Fixed

• issue #533 Try my luck” feature is currently grayed out
• Some minor UI glitches

Fixed

• Unwanted toolbar in the Group selector when moving accounts

Fixed

• issue #532 Unable to create new entries via the Advanced Form

Added

• PR #526 Chinese Traditional translation, thanks to @olivertzeng
• PR #527 Allow pasting on upload page to add QR codes easily, thanks to @moritzuehlingo

New env vars

• BLOCK_OPTAUTH_IMAGELINK_FETCHING: Enable or disable fetching of resources linked in the imagelink parameter of OTPauth URIs encoded in QR codes (doc).
• THROTTLE_API_DURING_IMPORT: Specific rate limite for API calls made by the Import feature to prevent 429 error during large import (doc, #522).

Security fix

• Mitigate blind SSRF by adding URL validation before imagelink resources are fetched (thx @DenizParlak). This comes with the new BLOCK_OPTAUTH_IMAGELINK_FETCHING env var, which is set to true by default.
• Installation fails due to CVE-2025-45769 in transitive dependency firebase/php-jwt < 7.0.0 (via laravel/passport) (thx @MickLesk)

Fixed

• issue #509 manifest.json cannot be accessed through a reverse proxy
• issue #516 Local iconsPack is greyout - cant be selected for item
• issue #517 Typo: "recommanded" instead of "recommended"
• issue #519 Docker Container keeps crashing on boot
• issue #522 Test email missed text
• Bad groupSwitch button label on group change

2FAuth’s (not so) Major Update is Here!

The project keeps moving forward gently but surely, as it always has. This major version introduces a lot of changes under the hood, and although the change log isn't that ridiculous (with a nice addition over icon packs, see below), there isn’t much to get excited about (Sorry folks, sharing is not yet available).

I wish I could have released this version earlier, but work has also kept me pretty busy. I hope the next version will come out faster.

A Unified Foundation for Web and Browser Extension

One of the biggest changes in this release is the complete restructuring of the codebase for both the web app and browser extension. Both frontends now share a common set of Vue.js components, making them more consistent and much easier to maintain and evolve. This architectural shift is why I’ve bumped the version number—it’s a major step forward.

I’ve done my best to avoid regressions, but with changes this extensive and despite all my tests, there’s always a risk some features might not behave as expected, even if they were stable before. If you notice anything amiss, please let me know by opening an issue.

If you are participating in translating 2FAuth, you have probably received notification about a significant number of new translations. This is because I changed how translations are organized through files, there is now only one file per locale. I apologize for the additional workload this entails, but I couldn't avoid it. Hopefully, thanks to Crowdin's history feature, restoring your previous translations will be relatively quick. This is by the way a good opportunity to correct or complete them.

A Fresh Look with Lucide Icons

You’ll notice a subtle refresh to the web app’s interface. Just like the ones in the browser extension, all icons now come from the lucide.dev collection. This brings a touch of freshness and modernity to the application without changing it too much, as the Lucide collection is quite similar to FontAwesome, which was previously used.

Important notices

And last but not least:

Added

• 2FAuth can now fetch icons from offline icon packs. Visit the new Icon documentation page to learn how to set them up (#203).
• The sort order of 2FA accounts is saved to user preferences when changed from the Manage mode. This allows the account list to be reordered automatically after a new account is registered. (#377).
• Groups can be reordered (manually, from the Group management view) (#419).
• A new filter is available to only show 2FA accounts that do not belong to any group (#430).
• The Import feature now supports Bitwarden export (#501).

New env vars

• APP_KEY_FILE: Suffixed version of the APP_KEY environment variable to be used in conjunction with a docker secret (doc).
• APP_PREVIOUS_KEYS: Lists all application's former encryption keys to ensure data decryption after a key rotation (doc).

Changed

• PR #366 Separate env variables to a separate env file for docker compose, thanks to @sinipelto
• Group names now accept single quote (#465).
• Upon logging out, users are now redirected to the last login form they used: Password, SSO or Webauthn. (#478).
• Catchable errors that occur during the sending of a test email are now displayed in the UI to help you understand what's going on.

Fixed

• issue #447 Unable to import Google Authenticator.
• issue #464 Import error not correctly reported in the GUI.
• issue #481 HASH_DRIVER not working with argon with OID.
• issue #495 2FA.directory polluted by selfho.st call.
• issue #508 OpenID from new browser doesn't work - Email address already exists.
• Remaining loader after 422 response on login request.
• Missing Group selection in the advanced form after a QR code upload.
• Disabling the Remember active group user preference could lead to always returning to the last memorized group

API [1.9.0]

• /api/v1/icons/packs GET path added (doc).
• /api/v1/groups/reorder POST path added (doc).
• Add missing orderedIds property in /api/v1/twofaccounts/reorder POST response.

Fixed

• issue #510 Composer 2.7+ blocks installation due to svg-sanitize advisory

Unless you are an icon lover, there isn't much to get excited about with 2FAuth v5.6 (see below for details). That's because I'm focused on refactoring the web app's front end and the web extension so that they are built using shared components. The process is time consuming, but it's a necessary step to optimize future developments and avoid repeating code.

The shared components are ready, as is a new version of the web extension that makes use of these components. I plan to migrate the 2FAuth web app as soon as possible so that I can start working on new features again.

Added

• The Get official icon feature now includes two new icon providers, selfh.st and dashboardicons.com, as well as the ability to select a preferred variant or to switch between providers directly from the Advanced form. (#475).

New env vars

• OPENID_HTTP_VERIFY_SSL_PEER: Enable or disable SSL peer verification during OpenID authentication process (doc).

Changed

• Personal Access Token (PAT) can be used when authentication is restricted to SSO only. This is particularly useful when you want to use the 2FAuth web extension. Check out the new Allow PAT usage setting in the Admin > Auth > SSO section (#474).

Fixed

• issue #477 Steam OTP codes don't refresh when become invalid
• PR #482 Docker entrypoint not calling the right php-fpm version, thanks to @jkoch22

API [1.8.0]

• /api/v1/icons/default POST path added (doc).

Fixed

• issue #472 QR scan reader blocked by csp

Changed

• The Show next OTP user preference is enabled by default

Fixed

• issue #472 QR scan reader blocked by csp

Announcement

Did you know that the 2FAuth official web browser extension has been released!?

The goal of this web extension is to offer an alternative way to interact with your 2FAuth server and to make 2FA account registration and OTP generation even easier and faster.

It's still in early (and beta) stage, but it's functional. For now, only OTP generation is supported, as well as the Search & Group features. Next step is to be able to capture QR codes in the browser pages. This will allow to register a 2FA account in 2FAuth during the 2FA enrollment process on the service website.

• 2FAuth web extension for Firefox
• 2FAuth web extension for Chrome
• 2FAuth web extension for Edge

Feedback and bug reports (in this repository please) are very welcome.

Added

• It is now possible to define custom defaults for user preferences as well as to lock the preferences from being changed by users. This feature requires a bit of configuration, a dedicated page has been added to the documentation site to guide you through the process. (#413)
• A user preference to enable precalculation and display of the next OTP code.
  Don't be surprised if you don't see the next code right after enabling this option, the code fades in slowly in order to maintain good readability of the current code. (#416)
• New languages: Danish, Dutch, Italian, Korean, Portuguese (Brazilian)

Changed

• The version number has been removed from the footer and from the About page for unauthenticated users. (#432)
• 2FAuth now starts searching as soon as the user starts typing, without having to explicitly give focus to the search field. (#441)

Fixed

• issue #438 Sorting not working if "Service" is null
• issue #458 The /up route no longer creates sessions
• issue #462 The check for new versions is no longer triggered whereas the Check for new version setting is disabled
• PR #455 Logo size overflow, by @BitSleek
• Multiple Race Condition in Group Management Feature. Credits to @bugdiscole

API [1.7.0]

• New 403 response for the PUT operation of path /api/v1/user/preferences/{name}
• New 409 response for the POST operation of path /api/v1/groups/{id}/assign
• New locked property in the userPreference model