Best Self Hosted Alternatives to Duo Security

Authelia is an open-source authentication and authorization server that provides identity and access management (IAM) for web applications. It commonly sits behind a reverse proxy to enforce single sign-on (SSO), multi-factor authentication (MFA), and fine-grained access policies.

Key Features

• OpenID Connect 1.0 provider (OpenID Certified) with OAuth 2.0 support for SSO integrations
• Reverse-proxy companion mode to allow, deny, or redirect requests based on authentication state
• Multiple MFA methods including TOTP and WebAuthn/FIDO2 security keys
• Granular authorization policies based on users, groups, domains, and resources
• Brute-force protection and login regulation/lockout controls
• Password reset flows (including LDAP or internal users) with email validation
• High availability-oriented design suitable for running multiple instances

Use Cases

• Protect internal tools and self-hosted apps behind a reverse proxy with SSO and MFA
• Provide an OIDC identity layer for applications that support OAuth2/OIDC login
• Enforce access control policies for different user groups across multiple domains

Authelia is a lightweight, security-focused IAM component that can centralize authentication and authorization for many web applications. It is particularly well-suited for homelabs and organizations that want modern SSO and MFA without adopting a full enterprise directory suite.

Tinyauth is a simple authentication middleware that sits in front of your web applications and provides a login screen or single sign-on via external identity providers. It is designed to be lightweight and easy to configure, making it well-suited for homelabs and small-to-medium self-hosted setups.

Key Features

• Adds an authentication layer in front of existing apps without modifying them
• Supports a built-in login screen with username/password
• OAuth / OIDC authentication with providers such as Google and GitHub (and others)
• LDAP authentication against a centralized directory
• Two-factor authentication support via TOTP
• Designed to integrate with popular reverse proxies such as Traefik, Nginx, and Caddy
• Ships as a single statically linked binary and is typically configured via environment variables

Use Cases

• Protect internal dashboards and admin tools behind a single login page
• Add SSO to self-hosted services that lack native authentication
• Gate access to homelab services exposed through a reverse proxy

Limitations and Considerations

• In active development; configuration and behavior may change between releases

Tinyauth provides a pragmatic way to add authentication in front of multiple services with minimal overhead. It is especially useful when you want a small, dependency-light component that works with common proxy-based deployments.

Pomerium is an identity- and context-aware access proxy that sits in front of applications to enforce Zero Trust access. It enables clientless access to internal web apps and services, applying policy to every request rather than relying on network perimeter trust.

Key Features

• Identity-aware access proxy for internal web apps and services
• Per-request authorization with continuous policy enforcement (not just session-based)
• Context-aware policies using signals like identity, time, and device context
• Works across cloud, hybrid, and on-prem environments without re-architecting apps
• Supports multiple identity types, including humans and non-human/service identities
• Audit-focused logging of access decisions to support compliance and investigations

Use Cases

• Replace or reduce reliance on traditional VPN access for internal applications
• Secure legacy apps that lack built-in authentication/authorization
• Enforce consistent, centralized access policy across mixed environments

Limitations and Considerations

• Requires integration with an identity provider and careful policy design to avoid overly-broad access
• Introducing a proxy layer may require planning for routing, certificates, and high availability in production

Pomerium is well-suited for teams that want identity-first, policy-based access controls for internal services. It provides a consistent way to secure applications and improve auditability while avoiding blanket network access typical of VPN-based approaches.

Kanidm is an identity management platform that centralizes users, groups, and authentication for your applications and infrastructure. It focuses on secure defaults, simple operations, and built-in capabilities so services can offload identity and access management to a single provider.

Key Features

• OAuth2/OIDC provider for single sign-on (SSO)
• WebAuthn passkeys support, including attested passkeys for higher assurance
• Application portal for launching and accessing linked applications
• Linux/Unix integration, including offline authentication support
• SSH public key distribution for Unix systems
• RADIUS support for network and VPN authentication
• Read-only LDAPS gateway for legacy LDAP-dependent systems
• Administration via CLI tooling plus Web UI for user self-service
• Two-node high availability using database replication

Use Cases

• Replace fragmented credentials with centralized SSO for internal web apps
• Provide strong phishing-resistant authentication using passkeys
• Manage Unix fleet access with centralized identities and SSH key delivery

Limitations and Considerations

• Administrative workflows are primarily CLI-driven, while the Web UI is focused on end-user self-service

Kanidm is a strong fit when you want a unified identity provider with modern authentication (passkeys) plus practical infrastructure integrations (Unix, SSH, RADIUS). It aims to deliver enterprise-grade capabilities with a streamlined operational model and secure-by-default design.

AuthPortal is a lightweight, Go-built authentication gateway that provides a unified login experience for Plex, Jellyfin, and Emby users. It issues signed session cookies, offers an admin console, and can act as an OAuth 2.1 / OIDC authorization server for downstream apps. (github.com)

Key Features

• Unified login flows for Plex (PIN flow), Jellyfin, and Emby with provider-specific handling.
• Signed, HTTP-only JWT session cookies and session lifecycle management.
• Optional TOTP-based multi-factor authentication with recovery codes and per-tenant enforcement.
• Built-in OAuth 2.1 / OIDC endpoints (discovery, JWKS, token, userinfo) with PKCE and refresh support.
• Admin SPA for runtime config editing (providers, security, MFA), OAuth client management, and encrypted config backups with scheduling/retention. (github.com)

Use Cases

• Provide single sign-on for a media-focused community (Plex/Jellyfin/Emby) across internal portals and apps.
• Act as a lightweight first-party OIDC authorization server for home-lab or intranet applications.
• Centralize MFA enforcement, OAuth client lifecycle, and runtime configuration for downstream services.

Limitations and Considerations

• Designed for same-origin / intranet scenarios; production use requires proper HTTPS reverse proxy and careful key management (SESSION_SECRET, DATA_KEY).
• Relies on Postgres for user/profile storage and expects you to manage DB availability, backups, and secret rotation. (github.com)

AuthPortal is intended for self-hosting in home-lab and media community environments. It emphasizes a small runtime footprint, containerized deployment, and extensible provider support while requiring operators to follow security best practices and manage secrets and backups carefully. (github.com)