# Enable Two-Factor Authentication

**ID:** EU-004
**Priority:** High
**Status:** Implemented

## User Story

As an end user, I want to enable two-factor authentication on my account so that my account is protected even if my password is compromised.

## Acceptance Criteria

- [x] User can enable 2FA from account settings
- [x] Support for TOTP apps (Google Authenticator, Authy, etc.)
- [x] Backup codes are generated and shown once during setup
- [x] User must verify a 2FA code during setup to confirm it works
- [x] Login flow prompts for the 2FA code when enabled
- [x] User can disable 2FA (requires a current 2FA code)
- [x] Account recovery via one-time backup codes if the 2FA device is lost

## Technical Notes

- TOTP is implemented with `otplib`.
- TOTP secrets are stored encrypted in dedicated credential records, not on the User model.
- Backup codes are stored as hashes and consumed once.
- WebAuthn passkeys are supported for passwordless login and MFA step-up.
- SMS OTP remains registration-only and is not a default login factor.

## Related TODOs

- Consider adding explicit recovery admin workflows beyond backup codes.