[GH-ISSUE #1225] feat: 2FA/MFA TOTP support #51067

Open
opened 2026-05-05 11:53:38 -05:00 by GiteaMirror · 38 comments
Owner

Originally created by @ghost on GitHub (Mar 20, 2024).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/1225

I'm running an instance of Open WebUI locally (with Ollama), however I do expose it to the internet to be able to access it on the go. Understanding the risks of making my service public, I looked through the Web UI settings looking to set up a 2FA device and realized that such setting does not exit, not even for a simple TOTP.

Describe the solution you'd like

Ability to set up a TOTP 2FA.

Describe alternatives you've considered

I've considered blocking access to the DNS subdomain where I run the app entirely at the reverse proxy level until the user authenticates with a local OIDC provider and attempts to access the Web UI again with the auth cookie it issues, however:

  • this will break any exsting or future ability of mobile clients to integrate with my local service completely (unless they defer JWT acquisition to a WebView),
  • and will create a very awkward authentication flow where I'd have to authenticate twice. Once to be allowed to access the subdomain where Open WebUI runs, twice to log into the Web UI.

Attachments

Not to make a comparison, and hopefully that's not taken as unappreciation of all the hard work that you guys have done on the project, but OpenAI's web interface allows setting up MFA devices:

image

Originally created by @ghost on GitHub (Mar 20, 2024). Original GitHub issue: https://github.com/open-webui/open-webui/issues/1225 ## Is your feature request related to a problem? Please describe. I'm running an instance of Open WebUI locally (with Ollama), however I do expose it to the internet to be able to access it on the go. Understanding the risks of making my service public, I looked through the Web UI settings looking to set up a 2FA device and realized that such setting does not exit, not even for a simple TOTP. ## Describe the solution you'd like Ability to set up a TOTP 2FA. ## Describe alternatives you've considered I've considered blocking access to the DNS subdomain where I run the app entirely at the reverse proxy level until the user authenticates with a local OIDC provider and attempts to access the Web UI again with the auth cookie it issues, however: * this will break any exsting or future ability of mobile clients to integrate with my local service completely (unless they defer JWT acquisition to a WebView), * and will create a very awkward authentication flow where I'd have to authenticate twice. Once to be allowed to access the subdomain where Open WebUI runs, twice to log into the Web UI. ## Attachments Not to make a comparison, and hopefully that's not taken as unappreciation of all the hard work that you guys have done on the project, but OpenAI's web interface allows setting up MFA devices: ![image](https://github.com/open-webui/open-webui/assets/23281304/5d68dbef-cf1e-4453-8291-d0161a32f3e4)
Author
Owner

@mpepping commented on GitHub (Aug 3, 2024):

Adding 2FA in User/Account settings, plus an Admin setting to enforce 2FA for all users, would a valuable addition.

<!-- gh-comment-id:2266570324 --> @mpepping commented on GitHub (Aug 3, 2024): Adding 2FA in User/Account settings, plus an Admin setting to enforce 2FA for all users, would a valuable addition.
Author
Owner

@Lanhild commented on GitHub (Oct 28, 2024):

#1953 should be a dependency before this gets implemented

<!-- gh-comment-id:2440258898 --> @Lanhild commented on GitHub (Oct 28, 2024): #1953 should be a dependency before this gets implemented
Author
Owner

@HeroCod commented on GitHub (Dec 4, 2024):

This would honestly be the best addition towards making open-webui more safe to access from the web or exposed interfaces, so i think it's worth a bump

Also, adding time-based 2FA should not require enormous work, so i think it'd be one of the better additions to work towards

<!-- gh-comment-id:2517767397 --> @HeroCod commented on GitHub (Dec 4, 2024): This would honestly be the best addition towards making open-webui more safe to access from the web or exposed interfaces, so i think it's worth a bump Also, adding time-based 2FA should not require enormous work, so i think it'd be one of the better additions to work towards
Author
Owner

@Lanhild commented on GitHub (Dec 4, 2024):

In my opinion, people needing 2FA generally delegate authentication to an external provider, which in turn does all the MFA work.

<!-- gh-comment-id:2517903495 --> @Lanhild commented on GitHub (Dec 4, 2024): In my opinion, people needing 2FA generally delegate authentication to an external provider, which in turn does all the MFA work.
Author
Owner

@sebdanielsson commented on GitHub (Dec 17, 2024):

In my opinion, people needing 2FA generally delegate authentication to an external provider, which in turn does all the MFA work.

Disagree. Most businesses will use SSO for their employees. 2FA is mostly a benefit for self-hosters that want to secure their publicly accessible instances.

<!-- gh-comment-id:2548736851 --> @sebdanielsson commented on GitHub (Dec 17, 2024): > In my opinion, people needing 2FA generally delegate authentication to an external provider, which in turn does all the MFA work. Disagree. Most businesses will use SSO for their employees. 2FA is mostly a benefit for self-hosters that want to secure their publicly accessible instances.
Author
Owner

@HeroCod commented on GitHub (Dec 17, 2024):

In my opinion, people needing 2FA generally delegate authentication to an external provider, which in turn does all the MFA work.

Disagree. Most businesses will use SSO for their employees. 2FA is mostly a benefit for self-hosters that want to secure their publicly accessible instances.

Which would be people like me for instance: i run the OpenWebUI on a reverse proxy setup and so far the only option i have for 2FA is a complex apache 2FA system (or at least that's the best i came up with without having to use a VPN)

<!-- gh-comment-id:2549483659 --> @HeroCod commented on GitHub (Dec 17, 2024): > > In my opinion, people needing 2FA generally delegate authentication to an external provider, which in turn does all the MFA work. > > Disagree. Most businesses will use SSO for their employees. 2FA is mostly a benefit for self-hosters that want to secure their publicly accessible instances. Which would be people like me for instance: i run the OpenWebUI on a reverse proxy setup and so far the only option i have for 2FA is a complex apache 2FA system (or at least that's the best i came up with without having to use a VPN)
Author
Owner

@sh-rn commented on GitHub (Jan 20, 2025):

Just adding my comment that this would be very useful to add for anyone wanting to deploy their own instance of this. hoping we'll see this feature added soon!

<!-- gh-comment-id:2603109834 --> @sh-rn commented on GitHub (Jan 20, 2025): Just adding my comment that this would be very useful to add for anyone wanting to deploy their own instance of this. hoping we'll see this feature added soon!
Author
Owner

@toni-cerise commented on GitHub (Feb 15, 2025):

push

<!-- gh-comment-id:2661093800 --> @toni-cerise commented on GitHub (Feb 15, 2025): push
Author
Owner

@MacJedi42 commented on GitHub (Feb 16, 2025):

This would be extremely valuable for us.

<!-- gh-comment-id:2661615598 --> @MacJedi42 commented on GitHub (Feb 16, 2025): This would be extremely valuable for us.
Author
Owner

@ErenayDev commented on GitHub (Feb 25, 2025):

up

<!-- gh-comment-id:2682479289 --> @ErenayDev commented on GitHub (Feb 25, 2025): up
Author
Owner

@noccommander commented on GitHub (Feb 28, 2025):

up

<!-- gh-comment-id:2690643920 --> @noccommander commented on GitHub (Feb 28, 2025): up
Author
Owner

@0e6df6bc5e4c7d830f2756f3b3aebfed commented on GitHub (Feb 28, 2025):

passkeys would be a great addition too! (I don't know anything about adding them, I just thought it'd be cool)

<!-- gh-comment-id:2690988781 --> @0e6df6bc5e4c7d830f2756f3b3aebfed commented on GitHub (Feb 28, 2025): passkeys would be a great addition too! (I don't know anything about adding them, I just thought it'd be cool)
Author
Owner

@Meticulous7 commented on GitHub (Mar 14, 2025):

Came here after discovering this functionality was missing. Please add ASAP ❤️

<!-- gh-comment-id:2725000789 --> @Meticulous7 commented on GitHub (Mar 14, 2025): Came here after discovering this functionality was missing. Please add ASAP ❤️
Author
Owner

@exxocism commented on GitHub (Apr 5, 2025):

up

<!-- gh-comment-id:2781128690 --> @exxocism commented on GitHub (Apr 5, 2025): up
Author
Owner

@StratosL commented on GitHub (Apr 7, 2025):

up

<!-- gh-comment-id:2782935783 --> @StratosL commented on GitHub (Apr 7, 2025): up
Author
Owner

@toni-cerise commented on GitHub (Apr 8, 2025):

Implementation might be coming up soon, see https://github.com/open-webui/open-webui/pull/11953

<!-- gh-comment-id:2787539756 --> @toni-cerise commented on GitHub (Apr 8, 2025): Implementation might be coming up soon, see [https://github.com/open-webui/open-webui/pull/11953](https://github.com/open-webui/open-webui/pull/11953)
Author
Owner

@TensorTemplar commented on GitHub (Apr 9, 2025):

Oho, need to get back to this on the weekend it seems

<!-- gh-comment-id:2790063261 --> @TensorTemplar commented on GitHub (Apr 9, 2025): Oho, need to get back to this on the weekend it seems
Author
Owner

@0e6df6bc5e4c7d830f2756f3b3aebfed commented on GitHub (Apr 9, 2025):

up

<!-- gh-comment-id:2790750602 --> @0e6df6bc5e4c7d830f2756f3b3aebfed commented on GitHub (Apr 9, 2025): up
Author
Owner

@sitolam commented on GitHub (Apr 17, 2025):

up

<!-- gh-comment-id:2813217419 --> @sitolam commented on GitHub (Apr 17, 2025): up
Author
Owner

@petermoser commented on GitHub (May 27, 2025):

up

<!-- gh-comment-id:2911844915 --> @petermoser commented on GitHub (May 27, 2025): up
Author
Owner

@velum commented on GitHub (May 27, 2025):

Up!

<!-- gh-comment-id:2912693555 --> @velum commented on GitHub (May 27, 2025): Up!
Author
Owner

@ballerbude commented on GitHub (May 29, 2025):

This is so much required!

Right now, we're using Tailscale for all the devices that have to use open webui, because exposing the interface to the internet, without at least a simple TOTP, is not an option in our day and age.

<!-- gh-comment-id:2919433230 --> @ballerbude commented on GitHub (May 29, 2025): This is so much required! Right now, we're using Tailscale for all the devices that have to use open webui, because exposing the interface to the internet, without at least a simple TOTP, is not an option in our day and age.
Author
Owner

@Funald commented on GitHub (Jun 2, 2025):

up!

<!-- gh-comment-id:2930260545 --> @Funald commented on GitHub (Jun 2, 2025): up!
Author
Owner

@CoderViki commented on GitHub (Jun 16, 2025):

up!

<!-- gh-comment-id:2976018525 --> @CoderViki commented on GitHub (Jun 16, 2025): up!
Author
Owner

@drax-uk commented on GitHub (Jun 16, 2025):

UP

<!-- gh-comment-id:2976745582 --> @drax-uk commented on GitHub (Jun 16, 2025): UP
Author
Owner

@silentoplayz commented on GitHub (Jun 30, 2025):

Implementation might be coming up soon, see https://github.com/open-webui/open-webui/pull/11953

OP hasn't made any visible progress towards addressing the issues I've pointed out within the mentioned PR. With that having been said, 2FA/MFA TOTP support will likely come in the form of a community contribution in order for users to see it come to fruition in Open WebUI.

<!-- gh-comment-id:3018490917 --> @silentoplayz commented on GitHub (Jun 30, 2025): > Implementation might be coming up soon, see [https://github.com/open-webui/open-webui/pull/11953](https://github.com/open-webui/open-webui/pull/11953) OP hasn't made any visible progress towards addressing the issues I've pointed out within the mentioned PR. With that having been said, 2FA/MFA TOTP support will likely come in the form of a community contribution in order for users to see it come to fruition in Open WebUI.
Author
Owner

@eleaner commented on GitHub (Jul 11, 2025):

is it still open?

<!-- gh-comment-id:3064067565 --> @eleaner commented on GitHub (Jul 11, 2025): is it still open?
Author
Owner

@jeremy-windsor commented on GitHub (Aug 4, 2025):

came here searching for this exact thing. closest i found is cloudflare tunnel with mfa and open webui web authentication turned off.

<!-- gh-comment-id:3152696297 --> @jeremy-windsor commented on GitHub (Aug 4, 2025): came here searching for this exact thing. closest i found is cloudflare tunnel with mfa and open webui web authentication turned off.
Author
Owner

@jeremy-windsor commented on GitHub (Aug 5, 2025):

i am working on adding topt to the authentication and will update after i have a pull or merge request ready. this will be my first contribution so i'm testing it thoroughly locally.

<!-- gh-comment-id:3156358786 --> @jeremy-windsor commented on GitHub (Aug 5, 2025): i am working on adding topt to the authentication and will update after i have a pull or merge request ready. this will be my first contribution so i'm testing it thoroughly locally.
Author
Owner

@HeroCod commented on GitHub (Aug 5, 2025):

i am working on adding topt to the authentication and will update after i have a pull or merge request ready. this will be my first contribution so i'm testing it thoroughly locally.

Can you add me to the fork so i can help out?

I was starting to work on it too

<!-- gh-comment-id:3156392169 --> @HeroCod commented on GitHub (Aug 5, 2025): > i am working on adding topt to the authentication and will update after i have a pull or merge request ready. this will be my first contribution so i'm testing it thoroughly locally. Can you add me to the fork so i can help out? I was starting to work on it too
Author
Owner

@jeremy-windsor commented on GitHub (Aug 6, 2025):

I have completed it and will be adding it today. Sorry it took awhile to get the qrcode uri to work properly. This is my first contribution.

https://github.com/open-webui/open-webui/discussions/16338

<!-- gh-comment-id:3161939235 --> @jeremy-windsor commented on GitHub (Aug 6, 2025): I have completed it and will be adding it today. Sorry it took awhile to get the qrcode uri to work properly. This is my first contribution. https://github.com/open-webui/open-webui/discussions/16338
Author
Owner

@aestheticjmack commented on GitHub (Aug 27, 2025):

This and passkeys would be amazing

<!-- gh-comment-id:3226652896 --> @aestheticjmack commented on GitHub (Aug 27, 2025): This and passkeys would be amazing
Author
Owner

@go2digit-al commented on GitHub (Nov 11, 2025):

up

<!-- gh-comment-id:3518970375 --> @go2digit-al commented on GitHub (Nov 11, 2025): up
Author
Owner

@tellidis commented on GitHub (Dec 30, 2025):

up

<!-- gh-comment-id:3698253478 --> @tellidis commented on GitHub (Dec 30, 2025): up
Author
Owner

@castinformatica commented on GitHub (Jan 13, 2026):

up

<!-- gh-comment-id:3743805430 --> @castinformatica commented on GitHub (Jan 13, 2026): up
Author
Owner

@exxocism commented on GitHub (Feb 13, 2026):

up up

<!-- gh-comment-id:3898092406 --> @exxocism commented on GitHub (Feb 13, 2026): up up
Author
Owner

@klys commented on GitHub (Feb 19, 2026):

I would recommend instead of relying on local authentication use centralized authentication like keycloak, so we can let openwebui actually focus on what really matters: AI handling.

<!-- gh-comment-id:3926880046 --> @klys commented on GitHub (Feb 19, 2026): I would recommend instead of relying on local authentication use centralized authentication like keycloak, so we can let openwebui actually focus on what really matters: AI handling.
Author
Owner

@HeroCod commented on GitHub (May 4, 2026):

well, it's not like adding an internal 2fa server would have killed anyone, but at this point it almost feels like they don't want to add it out of spite or something similar... there was also a pull request integrating a basic 2fa with time-based-otp which has never been merged...

<!-- gh-comment-id:4372591218 --> @HeroCod commented on GitHub (May 4, 2026): well, it's not like adding an internal 2fa server would have killed anyone, but at this point it almost feels like they don't want to add it out of spite or something similar... there was also a pull request integrating a basic 2fa with time-based-otp which has never been merged...
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#51067