Implement Two-Factor Authentication (2FA / TOTP) for Login #978
Replies: 3 comments
Already implemented in the v5 prototype, v4 implementation may take a while.
We haven't been able to put this on the roadmap for v4 based releases. Possibly towards the end of 2026 we have some air to address some much requested features. We've allocated Q1 and Q2 to focus on the block expansion system, general performance optimization and critical security fixes. I want to allocate the amount of development time I feel is necessary to implement this feature confidently and to the standard I want to maintain for something like this. In the meantime, I’d recommend using a third-party social OAuth provider with proper 2FA support, since this system already supports passwordless authentication.
Some compatibility issues
This has been a personal key request for me as well for some time now, however the v4 build is not on a level I'd like it to be quite yet, and the v5 build was supposed to take its place by now. There I've been able to build proper authentication from the ground up, but we had difficulties finding the budget to finish that release.
Potential short-term solutions
In the past, we’ve been able to implement features like this on short notice through sponsored development funded by our customers. Through our sponsorship program, I’m able to allocate dedicated development time toward features like this, which in most cases also contribute back to the public release of LinkStack. If anyone is interested in sponsoring the development of this feature, feel free to contact us at info@linkstack.org. I’m very interested in exploring any opportunity to accelerate the implementation of this feature.
It's coming soon™...
Continuing on our current roadmap, we unfortunately have to ask for a bit more patience, as most of our development time over the coming months has already been allocated to higher-priority and more demanding work.
In addition to maintaining free and open-source software, we’re also committed to providing free, public access to our application for people who are unable to host it themselves. While this has proven to be very popular, it also presents significant logistical challenges for our small volunteer team. Right now, a large part of our focus is dedicated to planning and building a long-term hosting strategy that can sustainably provide free and open access for years to come. At the moment, we’re investing a considerable amount of both time and money into our hosting infrastructure, which has unfortunately slowed down the regular update pace of the open-source side of the project.
I'll move this to discussions. You can leave any feedback there if you'd like.
I’ve pinned this to the front page for visibility. Regardless of which development branch we decide to support long term, this is a feature I’d like to implement either way. Technically, this is definitely possible with the current v4 build. The main consideration is ensuring compatibility with the updater as well as all versions moving forward. On the v4 build I'd like to improve parts of our controller structure, and further refactor both the user and admin backends to align with higher development standards and best practices before changing the authentication structure. At the moment, a significant portion of the project still relies on legacy code contributed by the community over time. For v5, we’re planning to introduce a much stricter and cleaner foundation to support features like this in a more secure and maintainable way. I’ll update this thread as soon as I have more news regarding the feature.
Currently, LinkStack relies solely on single-factor, password-based authentication. Given the rising security threats and the fact that users manage their personal or business links/data through the dashboard, a single layer of security is often insufficient.
I would like to request the addition of native Two-Factor Authentication (2FA) support for user logins.
Ideally, this would be a Time-based One-Time Password (TOTP) implementation, allowing users to scan a QR code and use standard authenticator apps (like Google Authenticator, Authy, Aegis, Bitwarden, etc.) to generate a 6-digit code during login.
The current workaround to secure the login is to place the entire LinkStack instance behind a reverse proxy with a separate identity provider (such as Authelia, Authentik, or Cloudflare Zero Trust). However, this setup is too complex for many self-hosters and doesn't provide a native, per-user 2FA experience directly within the app dashboard.
Implementing native 2FA would greatly enhance the security of LinkStack and align it with modern security standards and self-hosting best practices. It would give users peace of mind when exposing their instance to the public internet.