Yubikey. It supports TOTP as well as passkeys. Plus is a physical device separate from my phone. Recommend getting 2 to have 1 as backup
this post was submitted on 13 Oct 2025
128 points (97.8% liked)
Selfhosted
57238 readers
468 users here now
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
-
No low-effort posts. This is subjective and will largely be determined by the community member reports.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
founded 2 years ago
MODERATORS
Yubikeys. I think everyone should get a couple (need 2 in case 1 lost)
I personally use Ente Auth and quite like it, don't use syncing and save an encrypted copy to my PC. I really like that you can see what the next code will be.
Adding to the Aegis chorus.
I also use Proton Pass for some sites that aren't as critical for me / don't have a bunch of PII. It's easy.
What you mean syncing with Gnome app?
I use bitwaarden and stratum since it has a wearos app as well and it's nice to use that for 2fa codes
Started testing out stratum recently...
load more comments
(1 replies)
I used aegis for a long time, switched to protons after they introduced it. Ideally I'd be using something physical though like a yubikey
Stratum
I primarily use GNOME Authenticator, but after an inopportune crash, I now also run 2FAuth on my home server as a backup, and now just hope that I remember to do the export/import dance going forward.
Ente Auth
I use pass for my passwords, and it has an otp extension that I've been using more and more. I used to use aegis but I have needed to switch phones one too many times without having access to the previous phone to be comfortable with phones for 2fa.
Of course, this isn't as secure as a truly separate OTP solution, but it's still better than no OTP/2FA. And I can easily enough back up and restore my 2fa access over the internet, even on a new computer (albeit I need to also backup a PGP key that can decrypt the password store to truly be portable).
This is what I do. If someone can figure out pass with my password protected gpg, plus my passwords are partials (I salt them), and otp then they can have my access
plus my passwords are partials (I salt them)
I'm curious how you make that work - do you just remember the salts, store them separately, or what? I have like 50-70 passwords in my store currently, there's no way I'm remembering a (true random) salt for each one.
My salt is just a memorized password I put in addition to the one stored in pass
I use freeotp+, but it looks like it could be dead now. But I does have an export to file.
since no one mentioned andotp i might have to move away from it…
Woahhh defo not enough love for Ente Auth in tgese comments. Highly recommend! Its got a beautiful and intuitive UI, completely open-source and is back by super active devs and community 💚
A combination of Yubikey and Enpass (I got Enpass back when it was $15 for perpetual).