privacyIDEA is a modular authentication server that can be used to implement 2fa with your existing applications. Can use many different back-ends, from LDAP to Active Directory to flat files. Has a self-service portal for users. Policies enforce different requirements on groups. Supports HOTP, TOTP, SafeNet, eToken Pass, Safeword, OTP cards, Google Authenticator, RADIUS, SMS one-time tokens...
Has a TokenClass which is designed for adding new authentication devices. Has a REST API. Plugins for many services available. Supports detailed audit logging. Supports multiple databases for its datastores. Database contents are AES encrypted.
Github repo: https://github.com/privacyidea/privacyidea