[GH-ISSUE #24650] feat: Add Two-Factor Authentication (2FA) with Google Authenticator (TOTP) #91111

Open
opened 2026-05-15 16:23:16 -05:00 by GiteaMirror · 1 comment
Originally created by @sharyuke on GitHub (May 13, 2026).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/24650

Summary

First of all, thank you for building such an excellent self-hosted AI platform. Open WebUI is incredibly feature-rich and a joy to use. I truly appreciate all the work that goes into this project.

Motivation

While Open WebUI offers robust security features like RBAC, LDAP integration, and SSO via OAuth/OIDC, one critical layer of account protection is currently missing: Two-Factor Authentication (2FA).

Currently, an account is protected solely by a password. In a self-hosted environment exposed to the internet (even behind a reverse proxy), account credentials can be vulnerable to brute-force or credential-stuffing attacks. If a password is compromised or leaked, there is no second layer of defense to prevent unauthorized access.

Proposed Solution

Implement Time-based One-Time Password (TOTP) 2FA, compatible with Google Authenticator and similar authenticator apps (Authy, 1Password, Bitwarden, etc.).

Suggested Implementation Details

  • Per-user opt-in 2FA: Users can enable 2FA from their profile/settings page
  • TOTP standard: Use the standard TOTP algorithm (RFC 6238), compatible with Google Authenticator
  • Setup flow: Display a QR code during 2FA setup that users scan with their authenticator app
  • Recovery codes: Provide one-time recovery codes when 2FA is first enabled
  • Admin enforcement option: Allow administrators to mandate 2FA for all users or specific user groups
  • Backup verification: Graceful fallback handling if 2FA device is temporarily unavailable

Alternatives Considered

  • SMS-based 2FA: Not recommended due to SIM-swapping vulnerabilities
  • Hardware keys (WebAuthn/U2F): Excellent security but adds hardware cost and complexity for users
  • OAuth/SSO delegation: Already supported (Discussion #340), but requires an external identity provider

TOTP strikes the best balance between security and accessibility — users only need a free authenticator app on their phone.

Use Cases

  • Self-hosted deployments exposed to the public internet
  • Team environments where multiple users share an instance
  • Compliance requirements for organizations with security policies mandating 2FA
  • Anyone who wants an extra layer of protection beyond a strong password

Priority

This would be a significant security improvement for production deployments. Even a basic implementation (per-user opt-in TOTP) would greatly enhance account security without requiring major architectural changes.


Thank you again for this amazing project. I look forward to seeing how it continues to evolve.

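As an added, self-contained example (written for this page; it is neither Open WebUI code nor the issue author's), the enrollment and verification flow sketched in the proposal above, in Python since that is the language of Open WebUI's backend: secret generation, the otpauth URI that would be rendered as the setup QR code, RFC 6238 verification with a constant-time compare, a one-step drift window and replay rejection, and one-time recovery codes stored only as hashes. Function names, the issuer label and the 8+8 hex recovery-code format are assumptions; the constants used to check it come from RFC 6238 Appendix B (SHA-1, secret "12345678901234567890").

```python
"""Minimal RFC 6238 TOTP + recovery-code flow (added example, not Open WebUI code)."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional, Set, Tuple, List
from urllib.parse import quote

STEP = 30      # seconds per time step (Google Authenticator default)
DIGITS = 6     # code length
WINDOW = 1     # accept one step of clock drift on either side

# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"), base32-encoded.
RFC6238_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def generate_secret(nbytes: int = 20) -> str:
    """Fresh 160-bit secret, base32 without padding, as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode().rstrip("=")


def _decode_secret(secret_b32: str) -> bytes:
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / STEP)."""
    t = int(time.time()) if at is None else at
    return hotp(_decode_secret(secret_b32), t // STEP)


def provisioning_uri(secret_b32: str, account: str, issuer: str = "Open WebUI") -> str:
    """otpauth:// URI to render as the setup QR code (issuer/label format is an assumption)."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP}")


class TotpVerifier:
    """Per-user verifier: constant-time compare, drift window, no code reuse."""

    def __init__(self, secret_b32: str, window: int = WINDOW):
        self.key = _decode_secret(secret_b32)
        self.window = window
        self.last_step = -1  # highest time step already accepted; persist this per user

    def verify(self, code: str, at: Optional[int] = None) -> bool:
        if not (code.isdigit() and len(code) == DIGITS):
            return False
        now_step = (int(time.time()) if at is None else at) // STEP
        for delta in range(-self.window, self.window + 1):
            step = now_step + delta
            if step <= self.last_step:
                continue  # RFC 6238 section 5.2: a step that was already used is never accepted again
            if hmac.compare_digest(hotp(self.key, step), code):
                self.last_step = step
                return True
        return False


def _hash_recovery(code: str) -> str:
    return hashlib.sha256(code.lower().replace("-", "").encode()).hexdigest()


def generate_recovery_codes(n: int = 10) -> Tuple[List[str], Set[str]]:
    """One-time recovery codes: show the plaintext once, store only the SHA-256 digests."""
    codes = []
    for _ in range(n):
        raw = secrets.token_hex(8)              # 64 bits of entropy per code
        codes.append(f"{raw[:8]}-{raw[8:]}")    # xxxxxxxx-xxxxxxxx for readability
    return codes, {_hash_recovery(c) for c in codes}


def redeem_recovery_code(stored: Set[str], code: str) -> bool:
    """Burn a recovery code: it is valid at most once."""
    h = _hash_recovery(code.strip())
    if h in stored:
        stored.discard(h)
        return True
    return False


if __name__ == "__main__":
    secret = generate_secret()
    print(provisioning_uri(secret, "alice@example.com"))
    print("current code:", totp(secret))
```

Two points the block makes visible that the bullet list does not: with a one-step window there are three valid 6-digit codes at any moment, so the login endpoint still needs rate limiting and lockout on failed second-factor attempts; and the replay check only works if `last_step` is persisted per user, not kept in memory of one worker. The admin-enforcement bullet is a policy check at login (users without an enrolled secret are sent to setup), which is outside this block.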

@owui-terminator[bot] commented on GitHub (May 13, 2026):

🔍 Related Issues Found

I found some existing issues that might be related. Please check if any of these are duplicates or contain helpful solutions:

  1. 🟢 #1225 feat: 2FA/MFA TOTP support
    This is essentially the same request: adding TOTP-based 2FA/MFA for Open WebUI accounts, with the same motivation of protecting internet-exposed self-hosted instances. It even mentions the lack of a TOTP setting and asks for authenticator-app support.
    by ghost

💡 If your issue is a duplicate, please close it and add any additional details to the existing issue instead.

This comment was generated automatically. React with 👍 if helpful, 👎 if not.

Reference: github-starred/open-webui#91111