e4c7d830f2756f3b3aebfed commented on GitHub (Feb 28, 2025):
passkeys would be a great addition too! (I don't know anything about adding them, I just thought it'd be cool)
@Meticulous7 commented on GitHub (Mar 14, 2025):
Came here after discovering this functionality was missing. Please add ASAP ❤️
@exxocism commented on GitHub (Apr 5, 2025):
up
@StratosL commented on GitHub (Apr 7, 2025):
up
@toni-cerise commented on GitHub (Apr 8, 2025):
Implementation might be coming up soon, see https://github.com/open-webui/open-webui/pull/11953
@TensorTemplar commented on GitHub (Apr 9, 2025):
Oho, need to get back to this on the weekend it seems
@0e6df6bc5e4c7d830f2756f3b3aebfed commented on GitHub (Apr 9, 2025):
up
@sitolam commented on GitHub (Apr 17, 2025):
up
@petermoser commented on GitHub (May 27, 2025):
up
@velum commented on GitHub (May 27, 2025):
Up!
@ballerbude commented on GitHub (May 29, 2025):
This is so much required!
Right now, we're using Tailscale for all the devices that have to use open webui, because exposing the interface to the internet, without at least a simple TOTP, is not an option in our day and age.
@Funald commented on GitHub (Jun 2, 2025):
up!
@CoderViki commented on GitHub (Jun 16, 2025):
up!
@drax-uk commented on GitHub (Jun 16, 2025):
UP
@silentoplayz commented on GitHub (Jun 30, 2025):
OP hasn't made any visible progress towards addressing the issues I've pointed out within the mentioned PR. With that having been said, 2FA/MFA TOTP support will likely come in the form of a community contribution in order for users to see it come to fruition in Open WebUI.
@eleaner commented on GitHub (Jul 11, 2025):
is it still open?
@jeremy-windsor commented on GitHub (Aug 4, 2025):
came here searching for this exact thing. closest i found is cloudflare tunnel with mfa and open webui web authentication turned off.
@jeremy-windsor commented on GitHub (Aug 5, 2025):
i am working on adding topt to the authentication and will update after i have a pull or merge request ready. this will be my first contribution so i'm testing it thoroughly locally.
@HeroCod commented on GitHub (Aug 5, 2025):
Can you add me to the fork so i can help out?
I was starting to work on it too
@jeremy-windsor commented on GitHub (Aug 6, 2025):
I have completed it and will be adding it today. Sorry it took awhile to get the qrcode uri to work properly. This is my first contribution.
https://github.com/open-webui/open-webui/discussions/16338
@aestheticjmack commented on GitHub (Aug 27, 2025):
This and passkeys would be amazing
@go2digit-al commented on GitHub (Nov 11, 2025):
up
@tellidis commented on GitHub (Dec 30, 2025):
up
@castinformatica commented on GitHub (Jan 13, 2026):
up
@exxocism commented on GitHub (Feb 13, 2026):
up up
@klys commented on GitHub (Feb 19, 2026):
I would recommend instead of relying on local authentication use centralized authentication like keycloak, so we can let openwebui actually focus on what really matters: AI handling.
@HeroCod commented on GitHub (May 4, 2026):
well, it's not like adding an internal 2fa server would have killed anyone, but at this point it almost feels like they don't want to add it out of spite or something similar... there was also a pull request integrating a basic 2fa with time-based-otp which has never been merged...
@jeremy-windsor commented on GitHub (May 18, 2026):
I've made 2 PR's for TOTP and both were rejected. It is a highly sought after minimal change the project owners don't want to add so we're stuck adding a layer on top of the already included authentication.
@Classic298 commented on GitHub (May 18, 2026):
Your first PR was rejected because you didn't sign the CLA. So I am not sure that counts because you immediately reopened it as a new PR with the signed CLA. So only one was actually rejected for other reasons than automated.
I left a very long comment on your PR for why I closed it for now.
Your PR introduces massive security vulnerabilities, introduces attack vectors, ships dead code from the get-go and is not following good-practices for the database migrations you are doing. If merged, we'd have gained 4 weeks of additional work with incoming security advisories and bug reports.
Furthermore, and more importantly: I asked several clarifying questions about your PR which you did not respond to. Why not? You did not plumb it into the main app state or redis or database at least in no way that i could see and the PR description seems faulty throughout. Claiming things that aren't there, claiming docs PRs that don't exist and claiming screenshots that you never uploaded.
Such security critical authentication features need to be properly tested and reviewed. My review is that. The PR as is, is inadequate to be merged and was therefore closed. Not because the feature is inherently not wanted.
For anyone who wants to see the review i left it here: https://github.com/open-webui/open-webui/pull/24841#issuecomment-4471525713
Before reopening please discuss here, especially with @tjbck - this was my main reason for closure
And commenting here, instead of answering my review's questions, findings, concerns and points and saying "the project owners don't want [it]" is not professional
@jeremy-windsor commented on GitHub (May 19, 2026):
It sounded to me like the project didn't want to add TOTP, if that is incorrect then I'm willing to devote time and resources to adding to and resolving your feedback, which was appreciated. I have worked on resolving all of the items in your feedback in the latest fork, but I didn't want to submit them to the rejected PR. The comment here was based on the recent posts that flagged as follow up in my github subscriptions.
@Classic298 commented on GitHub (May 19, 2026):
@jeremy-windsor
So as I said, TOTP is something that many ask for, but @tjbck first needs to clarify how it should be added.
This hasn't happened yet, so any PR will not get merged in until that happened anyways.
Feel free to open a new PR, which Tim may be able to review some day. But since this is such a security criticial auth-component PR, it will go under much more scrutiny than other PRs. So make sure to test it properly because we will review it again of course
@jpaodev commented on GitHub (May 21, 2026):
Adding 2FA and a setting that allows choosing which user groups (e.g. all admins, all users, specific groups) MUST provide a 2FA code would be very helpful. This would be also helpful in situations where the instance admins do not want to force SSO with everytime 2FA upon all users (e.g. Entra ID supports this), but still require admins to provide a 2FA everytime.
While this could be done on the SSO side, there are certain situations where it cannot be done (easily), but of course the SSO way should always be preferred by everyone (no matter if private usage or larger scale usage) I suppose
@Classic298 commented on GitHub (May 21, 2026):
SSO - WITH open webui side 2fa in combination? Hm
@jpaodev commented on GitHub (May 21, 2026):
Yes, wanted to share this, because for me as an admin, this is an important use-case. Of course ideally it shouldn't be, ideally you would use roles from SSO and configure the SSO to force 2FA onto everybody with admin role
But I also know of SSO provider situations (from personal experience), where roles are not available at all in the setup e.g. Keycloak
Then once again everybody would have to do 2FA or nobody - additionally the Entra ID SSO can be very annoying (login, decline using a smartcard, select authenticator app instead, go to your phone, unlock the Microsoft Authenticator app, swipe down / wait for prompt to enter number, enter number, press OK -> I would much rather have TOTP or Webauthn Support
@jeremy-windsor commented on GitHub (May 22, 2026):
I want to avoid opening another PR before the project direction is clear.
I rebased my TOTP branch on current dev and worked through the feedback from 24841: config/app-state toggle, QR setup, MFA challenge/session handling, async backup-code hashing/verification, one-time backup-code consumption, auth-state revocation, OAuth MFA behavior, migration cleanup, and audit events.
Should I wait for @tjbck to say whether Open WebUI wants local TOTP at all, or would it help if I post a short design note first so the scope can be agreed before code review? The design note could cover local-account-only vs SSO behavior, disabled by default config, whether group/admin enforcement belongs in the first pass, backup-code/reset behavior, and migration/security constraints.