Install MFA Sidecar

MFA Sidecar is packaged for YunoHost and is designed to run on a dedicated portal domain such as:

auth.example.org

It adds a browser-first MFA perimeter in front of selected YunoHost apps and paths, with a dedicated authentication portal, operator controls, and an explicit break-glass recovery model.

Recommended rollout

  1. Install MFA Sidecar on its own dedicated domain
  2. Verify the portal and admin UI
  3. Start with one low-risk target
  4. Test in a private/incognito browser window
  5. Expand protection only after the flow is proven

Important install notes

  • The portal should use a dedicated domain
  • The portal path should remain /
  • Do not use admin as the sidecar username
  • Use a distinct operator username such as mfaadmin
  • Treat unknown targets as Bypass until tested

What to test first

Good first targets:

  • a simple app on its own subdomain
  • a low-risk internal service
  • one app you can test safely in private browsing

Avoid protecting these first:

  • the root domain
  • the sidecar portal domain itself
  • the one app you need in order to recover if something goes wrong

What happens after install

After install you should be able to:

  • open the sidecar portal
  • sign in as the first sidecar admin
  • access the admin UI
  • protect one target and verify the redirect → login → return-to-app flow
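
A way to script the first step of the redirect → login → return-to-app check without a browser session, as an added example that is not part of MFA Sidecar or its documentation. It assumes a protected target answers an unauthenticated request with a 3xx redirect whose Location host is the portal domain; classify_response and app.example.org are hypothetical names, and the sample headers are constructed.

```shell
#!/bin/sh
# Added example, not MFA Sidecar code. Classifies the response headers of an
# unauthenticated request to a target you have just protected.
# Assumption: a protected target redirects (3xx) to the portal domain.

PORTAL_HOST="auth.example.org"   # dedicated portal domain, as in the page's example

# classify_response HEADERS PORTAL_HOST -> prints protected | bypass | unexpected
classify_response() {
    headers=$(printf '%s\n' "$1" | tr -d '\r')
    portal=$2
    # Status code is the second field of the status line ("HTTP/1.1 302 Found").
    status=$(printf '%s\n' "$headers" | awk 'NR==1 {print $2}')
    # First Location header, matched case-insensitively.
    location=$(printf '%s\n' "$headers" |
        awk 'tolower($1)=="location:" {print $2; exit}')
    # Host part of scheme://host[:port]/path, lowercased for an exact comparison.
    host=$(printf '%s\n' "$location" |
        sed -n 's#^[a-zA-Z][a-zA-Z0-9+.-]*://\([^/:?]*\).*#\1#p' |
        tr 'A-Z' 'a-z')
    case "$status" in
        3??)
            # Exact match only: a look-alike host must not count as the portal.
            if [ "$host" = "$portal" ]; then echo protected; else echo unexpected; fi ;;
        2??) echo bypass ;;        # content served without any portal redirect
        *)   echo unexpected ;;
    esac
}

# Constructed sample responses (not captured from a real install).
SAMPLE_PROTECTED='HTTP/1.1 302 Found
Location: https://auth.example.org/'
SAMPLE_BYPASS='HTTP/1.1 200 OK
Content-Type: text/html'
SAMPLE_LOOKALIKE='HTTP/1.1 302 Found
location: https://auth.example.org.invalid/'

for sample in "$SAMPLE_PROTECTED" "$SAMPLE_BYPASS" "$SAMPLE_LOOKALIKE"; do
    classify_response "$sample" "$PORTAL_HOST"
done

# Against a live target (hypothetical host); curl sends no cookies here,
# which matches the private-window test:
#   classify_response "$(curl -sS -D - -o /dev/null https://app.example.org/)" "$PORTAL_HOST"
```

A result of bypass on a target you meant to protect, or unexpected on any target, is the signal to stop and fix that target before expanding protection.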