diff --git a/application/controllers/AccountController.php b/application/controllers/AccountController.php
index f172cfeca7..954ecb72ab 100644
--- a/application/controllers/AccountController.php
+++ b/application/controllers/AccountController.php
@@ -3,20 +3,27 @@
 
 namespace Icinga\Controllers;
 
+use GuzzleHttp\Psr7\ServerRequest;
 use Icinga\Application\Config;
+use Icinga\Authentication\TwoFactorTotp;
 use Icinga\Authentication\User\UserBackend;
+use Icinga\Common\Database;
 use Icinga\Data\ConfigObject;
 use Icinga\Exception\ConfigurationError;
 use Icinga\Forms\Account\ChangePasswordForm;
+use Icinga\Forms\Account\TwoFactorConfigForm;
 use Icinga\Forms\PreferenceForm;
 use Icinga\User\Preferences\PreferencesStore;
 use Icinga\Web\Controller;
+use ipl\Html\Contract\Form;
 
 /**
  * My Account
  */
 class AccountController extends Controller
 {
+    use Database;
+
     /**
      * {@inheritdoc}
      */
@@ -67,6 +74,25 @@ public function indexAction()
             }
         }
 
+        if ($user->can('user/two-factor-authentication')) {
+            $twoFactor = TwoFactorTotp::loadFromDb($this->getDb(), $user->getUsername());
+            if ($twoFactor === null) {
+                $twoFactor = TwoFactorTotp::generate($user->getUsername());
+            }
+
+            $twoFactorForm = new TwoFactorConfigForm();
+            $twoFactorForm->setUser($user);
+            $twoFactorForm->setTwoFactor($twoFactor);
+            $twoFactorForm->on(Form::ON_SUBMIT, function (TwoFactorConfigForm $form) {
+                if ($redirectUrl = $form->getRedirectUrl()) {
+                    $this->redirectNow($redirectUrl);
+                }
+            });
+            $twoFactorForm->handleRequest(ServerRequest::fromGlobals());
+
+            $this->view->twoFactorForm = $twoFactorForm;
+        }
+
         $form = new PreferenceForm();
         $form->setPreferences($user->getPreferences());
         if (isset($config->config_resource)) {
diff --git a/application/controllers/AuthenticationController.php b/application/controllers/AuthenticationController.php
index 752f8453c2..78d63eaaeb 100644
--- a/application/controllers/AuthenticationController.php
+++ b/application/controllers/AuthenticationController.php
@@ -3,16 +3,21 @@
 
 namespace Icinga\Controllers;
 
+use GuzzleHttp\Psr7\ServerRequest;
 use Icinga\Application\Hook\AuthenticationHook;
 use Icinga\Application\Icinga;
 use Icinga\Application\Logger;
+use Icinga\Authentication\Auth;
+use Icinga\Authentication\User\ExternalBackend;
 use Icinga\Common\Database;
 use Icinga\Exception\AuthenticationException;
 use Icinga\Forms\Authentication\LoginForm;
 use Icinga\Web\Controller;
 use Icinga\Web\Helper\CookieHelper;
 use Icinga\Web\RememberMe;
+use Icinga\Web\Session;
 use Icinga\Web\Url;
+use ipl\Html\Contract\Form;
 use RuntimeException;
 
 /**
@@ -41,7 +46,42 @@ public function loginAction()
         if (($requiresSetup = $icinga->requiresSetup()) && $icinga->setupTokenExists()) {
             $this->redirectNow(Url::fromPath('setup'));
         }
-        $form = new LoginForm();
+
+        $form = (new LoginForm())
+            ->setAction(Url::fromRequest()->getAbsoluteUrl())
+            ->on(Form::ON_SUBMIT, function (LoginForm $form) {
+                if ($redirectUrl = $form->getRedirectUrl()) {
+                    $this->redirectNow($redirectUrl);
+                }
+            })
+            ->on(Form::ON_SENT, function (LoginForm $form) {
+                if (
+                    $form->getElement('CSRFToken')->isValid()
+                    && $form->getPressedSubmitElement()?->getName() === $form::SUBMIT_CANCEL_2FA
+                ) {
+                    Session::getSession()->purge();
+                    $this->redirectNow(Url::fromRequest());
+                }
+            })
+            ->on(Form::ON_REQUEST, function ($request, LoginForm $form) {
+                $auth = Auth::getInstance();
+                $onlyExternal = true;
+                // TODO(el): This may be set on the auth chain once iterated. See Auth::authExternal().
+                foreach ($auth->getAuthChain() as $backend) {
+                    if (! $backend instanceof ExternalBackend) {
+                        $onlyExternal = false;
+                    }
+                }
+                if ($onlyExternal) {
+                    $form->addMessage($this->translate(
+                        'You\'re currently not authenticated using any of the web server\'s authentication'
+                        . 'mechanisms. Make sure you\'ll configure such, otherwise you\'ll not be able to login.'
+                    ));
+                    $form->onError();
+                }
+            });
+
+        $skip2fa = false;
 
         if (RememberMe::hasCookie() && $this->hasDb()) {
             $authenticated = false;
@@ -52,6 +92,7 @@ public function loginAction()
                     $rememberMe = $rememberMeOld->renew();
                     $this->getResponse()->setCookie($rememberMe->getCookie());
                     $rememberMe->persist($rememberMeOld->getAesCrypt()->getIV());
+                    $skip2fa = true;
                 }
             } catch (RuntimeException $e) {
                 Logger::error("Can't authenticate user via remember me cookie: %s", $e->getMessage());
@@ -64,7 +105,7 @@ public function loginAction()
             }
         }
 
-        if ($this->Auth()->isAuthenticated()) {
+        if ($this->Auth()->isAuthenticated($skip2fa)) {
             // Call provided AuthenticationHook(s) when login action is called
             // but icinga web user is already authenticated
             AuthenticationHook::triggerLogin($this->Auth()->getUser());
@@ -76,7 +117,7 @@ public function loginAction()
                     $this->httpBadRequest('nope');
                 }
             } else {
-                $redirectUrl = $form->getRedirectUrl();
+                $redirectUrl = $form->createRedirectUrl();
             }
 
             $this->redirectNow($redirectUrl);
@@ -91,9 +132,10 @@ public function loginAction()
                     ->sendResponse();
                 exit;
             }
-            $form->handleRequest();
+            $form->handleRequest(ServerRequest::fromGlobals());
         }
         $this->view->form = $form;
+        $this->view->cancel2faForm = $cancel2faForm ?? null;
         $this->view->defaultTitle = $this->translate('Icinga Web 2 Login');
         $this->view->requiresSetup = $requiresSetup;
     }
diff --git a/application/forms/Account/TwoFactorConfigForm.php b/application/forms/Account/TwoFactorConfigForm.php
new file mode 100644
index 0000000000..9c85c3b8d2
--- /dev/null
+++ b/application/forms/Account/TwoFactorConfigForm.php
@@ -0,0 +1,192 @@
+<?php
+
+/* Icinga Web 2 | (c) 2025 Icinga GmbH | GPLv2+ */
+
+namespace Icinga\Forms\Account;
+
+use Icinga\Authentication\TwoFactorTotp;
+use Icinga\Common\Database;
+use Icinga\User;
+use Icinga\Web\Form\Element\FakeFormElement;
+use Icinga\Web\Form\Validator\TotpTokenValidator;
+use Icinga\Web\Notification;
+use ipl\Html\Attributes;
+use ipl\Html\HtmlElement;
+use ipl\Html\Text;
+use ipl\Web\Common\FormUid;
+use ipl\Web\Compat\CompatForm;
+use ipl\Web\Url;
+use ipl\Web\Widget\CopyToClipboard;
+
+/**
+ * Form for enabling and disabling 2FA or creating and updating the 2FA TOTP secret
+ *
+ * This form is used to manage the 2FA settings of a user account.
+ */
+class TwoFactorConfigForm extends CompatForm
+{
+    use Database;
+    use FormUid;
+
+    /** @var User|null The user to work with */
+    protected ?User $user = null;
+
+    /** @var TwoFactorTotp The TwoFactorTotp instance to work with */
+    protected TwoFactorTotp $twoFactor;
+
+    /** @var string The submit button to verify the 2FA TOTP secret */
+    protected const SUBMIT_VERIFY = 'btn_submit_verify';
+
+    /** @var string The submit button to disable 2FA */
+    protected const SUBMIT_DISABLE = 'btn_submit_disable';
+
+    public function __construct()
+    {
+        $this->setAttribute('name', 'form_config_2fa');
+    }
+
+    /**
+     * Set the user to work with
+     *
+     * @param User $user The user to work with
+     *
+     * @return $this
+     */
+    public function setUser(User $user): static
+    {
+        $this->user = $user;
+
+        return $this;
+    }
+
+    /**
+     * Set the TwoFactorTotp instance to work with
+     *
+     * @param TwoFactorTotp $twoFactor
+     *
+     * @return $this
+     */
+    public function setTwoFactor(TwoFactorTotp $twoFactor): static
+    {
+        $this->twoFactor = $twoFactor;
+
+        return $this;
+    }
+
+    protected function assemble(): void
+    {
+        $this->addElement($this->createUidElement());
+
+        if (TwoFactorTotp::hasDbSecret($this->getDb(), $this->user->getUsername())) {
+            $this->addElement(
+                'submit',
+                static::SUBMIT_DISABLE,
+                [
+                    'label'               => $this->translate('Disable 2FA'),
+                    'data-progress-label' => $this->translate('Disabling')
+                ]
+            );
+        } else {
+            $this->addElement(
+                'checkbox',
+                'enabled_2fa',
+                [
+                    'class'       => 'autosubmit',
+                    'label'       => $this->translate('Enable 2FA (TOTP)'),
+                    'description' => $this->translate(
+                        'This option allows you to enable or to disable the two factor authentication via TOTP.'
+                    ),
+                ]
+            );
+
+            if ($this->getPopulatedValue('enabled_2fa') === 'y') {
+                // Keep the secret after form submission, otherwise every form submission would generate a new secret.
+                // This would result in the following:
+                // - Users would have to scan a new QR code every time the verification fails.
+                // - Token verification would fail every time because the secret would have changed.
+                if ($secret = $this->getPopulatedValue('2fa_totp_secret')) {
+                    $this->twoFactor = TwoFactorTotp::createFromSecret($secret, $this->user->getUsername());
+                }
+
+                $this->addHtml(new FakeFormElement(
+                    HtmlElement::create('img', Attributes::create([
+                        'class' => 'two-factor-totp-qr-code',
+                        'src'   => $this->twoFactor->createQRCode()
+                    ])),
+                    $this->translate('QR Code'),
+                    $this->translate('Use your authenticator app to scan the QR code.')
+                ));
+
+                $manualAuthUrl = HtmlElement::create(
+                    'div',
+                    Attributes::create(['class' => 'two-factor-totp-auth-url']),
+                    new Text($this->twoFactor->getTotpAuthUrl()),
+                );
+                CopyToClipboard::attachTo($manualAuthUrl);
+                $this->addHtml(new FakeFormElement(
+                    $manualAuthUrl,
+                    $this->translate('Manual Auth URL'),
+                    $this->translate('If you have no camera to scan the QR code you can enter the auth URL manually.')
+                ));
+
+                $this->addElement(
+                    'text',
+                    '2fa_verification_token',
+                    [
+                        'required'    => true,
+                        'label'       => $this->translate('Verification Token'),
+                        'description' => $this->translate(
+                            'Please enter the token from your authenticator app to verify your setup.'
+                        ),
+                        'validators'  => [new TotpTokenValidator()]
+                    ]
+                );
+
+                $this->addElement(
+                    'submit',
+                    static::SUBMIT_VERIFY,
+                    [
+                        'label'               => $this->translate('Verify 2FA TOTP Secret'),
+                        'data-progress-label' => $this->translate('Verifying')
+                    ]
+                );
+            }
+        }
+
+        $this->addElement(
+            'hidden',
+            '2fa_totp_secret',
+            [
+                'value' => $this->twoFactor->getSecret()
+            ]
+        );
+    }
+
+    protected function onSuccess(): void
+    {
+        $twoFactor = TwoFactorTotp::createFromSecret($this->getValue('2fa_totp_secret'), $this->user->getUsername());
+
+        switch ($this->getPressedSubmitElement()?->getName()) {
+            case static::SUBMIT_VERIFY:
+                $token = $this->getValue('2fa_verification_token');
+                if ($token && $twoFactor->verify($token)) {
+                    $twoFactor->saveToDb();
+                    Notification::success($this->translate('2FA via TOTP has been configured successfully.'));
+                } else {
+                    Notification::error($this->translate('The verification token is invalid. Please try again.'));
+
+                    // Don't redirect in this case, as the user might want to try again.
+                    return;
+                }
+
+                break;
+            case static::SUBMIT_DISABLE:
+                $twoFactor->removeFromDb();
+                Notification::success($this->translate('2FA TOTP secret has been removed.'));
+
+                break;
+        }
+
+        $this->setRedirectUrl(Url::fromRequest());
+    }
+}
diff --git a/application/forms/Authentication/Challenge2FAForm.php b/application/forms/Authentication/Challenge2FAForm.php
new file mode 100644
index 0000000000..520a6798c2
--- /dev/null
+++ b/application/forms/Authentication/Challenge2FAForm.php
@@ -0,0 +1,133 @@
+<?php
+
+/* Icinga Web 2 | (c) 2025 Icinga GmbH | GPLv2+ */
+
+namespace Icinga\Forms\Authentication;
+
+use Exception;
+use Icinga\Application\Hook\AuthenticationHook;
+use Icinga\Application\Icinga;
+use Icinga\Application\Logger;
+use Icinga\Authentication\Auth;
+use Icinga\Authentication\TwoFactorTotp;
+use Icinga\Common\Database;
+use Icinga\Web\Form\Validator\TotpTokenValidator;
+use Icinga\Web\Response;
+use Icinga\Web\Session;
+use Icinga\Web\Url;
+use ipl\Html\Attributes;
+use ipl\Html\FormDecoration\RenderElementDecorator;
+use ipl\Web\Common\CsrfCounterMeasure;
+use ipl\Web\Common\FormUid;
+use ipl\Web\Compat\CompatForm;
+
+class Challenge2FAForm extends CompatForm
+{
+    use CsrfCounterMeasure;
+    use Database;
+    use FormUid;
+
+    const SUBMIT_VERIFY = 'btn_submit_verify';
+
+    const SUBMIT_CANCEL = 'btn_submit_cancel';
+
+    public function __construct()
+    {
+        $this->addAttributes(Attributes::create(['name' => '2fa_challenge_form']));
+    }
+
+    /**
+     * Return the current Response
+     *
+     * @return Response
+     */
+    protected function getResponse(): Response
+    {
+        return Icinga::app()->getFrontController()->getResponse();
+    }
+
+    protected function assemble(): void
+    {
+        $this->addCsrfCounterMeasure(Session::getSession()->getId());
+        $this->addElement($this->createUidElement());
+
+        $this->addElement(
+            'text',
+            'token',
+            [
+                'required'       => true,
+                'class'          => 'autofocus content-centered',
+                'placeholder'    => $this->translate('Please enter your 2FA token'),
+                'autocomplete'   => 'off',
+                'autocapitalize' => 'off',
+                'decorators'     => [
+                    'RenderElement' => new RenderElementDecorator(),
+                    'Errors'        => ['name' => 'Errors', 'options' => ['class' => 'errors']]
+                ],
+                'validators'     => [new TotpTokenValidator()]
+            ]
+        );
+
+        $this->addElement(
+            'submit',
+            self::SUBMIT_VERIFY,
+            [
+                'data-progress-label' => $this->translate('Verifying'),
+                'label'               => $this->translate('Verify'),
+            ]
+        );
+
+        $this->addElement(
+            'submit',
+            self::SUBMIT_CANCEL,
+            [
+                'ignore'              => true,
+                'formnovalidate'      => true,
+                'class'               => 'btn-cancel',
+                'label'               => $this->translate('Cancel'),
+                'data-progress-label' => $this->translate('Canceling')
+            ]
+        );
+
+        $this->addElement(
+            'hidden',
+            'redirect',
+            [
+                'value' => Url::fromRequest()->getParam('redirect')
+            ]
+        );
+    }
+
+    protected function onSuccess(): void
+    {
+        $user = Auth::getInstance()->getUser();
+        $twoFactor = TwoFactorTotp::loadFromDb($this->getDb(), $user->getUsername());
+        if ($this->getElement('token') && $twoFactor->verify($this->getValue('token'))) {
+            $auth = Auth::getInstance();
+            $user = $auth->getUser();
+            $user->setTwoFactorSuccessful();
+
+            Session::getSession()->delete('2fa_must_challenge_token');
+
+            $auth->setAuthenticated($user);
+
+            if ($rememberMe = Session::getSession()->get('2fa_remember_me_cookie')) {
+                try {
+                    $this->getResponse()->setCookie($rememberMe->getCookie());
+                    $rememberMe->persist();
+                } catch (Exception $e) {
+                    Logger::error('Failed to let user "%s" stay logged in: %s', $user->getUsername(), $e);
+                }
+            }
+
+            // Call provided AuthenticationHook(s) after successful login
+            AuthenticationHook::triggerLogin($user);
+
+            $this->getResponse()->setRerenderLayout(true);
+
+            $this->setRedirectUrl(Url::fromRequest());
+        }
+
+        $this->getElement('token')->addMessage($this->translate('Token is invalid!'));
+    }
+}
diff --git a/application/forms/Authentication/LoginForm.php b/application/forms/Authentication/LoginForm.php
index 87b32ab3c6..74386c4fb2 100644
--- a/application/forms/Authentication/LoginForm.php
+++ b/application/forms/Authentication/LoginForm.php
@@ -6,122 +6,212 @@
 use Exception;
 use Icinga\Application\Config;
 use Icinga\Application\Hook\AuthenticationHook;
+use Icinga\Application\Icinga;
 use Icinga\Application\Logger;
 use Icinga\Authentication\Auth;
-use Icinga\Authentication\User\ExternalBackend;
+use Icinga\Authentication\TwoFactorTotp;
 use Icinga\Common\Database;
 use Icinga\Exception\Http\HttpBadRequestException;
 use Icinga\User;
-use Icinga\Web\Form;
+use Icinga\Web\Form\Validator\TotpTokenValidator;
 use Icinga\Web\RememberMe;
+use Icinga\Web\Response;
+use Icinga\Web\Session;
 use Icinga\Web\Url;
+use ipl\Html\FormDecoration\LabelDecorator;
+use ipl\Html\FormDecoration\RenderElementDecorator;
+use ipl\Web\Common\CsrfCounterMeasure;
+use ipl\Web\Common\FormUid;
+use ipl\Web\Compat\CompatForm;
+use ipl\Web\Compat\FormDecorator\CheckboxDecorator;
 
 /**
  * Form for user authentication
  */
-class LoginForm extends Form
+class LoginForm extends CompatForm
 {
+    use CsrfCounterMeasure;
     use Database;
+    use FormUid;
 
-    const DEFAULT_CLASSES = 'icinga-controls';
-
-    /**
-     * Redirect URL
-     */
+    /** @var string Redirect URL */
     const REDIRECT_URL = 'dashboard';
 
-    public static $defaultElementDecorators = [
-        ['ViewHelper', ['separator' => '']],
-        ['Help', []],
-        ['Errors', ['separator' => '']],
-        ['HtmlTag', ['tag' => 'div', 'class' => 'control-group']]
-    ];
+    /** @var string */
+    const SUBMIT_LOGIN = 'btn_submit_login';
 
-    /**
-     * {@inheritdoc}
-     */
-    public function init()
+    /** @var string */
+    const SUBMIT_VERIFY_2FA = 'btn_submit_verify_2fa';
+
+    /** @var string */
+    const SUBMIT_CANCEL_2FA = 'btn_submit_cancel_2fa';
+
+    public function __construct()
     {
-        $this->setRequiredCue(null);
-        $this->setName('form_login');
-        $this->setSubmitLabel($this->translate('Login'));
-        $this->setProgressLabel($this->translate('Logging in'));
+        $this->setAttribute('name', 'form_login');
     }
 
     /**
-     * {@inheritdoc}
+     * Return the current Response
+     *
+     * @return Response
      */
-    public function createElements(array $formData)
+    protected function getResponse(): Response
+    {
+        return Icinga::app()->getFrontController()->getResponse();
+    }
+
+    /** @return void */
+    public function assembleLoginElements(): void
     {
         $this->addElement(
             'text',
             'username',
-            array(
-                'autocapitalize'    => 'off',
-                'autocomplete'      => 'username',
-                'class'             => false === isset($formData['username']) ? 'autofocus' : '',
-                'placeholder'       => $this->translate('Username'),
-                'required'          => true
-            )
+            [
+                'required'       => true,
+                'autocomplete'   => 'username',
+                'autocapitalize' => 'off',
+                'class'          => ! isset($formData['username']) ? 'autofocus' : '',
+                'placeholder'    => $this->translate('Username'),
+                'decorators'     => [
+                    'RenderElement' => new RenderElementDecorator(),
+                    'ControlGroup'  => [
+                        'name'    => 'HtmlTag',
+                        'options' => ['tag' => 'div', 'class' => 'control-group']
+                    ]
+                ]
+            ]
         );
+
         $this->addElement(
             'password',
             'password',
-            array(
-                'required'      => true,
-                'autocomplete'  => 'current-password',
-                'placeholder'   => $this->translate('Password'),
-                'class'         => isset($formData['username']) ? 'autofocus' : ''
-            )
+            [
+                'required'     => true,
+                'autocomplete' => 'current-password',
+                'class'        => isset($formData['username']) ? 'autofocus' : '',
+                'placeholder'  => $this->translate('Password'),
+                'decorators'   => [
+                    'RenderElement' => new RenderElementDecorator(),
+                    'Errors'        => ['name' => 'Errors', 'options' => ['class' => 'errors']],
+                    'ControlGroup'  => [
+                        'name'    => 'HtmlTag',
+                        'options' => ['tag' => 'div', 'class' => 'control-group']
+                    ]
+                ]
+            ]
         );
+
         $this->addElement(
             'checkbox',
             'rememberme',
             [
-                'label'         => $this->translate('Stay logged in'),
-                'decorators'    => [
-                    ['ViewHelper', ['separator' => '']],
-                    ['Label', [
-                        'tag'       => 'span',
-                        'separator' => '',
-                        'class'     => 'control-label',
-                        'placement' => 'APPEND'
-                    ]],
-                    ['Help', []],
-                    ['Errors', ['separator' => '']],
-                    ['HtmlTag', ['tag' => 'div', 'class' => 'control-group remember-me-box']]
+                'label'      => $this->translate('Stay logged in'),
+                'disabled'   => ! RememberMe::isSupported(),
+                'decorators' => [
+                    'Checkbox'      => new CheckboxDecorator(),
+                    'RenderElement' => new RenderElementDecorator(),
+                    'Label'         => new LabelDecorator(),
+                    'ControlGroup'  => [
+                        'name'    => 'HtmlTag',
+                        'options' => ['tag' => 'div', 'class' => 'control-group remember-me-box']
+                    ]
                 ]
             ]
         );
-        if (! RememberMe::isSupported()) {
-            $this->getElement('rememberme')
-                ->setAttrib('disabled', true)
-                ->setDescription($this->translate(
-                    'Staying logged in requires a database configuration backend'
-                    . ' and an appropriate OpenSSL encryption method'
-                ));
+
+        $this->addElement(
+            'submit',
+            static::SUBMIT_LOGIN,
+            [
+                'label'               => $this->translate('Login'),
+                'data-progress-label' => $this->translate('Logging in'),
+            ]
+        );
+    }
+
+    /** @return void */
+    public function assembleTwoFactorElements(): void
+    {
+        $this->addElement(
+            'text',
+            'token',
+            [
+                'required'       => true,
+                'class'          => 'autofocus content-centered',
+                'placeholder'    => $this->translate('Please enter your 2FA token'),
+                'autocomplete'   => 'off',
+                'autocapitalize' => 'off',
+                'decorators'     => [
+                    'RenderElement' => new RenderElementDecorator(),
+                    'Errors'        => ['name' => 'Errors', 'options' => ['class' => 'errors']]
+                ],
+                'validators'     => [new TotpTokenValidator()]
+            ]
+        );
+
+        $this->addElement(
+            'submit',
+            static::SUBMIT_VERIFY_2FA,
+            [
+                'data-progress-label' => $this->translate('Verifying'),
+                'label'               => $this->translate('Verify'),
+            ]
+        );
+
+        $this->addElement(
+            'submit',
+            static::SUBMIT_CANCEL_2FA,
+            [
+                'ignore'              => true,
+                'formnovalidate'      => true,
+                'class'               => 'btn-cancel',
+                'label'               => $this->translate('Cancel'),
+                'data-progress-label' => $this->translate('Canceling')
+            ]
+        );
+
+        $this->addElement(
+            'hidden',
+            'redirect',
+            [
+                'value' => Url::fromRequest()->getParam('redirect')
+            ]
+        );
+    }
+
+    protected function assemble(): void
+    {
+        $this->addCsrfCounterMeasure(Session::getSession()->getId());
+        $this->addElement($this->createUidElement());
+
+        if (Session::getSession()->get('2fa_must_challenge_token', false)) {
+            $this->assembleTwoFactorElements();
+        } else {
+            $this->assembleLoginElements();
         }
 
         $this->addElement(
             'hidden',
             'redirect',
-            array(
+            [
                 'value' => Url::fromRequest()->getParam('redirect')
-            )
+            ]
         );
     }
 
     /**
-     * {@inheritdoc}
+     * @return string|null
+     * @throws HttpBadRequestException
      */
-    public function getRedirectUrl()
+    public function createRedirectUrl(): string|null
     {
         $redirect = null;
-        if ($this->created) {
+        if ($this->hasBeenAssembled) {
             $redirect = $this->getElement('redirect')->getValue();
         }
 
-        if (empty($redirect) || strpos($redirect, 'authentication/logout') !== false) {
+        if (empty($redirect) || str_contains($redirect, 'authentication/logout')) {
             $redirect = static::REDIRECT_URL;
         }
 
@@ -133,82 +223,123 @@ public function getRedirectUrl()
         return $redirectUrl;
     }
 
-    /**
-     * {@inheritdoc}
-     */
-    public function onSuccess()
+    protected function onSuccess(): void
     {
-        $auth = Auth::getInstance();
-        $authChain = $auth->getAuthChain();
-        $authChain->setSkipExternalBackends(true);
-        $user = new User($this->getElement('username')->getValue());
-        if (! $user->hasDomain()) {
-            $user->setDomain(Config::app()->get('authentication', 'default_domain'));
-        }
-        $password = $this->getElement('password')->getValue();
-        $authenticated = $authChain->authenticate($user, $password);
-        if ($authenticated) {
-            $auth->setAuthenticated($user);
-            if ($this->getElement('rememberme')->isChecked()) {
-                try {
-                    $rememberMe = RememberMe::fromCredentials($user->getUsername(), $password);
-                    $this->getResponse()->setCookie($rememberMe->getCookie());
-                    $rememberMe->persist();
-                } catch (Exception $e) {
-                    Logger::error('Failed to let user "%s" stay logged in: %s', $user->getUsername(), $e);
+        switch ($this->getPressedSubmitElement()?->getName())
+        {
+            case static::SUBMIT_LOGIN:
+                $auth = Auth::getInstance();
+                $authChain = $auth->getAuthChain();
+                $authChain->setSkipExternalBackends(true);
+                $user = new User($this->getElement('username')->getValue());
+                if (! $user->hasDomain()) {
+                    $user->setDomain(Config::app()->get('authentication', 'default_domain'));
+                }
+                $password = $this->getElement('password')->getValue();
+                $authenticated = $authChain->authenticate($user, $password);
+                if ($authenticated) {
+                    if (! $user->getTwoFactorEnabled()) {
+                        $auth->setAuthenticated($user);
+                    } else {
+                        $session = Session::getSession();
+                        $session->set('2fa_must_challenge_token', true);
+                        $session->set('2fa_temporary_user', $user);
+
+                        if ($this->getElement('rememberme')->isChecked()) {
+                            $rememberMe = RememberMe::fromCredentials($user->getUsername(), $password);
+                            $session->set('2fa_remember_me_cookie', $rememberMe);
+                        }
+
+                        $this->setRedirectUrl(Url::fromRequest());
+
+                        return;
+                    }
+
+                    if ($this->getElement('rememberme')->isChecked()) {
+                        try {
+                            $rememberMe = RememberMe::fromCredentials($user->getUsername(), $password);
+                            $this->getResponse()->setCookie($rememberMe->getCookie());
+                            $rememberMe->persist();
+                        } catch (Exception $e) {
+                            Logger::error('Failed to let user "%s" stay logged in: %s', $user->getUsername(), $e);
+                        }
+                    }
+
+                    // Call provided AuthenticationHook(s) after successful login
+                    AuthenticationHook::triggerLogin($user);
+
+                    $this->getResponse()->setRerenderLayout(true);
+                    $this->setRedirectUrl($this->createRedirectUrl());
+
+                    return;
+                }
+                switch ($authChain->getError()) {
+                    case $authChain::EEMPTY:
+                        $this->addMessage($this->translate(
+                            'No authentication methods available.'
+                            . ' Did you create authentication.ini when setting up Icinga Web 2?'
+                        ));
+
+                        break;
+                    case $authChain::EFAIL:
+                        $this->addMessage($this->translate(
+                            'All configured authentication methods failed.'
+                            . ' Please check the system log or Icinga Web 2 log for more information.'
+                        ));
+
+                        break;
+                    /** @noinspection PhpMissingBreakStatementInspection */
+                    case $authChain::ENOTALL:
+                        $this->addMessage($this->translate(
+                            'Please note that not all authentication methods were available.'
+                            . ' Check the system log or Icinga Web 2 log for more information.'
+                        ));
+                    // Move to default
+                    default:
+                        $this->getElement('password')->addMessage($this->translate('Incorrect username or password'));
                 }
-            }
 
-            // Call provided AuthenticationHook(s) after successful login
-            AuthenticationHook::triggerLogin($user);
-            $this->getResponse()->setRerenderLayout(true);
-            return true;
-        }
-        switch ($authChain->getError()) {
-            case $authChain::EEMPTY:
-                $this->addError($this->translate(
-                    'No authentication methods available.'
-                    . ' Did you create authentication.ini when setting up Icinga Web 2?'
-                ));
-                break;
-            case $authChain::EFAIL:
-                $this->addError($this->translate(
-                    'All configured authentication methods failed.'
-                    . ' Please check the system log or Icinga Web 2 log for more information.'
-                ));
-                break;
-            /** @noinspection PhpMissingBreakStatementInspection */
-            case $authChain::ENOTALL:
-                $this->addError($this->translate(
-                    'Please note that not all authentication methods were available.'
-                    . ' Check the system log or Icinga Web 2 log for more information.'
-                ));
-                // Move to default
-            default:
-                $this->getElement('password')->addError($this->translate('Incorrect username or password'));
                 break;
+
+            case static::SUBMIT_VERIFY_2FA:
+                $session = Session::getSession();
+                /** @var User $user */
+                $user = $session->get('2fa_temporary_user');
+                $twoFactor = TwoFactorTotp::loadFromDb($this->getDb(), $user->getUsername());
+                if ($this->getElement('token') && $twoFactor->verify($this->getValue('token'))) {
+                    $user->setTwoFactorSuccessful();
+                    $session->delete('2fa_must_challenge_token');
+                    Auth::getInstance()->setAuthenticated($user);
+
+                    if ($rememberMe = $session->get('2fa_remember_me_cookie')) {
+                        try {
+                            $this->getResponse()->setCookie($rememberMe->getCookie());
+                            $rememberMe->persist();
+                        } catch (Exception $e) {
+                            Logger::error('Failed to let user "%s" stay logged in: %s', $user->getUsername(), $e);
+                        }
+                    }
+
+                    // Call provided AuthenticationHook(s) after successful login
+                    AuthenticationHook::triggerLogin($user);
+
+                    $this->getResponse()->setRerenderLayout(true);
+
+                    $this->setRedirectUrl(Url::fromRequest());
+
+                    return;
+                }
+
+                $this->getElement('token')->addMessage($this->translate('Token is invalid!'));
         }
-        return false;
+
+        // Display the messages that were added to form or form elements
+        $this->onError();
     }
 
-    /**
-     * {@inheritdoc}
-     */
-    public function onRequest()
+    // Expose protected method onError() to use it in event listener callbacks
+    public function onError(): void
     {
-        $auth = Auth::getInstance();
-        $onlyExternal = true;
-        // TODO(el): This may be set on the auth chain once iterated. See Auth::authExternal().
-        foreach ($auth->getAuthChain() as $backend) {
-            if (! $backend instanceof ExternalBackend) {
-                $onlyExternal = false;
-            }
-        }
-        if ($onlyExternal) {
-            $this->addError($this->translate(
-                'You\'re currently not authenticated using any of the web server\'s authentication mechanisms.'
-                . ' Make sure you\'ll configure such, otherwise you\'ll not be able to login.'
-            ));
-        }
+        parent::onError();
     }
 }
diff --git a/application/forms/Security/RoleForm.php b/application/forms/Security/RoleForm.php
index 58387f7aa5..4ab1263734 100644
--- a/application/forms/Security/RoleForm.php
+++ b/application/forms/Security/RoleForm.php
@@ -573,6 +573,9 @@ public static function collectProvidedPrivileges()
             'user/password-change' => [
                 'description' => t('Allow password changes in the account preferences')
             ],
+            'user/two-factor-authentication'=> [
+                'description' => t('Allow 2FA configuration in the account preferences')
+            ],
             'user/application/stacktraces' => [
                 'description' => t('Allow to adjust in the preferences whether to show stacktraces')
             ],
diff --git a/application/views/scripts/account/index.phtml b/application/views/scripts/account/index.phtml
index efc2bcbf6d..58e32ca322 100644
--- a/application/views/scripts/account/index.phtml
+++ b/application/views/scripts/account/index.phtml
@@ -5,6 +5,10 @@
 <?php if (isset($changePasswordForm)): ?>
     <h1><?= $this->translate('Account') ?></h1>
     <?= $changePasswordForm ?>
+<?php endif ?>
+<?php if (isset($twoFactorForm)): ?>
+    <h1><?= $this->translate('2 Factor Authentication') ?></h1>
+    <?= $twoFactorForm ?>
 <?php endif ?>
     <h1><?= $this->translate('Preferences') ?></h1>
     <?= $form ?>
diff --git a/application/views/scripts/authentication/login.phtml b/application/views/scripts/authentication/login.phtml
index 130e9b97bc..c9761d2613 100644
--- a/application/views/scripts/authentication/login.phtml
+++ b/application/views/scripts/authentication/login.phtml
@@ -22,6 +22,7 @@
             ) ?></p>
         <?php endif ?>
         <?= $this->form ?>
+        <?= $this->cancel2faForm ?>
         <div id="login-footer">
             <p>Icinga Web 2 &copy; 2013-<?= date('Y') ?></p>
             <?= $this->qlink($this->translate('icinga.com'), 'https://icinga.com') ?>
diff --git a/library/Icinga/Authentication/Auth.php b/library/Icinga/Authentication/Auth.php
index 7325aae3de..95d16cc60a 100644
--- a/library/Icinga/Authentication/Auth.php
+++ b/library/Icinga/Authentication/Auth.php
@@ -11,6 +11,7 @@
 use Icinga\Application\Logger;
 use Icinga\Authentication\User\ExternalBackend;
 use Icinga\Authentication\UserGroup\UserGroupBackend;
+use Icinga\Common\Database;
 use Icinga\Data\ConfigObject;
 use Icinga\Exception\IcingaException;
 use Icinga\Exception\NotReadableError;
@@ -22,6 +23,8 @@
 
 class Auth
 {
+    use Database;
+
     /**
      * Singleton instance
      *
@@ -86,15 +89,22 @@ public function getAuthChain()
      *
      * @return bool
      */
-    public function isAuthenticated()
+    public function isAuthenticated(bool $skip2fa = false)
     {
         if ($this->user !== null) {
+            if (! $skip2fa && $this->user->getTwoFactorEnabled() && ! $this->user->getTwoFactorSuccessful()) {
+                return false;
+            }
             return true;
         }
         $this->authenticateFromSession();
         if ($this->user === null && ! $this->authExternal()) {
             return false;
         }
+
+        // 2fa check from must happen here, to apply the 2fa challenge for external users as well
+        // but the session authentication would also get the 2fa challenge
+
         return true;
     }
 
@@ -130,7 +140,10 @@ public function setAuthenticated(User $user, $persist = true)
             $this->persistCurrentUser();
         }
 
-        AuditHook::logActivity('login', 'User logged in');
+        // Don't log if 2FA is enabled and hasn't been successful yet
+        if (! $user->getTwoFactorEnabled() || $user->getTwoFactorSuccessful()) {
+            AuditHook::logActivity('login', 'User logged in');
+        }
     }
 
     /**
@@ -452,5 +465,8 @@ public function setupUser(User $user)
         // Load the user's roles
         $admissionLoader = new AdmissionLoader();
         $admissionLoader->applyRoles($user);
+
+//        // Set 2FA status on the user object depending on whether a secret exists for the user
+//        $user->setTwoFactorEnabled(TwoFactorTotp::hasDbSecret($this->getDb(), $user->getUsername()));
     }
 }
diff --git a/library/Icinga/Authentication/PsrClock.php b/library/Icinga/Authentication/PsrClock.php
new file mode 100644
index 0000000000..7863e69d5f
--- /dev/null
+++ b/library/Icinga/Authentication/PsrClock.php
@@ -0,0 +1,16 @@
+<?php
+
+/* Icinga Web 2 | (c) 2025 Icinga GmbH | GPLv2+ */
+
+namespace Icinga\Authentication;
+
+use DateTimeImmutable;
+use Psr\Clock\ClockInterface;
+
+class PsrClock implements ClockInterface
+{
+    public function now(): DateTimeImmutable
+    {
+        return new DateTimeImmutable();
+    }
+}
diff --git a/library/Icinga/Authentication/TwoFactorTotp.php b/library/Icinga/Authentication/TwoFactorTotp.php
new file mode 100644
index 0000000000..3d95f416e6
--- /dev/null
+++ b/library/Icinga/Authentication/TwoFactorTotp.php
@@ -0,0 +1,209 @@
+<?php
+
+/* Icinga Web 2 | (c) 2025 Icinga GmbH | GPLv2+ */
+
+namespace Icinga\Authentication;
+
+use DateTime;
+use Endroid\QrCode\Builder\Builder;
+use Icinga\Common\Database;
+use Icinga\Exception\ConfigurationError;
+use Icinga\Model\TwoFactorModel;
+use ipl\Sql\Connection;
+use ipl\Sql\Delete;
+use ipl\Sql\Insert;
+use ipl\Stdlib\Filter;
+use OTPHP\TOTP;
+use PDOException;
+use Throwable;
+
+/**
+ * This TwoFactorTotp class provides methods to generate, store and retrieve 2FA TOTP secrets.
+ * Additionally, it provides a method to verify TOTP tokens.
+ */
+class TwoFactorTotp
+{
+    use Database;
+
+    /** @var TOTP The 2FA TOTP instance */
+    protected TOTP $totp;
+
+    /** @var string The user for whom the 2FA TOTP instance is generated */
+    protected string $user;
+
+    private function __construct(string $user)
+    {
+        $this->user = $user;
+    }
+
+    /**
+     * Generate a new 2FA TOTP instance for the given user.
+     *
+     * @return $this
+     */
+    public static function generate(string $user): static
+    {
+        $twoFactor = new static($user);
+        $twoFactor->totp = TOTP::generate(new PsrClock());
+
+        return $twoFactor;
+    }
+
+    /**
+     * Create a 2FA TOTP instance from a secret for the given user.
+     *
+     * @param string $secret The secret to use for the TOTP instance.
+     * @param string $user   The user for whom the TOTP instance is generated.
+     *
+     * @return $this
+     */
+    public static function createFromSecret(string $secret, string $user): static
+    {
+        $twoFactor = new static($user);
+        $twoFactor->totp = TOTP::createFromSecret($secret, new PsrClock());
+
+        return $twoFactor;
+    }
+
+    /**
+     * Load a 2FA TOTP instance from the database secret for the given user.
+     *
+     * @param Connection $db   The database connection to use.
+     * @param string     $user The user for whom the TOTP instance is loaded.
+     *
+     * @return $this|null
+     */
+    public static function loadFromDb(Connection $db, string $user): ?static
+    {
+        $dbTwoFactor = TwoFactorModel::on($db)->filter(Filter::equal('username', $user))->first();
+
+        /** @var TwoFactorModel|null $dbTwoFactor */
+        if ($dbTwoFactor === null) {
+            return null;
+        }
+
+        return self::createFromSecret($dbTwoFactor->secret, $user);
+    }
+
+    /**
+     * Check whether a 2FA TOTP secret exists for the given user in the database.
+     *
+     * @param Connection $db   The database connection to use.
+     * @param string     $user The user to check for.
+     *
+     * @return bool
+     */
+    public static function hasDbSecret(Connection $db, string $user): bool
+    {
+        try {
+            return TwoFactorModel::on($db)->filter(Filter::equal('username', $user))->first() !== null;
+        } catch (PDOException) {
+            return false;
+        }
+    }
+
+    /**
+     * Get the 2FA TOTP secret.
+     *
+     * @return string
+     */
+    public function getSecret(): string
+    {
+        return $this->totp->getSecret();
+    }
+
+    /**
+     * Verify a 2FA TOTP token.
+     *
+     * @param string $otp
+     *
+     * @return bool
+     */
+    public function verify(string $otp): bool
+    {
+        // The code is valid for 10 seconds before and after the current time to allow some clock drift
+        return $this->totp->verify($otp, null, 10);
+    }
+
+    /**
+     * Creates a QR code for the 2FA TOTP secret.
+     * This method generates a QR code that can be scanned by TOTP apps to set up the user's secret.
+     *
+     * @return string The rendered QR code as a string
+     */
+    public function createQRCode(): string
+    {
+        return (new Builder(data: $this->getTotpAuthUrl()))->build()->getDataUri();
+    }
+
+    /**
+     * Get the URL for the 2FA TOTP authenticator app.
+     *
+     * @return string
+     */
+    public function getTotpAuthUrl(): string
+    {
+        $this->totp->setIssuer('icingaweb2');
+        $this->totp->setLabel($this->user);
+
+        return $this->totp->getProvisioningUri();
+    }
+
+    /**
+     * Saves the 2FA TOTP secret to the database.
+     *
+     * This method stores the 2FA TOTP secret associated with the user in the database.
+     *
+     * @throws ConfigurationError If the database operation fails
+     */
+    public function saveToDb(): void
+    {
+        $db = $this->getDb();
+        $db->beginTransaction();
+
+        try {
+            $db->prepexec(
+                (new Insert())
+                    ->into('icingaweb_2fa')
+                    ->values([
+                        'username' => $this->user,
+                        'secret'   => $this->getSecret(),
+                        'ctime'    => (int) (new DateTime())->format("Uv"),
+                    ])
+            );
+            $db->commitTransaction();
+        } catch (Throwable $e) {
+            $db->rollBackTransaction();
+            throw new ConfigurationError(
+                sprintf('Failed to save 2FA TOTP secret for user %s: %s', $this->user, $e->getMessage()),
+            );
+        }
+    }
+
+    /**
+     * Removes the 2FA TOTP secret from the database.
+     *
+     * This method removes the 2FA TOTP secret associated with the user from the database.
+     *
+     * @throws ConfigurationError If the database operation fails
+     */
+    public function removeFromDb(): void
+    {
+        $db = $this->getDb();
+        $db->beginTransaction();
+
+        try {
+            $db->prepexec(
+                (new Delete())
+                    ->from('icingaweb_2fa')
+                    ->where(['username = ?' => $this->user])
+            );
+            $db->commitTransaction();
+        } catch (Throwable $e) {
+            $db->rollBackTransaction();
+            throw new ConfigurationError(
+                sprintf('Failed to remove 2FA TOTP secret for user %s: %s', $this->user, $e->getMessage()),
+            );
+        }
+    }
+}
diff --git a/library/Icinga/Model/TwoFactorModel.php b/library/Icinga/Model/TwoFactorModel.php
new file mode 100644
index 0000000000..af4867bd29
--- /dev/null
+++ b/library/Icinga/Model/TwoFactorModel.php
@@ -0,0 +1,44 @@
+<?php
+
+/* Icinga Web 2 | (c) 2025 Icinga GmbH | GPLv2+ */
+
+namespace Icinga\Model;
+
+use DateTime;
+use ipl\Orm\Behavior\MillisecondTimestamp;
+use ipl\Orm\Behaviors;
+use ipl\Orm\Model;
+
+/**
+ * Database model for the table that stores the 2FA TOTP secrets
+ *
+ * @property string   $username The user who owns the secret
+ * @property string   $secret   The secret from which the tokens are generated
+ * @property DateTime $ctime    The creation time of the secret
+ */
+class TwoFactorModel extends Model
+{
+    public function getTableName(): string
+    {
+        return 'icingaweb_2fa';
+    }
+
+    public function getKeyName(): string
+    {
+        return 'username';
+    }
+
+    public function getColumns(): array
+    {
+        return [
+            'username',
+            'secret',
+            'ctime'
+        ];
+    }
+
+    public function createBehaviors(Behaviors $behaviors): void
+    {
+        $behaviors->add(new MillisecondTimestamp(['ctime']));
+    }
+}
diff --git a/library/Icinga/User.php b/library/Icinga/User.php
index 8610dd0fed..468db0fc7d 100644
--- a/library/Icinga/User.php
+++ b/library/Icinga/User.php
@@ -4,13 +4,15 @@
 namespace Icinga;
 
 use DateTimeZone;
-use Icinga\Authentication\AdmissionLoader;
-use InvalidArgumentException;
 use Icinga\Application\Config;
+use Icinga\Authentication\AdmissionLoader;
 use Icinga\Authentication\Role;
+use Icinga\Authentication\TwoFactorTotp;
+use Icinga\Common\Database;
 use Icinga\Exception\ProgrammingError;
 use Icinga\User\Preferences;
 use Icinga\Web\Navigation\Navigation;
+use InvalidArgumentException;
 
 /**
  *  This class represents an authorized user
@@ -19,6 +21,8 @@
  */
 class User
 {
+    use Database;
+
     /**
      * Firstname
      *
@@ -122,6 +126,20 @@ class User
      */
     protected $isHttpUser = false;
 
+    /**
+     * Whether the user has 2FA enabled (secret is stored in the database)
+     *
+     * @var bool
+     */
+    protected bool $twoFactorEnabled = false;
+
+    /**
+     * Whether the user has successfully completed 2FA
+     *
+     * @var bool
+     */
+    protected bool $twoFactorSuccessful = false;
+
     /**
      * Creates a user object given the provided information
      *
@@ -145,6 +163,9 @@ public function __construct($username, $firstname = null, $lastname = null, $ema
         if ($email !== null) {
             $this->setEmail($email);
         }
+
+        // Set 2FA status on the user object depending on whether a secret exists for the user
+        $this->setTwoFactorEnabled(TwoFactorTotp::hasDbSecret($this->getDb(), $username));
     }
 
     /**
@@ -646,4 +667,52 @@ public function getNavigation($type)
 
         return $navigation;
     }
+
+    /**
+     * Get whether the user has 2FA enabled
+     *
+     * @return bool
+     */
+    public function getTwoFactorEnabled(): bool
+    {
+        return $this->twoFactorEnabled;
+    }
+
+    /**
+     * Set whether the user has 2FA enabled
+     *
+     * @param bool $enabled
+     *
+     * @return $this
+     */
+    public function setTwoFactorEnabled(bool $enabled = true): static
+    {
+        $this->twoFactorEnabled = $enabled;
+
+        return $this;
+    }
+
+    /**
+     * Get whether the user has successfully completed 2FA
+     *
+     * @return bool
+     */
+    public function getTwoFactorSuccessful(): bool
+    {
+        return $this->twoFactorSuccessful;
+    }
+
+    /**
+     * Set whether the user has successfully completed 2FA
+     *
+     * @param bool $successful
+     *
+     * @return $this
+     */
+    public function setTwoFactorSuccessful(bool $successful = true): static
+    {
+        $this->twoFactorSuccessful = $successful;
+
+        return $this;
+    }
 }
diff --git a/library/Icinga/User/Preferences/PreferencesStore.php b/library/Icinga/User/Preferences/PreferencesStore.php
index 8ecc677c9a..eea137704d 100644
--- a/library/Icinga/User/Preferences/PreferencesStore.php
+++ b/library/Icinga/User/Preferences/PreferencesStore.php
@@ -282,8 +282,9 @@ protected function update(array $preferences, string $section): void
             }
         } catch (Exception $e) {
             throw new NotWritableError(
-                'Cannot update preferences for user %s in database',
+                'Cannot update preferences for user %s in database: %s',
                 $this->getUser()->getUsername(),
+                $e->getMessage(),
                 $e
             );
         }
diff --git a/library/Icinga/Web/Form/Element/FakeFormElement.php b/library/Icinga/Web/Form/Element/FakeFormElement.php
new file mode 100644
index 0000000000..102f19c370
--- /dev/null
+++ b/library/Icinga/Web/Form/Element/FakeFormElement.php
@@ -0,0 +1,69 @@
+<?php
+
+/* Icinga Web 2 | (c) 2025 Icinga GmbH | GPLv2+ */
+
+namespace Icinga\Web\Form\Element;
+
+use ipl\Html\Attributes;
+use ipl\Html\BaseHtmlElement;
+use ipl\Html\HtmlElement;
+use ipl\Html\Text;
+use ipl\Html\ValidHtml;
+use ipl\Web\Widget\Icon;
+
+/**
+ * This is an element that integrates {@see ValidHtml} into an IPL Web {@see CompatForm}.
+ *
+ * The html will be rendered as follows:
+ * <pre>
+ * <div class='control-group'>
+ *     <div class='control-label-group'>
+ *         <!-- if label is set -->
+ *         <label>$this->label</label>
+ *     </div>
+ *     <div class='fake-form-element'>
+ *         $this->content
+ *     </div>
+ *     <!-- if description is set -->
+ *     <i class="icon fa-info-circle control-info fa" role="image"
+ *        title="Please enter the token from your authenticator app to verify your setup."></i>
+ * </div>
+ * </pre>
+ */
+class FakeFormElement extends BaseHtmlElement
+{
+    protected $tag = 'div';
+
+    protected $defaultAttributes = ['class' => 'control-group'];
+
+    /**
+     * @param ValidHtml $content     The element to add to the form
+     * @param ?string   $label       The label to render in the control-label-group element
+     * @param ?string   $description The description to show for the element
+     */
+    public function __construct(
+        protected ValidHtml $content,
+        protected ?string $label = null,
+        protected ?string $description = null
+    ) {
+    }
+
+    protected function assemble(): void
+    {
+        $this->addHtml(
+            HtmlElement::create(
+                'div',
+                Attributes::create(['class' => 'control-label-group']),
+                $this->label ? HtmlElement::create('label', null, new Text($this->label)) : null
+            )
+        );
+        $this->addHtml(
+            HtmlElement::create('div', Attributes::create(['class' => 'fake-form-element']), $this->content)
+        );
+        if ($this->description) {
+            $this->addHtml(
+                new Icon('info-circle', Attributes::create(['class' => 'control-info', 'title' => $this->description]))
+            );
+        }
+    }
+}
diff --git a/library/Icinga/Web/Form/Validator/TotpTokenValidator.php b/library/Icinga/Web/Form/Validator/TotpTokenValidator.php
new file mode 100644
index 0000000000..a35fe9467b
--- /dev/null
+++ b/library/Icinga/Web/Form/Validator/TotpTokenValidator.php
@@ -0,0 +1,39 @@
+<?php
+
+/* Icinga Web 2 | (c) 2025 Icinga GmbH | GPLv2+ */
+
+namespace Icinga\Web\Form\Validator;
+
+use ipl\I18n\Translation;
+use ipl\Validator\BaseValidator;
+
+class TotpTokenValidator extends BaseValidator
+{
+    use Translation;
+
+    public function __construct(
+        /** @var int Token length */
+        protected int $digits = 6
+    ) {
+    }
+
+    public function isValid($value): bool
+    {
+        // Multiple isValid() calls must not stack validation messages
+        $this->clearMessages();
+
+        if (! is_numeric($value)) {
+            $this->addMessage($this->translate('The token must only contain numbers'));
+
+            return false;
+        }
+
+        if (strlen($value) !== $this->digits) {
+            $this->addMessage($this->translate('The token must be exactly 6 digits long.'));
+
+            return false;
+        }
+
+        return true;
+    }
+}
diff --git a/library/Icinga/Web/RememberMe.php b/library/Icinga/Web/RememberMe.php
index 10023960c5..9c6a757948 100644
--- a/library/Icinga/Web/RememberMe.php
+++ b/library/Icinga/Web/RememberMe.php
@@ -5,8 +5,8 @@
 
 use Icinga\Application\Config;
 use Icinga\Authentication\Auth;
-use Icinga\Crypt\AesCrypt;
 use Icinga\Common\Database;
+use Icinga\Crypt\AesCrypt;
 use Icinga\User;
 use ipl\Sql\Expression;
 use ipl\Sql\Select;
@@ -246,6 +246,7 @@ public function authenticate()
         );
 
         if ($authenticated) {
+            $user->setTwoFactorSuccessful();
             $auth->setAuthenticated($user);
         }
 
diff --git a/modules/setup/library/Setup/WebWizard.php b/modules/setup/library/Setup/WebWizard.php
index cfc961d6dc..897d637fe6 100644
--- a/modules/setup/library/Setup/WebWizard.php
+++ b/modules/setup/library/Setup/WebWizard.php
@@ -99,7 +99,8 @@ class WebWizard extends Wizard implements SetupWizard
         'icingaweb_user',
         'icingaweb_user_preference',
         'icingaweb_rememberme',
-        'icingaweb_schema'
+        'icingaweb_schema',
+        'icingaweb_2fa'
     );
 
     /**
diff --git a/public/css/icinga/forms.less b/public/css/icinga/forms.less
index 7af2e8862f..fe54bbb638 100644
--- a/public/css/icinga/forms.less
+++ b/public/css/icinga/forms.less
@@ -186,7 +186,8 @@ form.icinga-form {
   input[type="file"],
   .control-group > fieldset,
   textarea,
-  select {
+  select,
+  .control-group > .fake-form-element {
     flex: 1 1 auto;
     width: 0;
   }
@@ -604,3 +605,15 @@ form.icinga-form .form-info {
     }
   }
 }
+
+.two-factor-totp-qr-code {
+  width: 20em;
+  height: 20em;
+}
+
+.two-factor-totp-auth-url {
+  background-color: @base-disabled;
+  padding: @vertical-padding;
+  border-radius: .25em;
+  line-break: anywhere;
+}
diff --git a/public/css/icinga/login.less b/public/css/icinga/login.less
index b37dbd8652..b368dd1474 100644
--- a/public/css/icinga/login.less
+++ b/public/css/icinga/login.less
@@ -20,6 +20,14 @@
     padding: 2em 6em;
     background-color: @login-box-background;
     .box-shadow(0, 0, 1em, 1em, @login-box-background);
+
+    .icinga-form {
+      width: unset;
+
+      .control-group {
+        margin: 1em 0;
+      }
+    }
   }
 
   #icinga-logo {
@@ -39,12 +47,21 @@
   .errors,
   .form-errors {
     list-style-type: none;
-    padding: 0.5em;
   }
 
   .errors {
-    background-color: @color-critical;
-    color: white;
+    margin: 0;
+
+    li {
+      background-color: @color-critical;
+      color: white;
+      margin: 1em 0 1em 0;
+      padding: .5em;
+
+      &:last-child {
+        margin-bottom: 0;
+      }
+    }
   }
 
   .form-errors {
@@ -91,6 +108,11 @@
     &:hover {
       background-color: @icinga-secondary-dark;
     }
+
+    &.btn-cancel {
+      //.button(@body-bg-color, @gray, @black);
+      .button(@body-bg-color, @icinga-secondary, @icinga-secondary);
+    }
   }
 
   .config-note {
@@ -108,7 +130,7 @@
 
   .remember-me-box {
     display: flex;
-    align-items: flex-start;
+    align-items: center;
 
     .toggle-switch {
       margin-right: 1em;
diff --git a/schema/mysql-upgrades/2.13.0.sql b/schema/mysql-upgrades/2.13.0.sql
new file mode 100644
index 0000000000..535a7cb7c0
--- /dev/null
+++ b/schema/mysql-upgrades/2.13.0.sql
@@ -0,0 +1,6 @@
+CREATE TABLE `icingaweb_2fa` (
+  `username` varchar(254) COLLATE utf8mb4_unicode_ci NOT NULL,
+  `secret`   varchar(255) NOT NULL,
+  `ctime`    bigint NULL DEFAULT NULL,
+  PRIMARY KEY (`username`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ROW_FORMAT=DYNAMIC;
diff --git a/schema/mysql.schema.sql b/schema/mysql.schema.sql
index 1eb71a8a96..9133aead95 100644
--- a/schema/mysql.schema.sql
+++ b/schema/mysql.schema.sql
@@ -64,5 +64,12 @@ CREATE TABLE icingaweb_schema (
   CONSTRAINT idx_icingaweb_schema_version UNIQUE (version)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_bin ROW_FORMAT=DYNAMIC;
 
+CREATE TABLE `icingaweb_2fa` (
+  `username` varchar(254) COLLATE utf8mb4_unicode_ci NOT NULL,
+  `secret`   varchar(255) NOT NULL,
+  `ctime`    bigint NULL DEFAULT NULL,
+  PRIMARY KEY (`username`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ROW_FORMAT=DYNAMIC;
+
 INSERT INTO icingaweb_schema (version, timestamp, success)
   VALUES ('2.12.0', UNIX_TIMESTAMP() * 1000, 'y');
diff --git a/schema/pgsql-upgrades/2.13.0.sql b/schema/pgsql-upgrades/2.13.0.sql
new file mode 100644
index 0000000000..aa5d890dc5
--- /dev/null
+++ b/schema/pgsql-upgrades/2.13.0.sql
@@ -0,0 +1,6 @@
+CREATE TABLE "icingaweb_2fa" (
+  "username" varchar(254) NOT NULL,
+  "secret"   varchar(255) NOT NULL,
+  "ctime"    bigint,
+  CONSTRAINT pk_icingaweb_2fa PRIMARY KEY ("username")
+);
diff --git a/schema/pgsql.schema.sql b/schema/pgsql.schema.sql
index 3a5413bbb9..2394c34bf5 100644
--- a/schema/pgsql.schema.sql
+++ b/schema/pgsql.schema.sql
@@ -131,5 +131,12 @@ CREATE TABLE "icingaweb_schema" (
   CONSTRAINT idx_icingaweb_schema_version UNIQUE (version)
 );
 
+CREATE TABLE "icingaweb_2fa" (
+  "username" varchar(254) NOT NULL,
+  "secret"   varchar(255) NOT NULL,
+  "ctime"    bigint,
+  CONSTRAINT pk_icingaweb_2fa PRIMARY KEY ("username")
+);
+
 INSERT INTO icingaweb_schema (version, timestamp, success)
   VALUES ('2.12.0', extract(epoch from now()) * 1000, 'y');