diff --git a/common/auth.py b/common/auth.py
index bae340f8aa..2721af423d 100644
--- a/common/auth.py
+++ b/common/auth.py
@@ -3,6 +3,7 @@
 import traceback
 
 import simplejson as json
+from django.contrib.sessions.backends.db import SessionStore
 from django.contrib.auth import authenticate, login, logout
 from django.contrib.auth.password_validation import validate_password
 from django.core.exceptions import ValidationError
@@ -12,7 +13,7 @@
 
 from common.config import SysConfig
 from common.utils.ding_api import get_ding_user_id
-from sql.models import Users, ResourceGroup
+from sql.models import Users, ResourceGroup, TwoFactorAuthConfig
 
 logger = logging.getLogger('default')
 
@@ -64,7 +65,6 @@ def authenticate(self):
             if authenticated_user:
                 # ldap 首次登录逻辑
                 init_user(authenticated_user)
-                login(self.request, authenticated_user)
                 return {'status': 0, 'msg': 'ok', 'data': authenticated_user}
             else:
                 return {'status': 1, 'msg': '用户名或密码错误，请重新输入！', 'data': ''}
@@ -90,7 +90,6 @@ def authenticate(self):
         if authenticated_user:
             if not authenticated_user.last_login:
                 init_user(authenticated_user)
-            login(self.request, authenticated_user)
             return {'status': 0, 'msg': 'ok', 'data': authenticated_user}
         user.failed_login_count += 1
         user.last_login_failed_at = datetime.datetime.now()
@@ -104,11 +103,25 @@ def authenticate_entry(request):
     new_auth = ArcheryAuth(request)
     result = new_auth.authenticate()
     if result['status'] == 0:
-        # 从钉钉获取该用户的 dingding_id，用于单独给他发消息
-        if SysConfig().get("ding_to_person") is True and "admin" not in request.POST.get('username'):
-            get_ding_user_id(request.POST.get('username'))
-
-        result = {'status': 0, 'msg': 'ok', 'data': None}
+        authenticated_user = result['data']
+        twofa_enabled = TwoFactorAuthConfig.objects.filter(user=authenticated_user)
+        if twofa_enabled:
+            # 用户设置了2fa的情况需要进一步验证
+            auth_type = twofa_enabled[0].auth_type
+            # 设置无登录状态cookie
+            s = SessionStore()
+            s['user'] = authenticated_user.username
+            s['auth_type'] = auth_type
+            s.set_expiry(300)
+            s.create()
+            result = {'status': 0, 'msg': 'ok', 'data': s.session_key}
+        else:
+            # 未设置2fa直接登录
+            login(request, authenticated_user)
+            # 从钉钉获取该用户的 dingding_id，用于单独给他发消息
+            if SysConfig().get("ding_to_person") is True and "admin" not in request.POST.get('username'):
+                get_ding_user_id(request.POST.get('username'))
+            result = {'status': 0, 'msg': 'ok', 'data': None}
 
     return HttpResponse(json.dumps(result), content_type='application/json')
 
diff --git a/common/middleware/check_login_middleware.py b/common/middleware/check_login_middleware.py
index 3707169e73..ba4b6c3138 100644
--- a/common/middleware/check_login_middleware.py
+++ b/common/middleware/check_login_middleware.py
@@ -5,6 +5,7 @@
 
 IGNORE_URL = [
     '/login/',
+    '/login/2fa/',
     '/authenticate/',
     '/signup/',
     '/api/info'
diff --git a/common/templates/2fa.html b/common/templates/2fa.html
new file mode 100644
index 0000000000..88cdd4e8ca
--- /dev/null
+++ b/common/templates/2fa.html
@@ -0,0 +1,122 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <title>Archery - 两步验证</title>
+    {% load static %}
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <!-- 引入 Bootstrap -->
+    <link href="{% static 'bootstrap/css/bootstrap.min.css' %}" rel="stylesheet">
+    <link href="{% static 'dist/css/login.css' %}" rel="stylesheet">
+    <!-- HTML5 Shim 和 Respond.js 用于让 IE8 支持 HTML5元素和媒体查询 -->
+    <!-- 注意： 如果通过 file://  引入 Respond.js 文件，则该文件无法起效果 -->
+    <!--[if lt IE 9]>
+         <script src="https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js"></script>
+         <script src="https://oss.maxcdn.com/libs/respond.js/1.3.0/respond.min.js"></script>
+      <![endif]-->
+    <link rel="shortcut icon" href="{% static 'img/favicon.ico' %}" />
+</head>
+<body onload="document.getElementById('otpCode').focus()" style="background-color:#edeff1;">
+<div class="row lsb-login">
+    <div class="col-sm-2 mypanalbox">
+        <form class="login-form fade-in-effect" id="auth" method="post" role="form">
+            {% csrf_token %}
+            {% if auth_type == 'totp' %}
+            <div class="form-group is-focused">
+                <label class="control-label" for="otpCode">OTP验证码</label>
+                <input class="form-control ng-valid ng-dirty ng-touched" id="otpCode" name="otpCode" type="text"
+                       oninput="value=value.replace(/[^\d]/g,'')" autocomplete="off" required>
+
+            </div>
+            <div class="form-group">
+                <button id="btnAuth" type="button" class="btn btn-success btn-block"><i class="fa-lock"></i>验证</button>
+            </div>
+            {% else %}
+            <div class="form-group is-focused">
+                <label class="control-label" for="otpCode">验证码</label>
+                <input class="form-control ng-valid ng-dirty ng-touched" id="otpCode" name="otpCode" type="text"
+                       oninput="value=value.replace(/[^\d]/g,'')" autocomplete="off" required>
+            </div>
+            <div class="form-group">
+                <button id="btnCaptcha" type="button" class="btn btn-default btn-block" >获取验证码</button>
+                <button id="btnAuth" type="button" class="btn btn-success btn-block" style="display: none"><i class="fa-lock"></i>验证</button>
+            </div>
+            {% endif %}
+            <input type="text" style="display:none">
+        </form>
+    </div>
+</div>
+
+<!--底部部分 -->
+<div class="user-bottom-div">
+    <p><strong>&copy; Archery</strong>&nbsp;(v{{ archery_version }})</p>
+</div>
+<script src="{% static 'jquery/jquery.min.js' %}"></script>
+<script src="{% static 'bootstrap/js/bootstrap.min.js' %}"></script>
+</body>
+<!-- 解决CSRF-->
+<script>
+    $(function () {
+        $.ajaxSetup({
+            headers: {"X-CSRFToken": getCookie("csrftoken")}
+        });
+    });
+
+    function getCookie(name) {
+        var cookieValue = null;
+        if (document.cookie && document.cookie !== '') {
+            var cookies = document.cookie.split(';');
+            for (var i = 0; i < cookies.length; i++) {
+                var cookie = jQuery.trim(cookies[i]);
+                // Does this cookie string begin with the name we want?
+                if (cookie.substring(0, name.length + 1) === (name + '=')) {
+                    cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
+                    break;
+                }
+            }
+        }
+        return cookieValue;
+    }
+</script>
+<script>
+
+    //回车键提交验证
+    $(document).ready(function () {
+        $(document).keydown(function (event) {
+            //keycode==13为回车键
+            if (event.keyCode === 13) {
+                let otp = $('#otpCode').val();
+                authOTP(otp);
+            }
+        });
+    });
+
+    $('#btnAuth').click(function () {
+        let otp = $('#otpCode').val();
+        authOTP(otp);
+    });
+
+    function authOTP(otp) {
+        $.ajax({
+            type: "post",
+            url: "/api/v1/user/2fa/verify/",
+            dataType: "json",
+            data: {
+                engineer: '{{ username }}',
+                otp: otp
+            },
+            complete: function () {
+            },
+            success: function (data) {
+                if (data.status === 0) {
+                    $(location).attr('href', '/index/');
+                } else {
+                    alert(data.msg)
+                }
+            },
+            error: function (XMLHttpRequest, textStatus, errorThrown) {
+                alert(errorThrown + ' : ' + XMLHttpRequest.responseText)
+            }
+        });
+    };
+</script>
+</html>
diff --git a/common/templates/base.html b/common/templates/base.html
index 0b37ef1288..7fe28b4268 100644
--- a/common/templates/base.html
+++ b/common/templates/base.html
@@ -73,6 +73,7 @@
                             <a target="_blank" href="/admin"><i class="fa fa-sitemap fa-fw"></i> 管理后台</a>
                         </li>
                     {% endif %}
+                    <li><a id="2fa-menu" href="javascript:;"><i class="fa fa-lock fa-fw"></i> 两步验证</a></li>
                     <li><a href="/admin/password_change/"><i class="fa fa-user fa-fw"></i> 修改密码</a></li>
                     <li><a href="/logout/"><i class="fa fa-gear fa-fw"></i> 退出</a></li>
                 </ul>
@@ -279,6 +280,63 @@
         <!-- /.navbar-static-side -->
     </nav>
 
+<!-- 两步验证配置模态框-->
+<div class="modal fade" id="2fa" tabindex="-1" role="dialog" aria-labelledby="myModalLabel">
+    <div class="modal-dialog modal-sm" role="document">
+        <div class="modal-content">
+            <div class="modal-header">
+                <button type="button" class="close" data-dismiss="modal" aria-label="Close"><span
+                        aria-hidden="true">&times;</span></button>
+                <h4 class="modal-title" id="myModalLabel1">两步验证</h4>
+            </div>
+            <div class="modal-body">
+                <div class="form-group">
+                    <label for="auth_type">验证方式:</label>
+                    <select id="auth_type" class="form-control show-tick selectpicker" name="instances"
+                                    title="选择额外验证方式:"
+                                    data-live-search="true">
+                        <option value="disabled">关闭两步验证</option>
+                        <option value="totp" selected="selected">Google身份验证器</option>
+                    </select>
+                </div>
+                <div class="form-group">
+                    <label for="passwd">需输入密码验证:</label>
+                    <input type="password" class="form-control" id="passwd" placeholder="确认密码" required>
+                </div>
+            </div>
+            <div class="modal-footer">
+                <button type="button" class="btn btn-default" data-dismiss="modal">取消</button>
+                <button id="btnConfirm" type="submit" class="btn btn-success">确认</button>
+            </div>
+        </div>
+    </div>
+</div>
+
+<!-- 二维码模态框-->
+<div class="modal fade bs-example-modal-sm" id="qrcode" tabindex="-1" role="dialog" aria-labelledby="myModalLabel">
+    <div class="modal-dialog modal-sm" role="document">
+        <div class="modal-content">
+            <div class="modal-header">
+                <button type="button" class="close" data-dismiss="modal" aria-label="Close"><span
+                        aria-hidden="true">&times;</span></button>
+                <h4 class="modal-title" id="myModalLabel2">扫码绑定</h4>
+            </div>
+            <div class="modal-body">
+                <div class="form-group">
+                    <label class="control-label" for="qrcode-img">1. 使用Google身份验证器扫码：</label>
+                    <img id="qrcode-img" key="" src="">
+                    <label class="control-label" for="otp">2. 输入6位验证码完成绑定：</label>
+                    <input class="form-control ng-valid ng-dirty ng-touched" id="otp" name="otpCode" type="text"
+                       oninput="value=value.replace(/[^\d]/g,'')" autocomplete="off" required>
+                </div>
+            </div>
+            <div class="modal-footer">
+                <button id="binding" type="button" class="btn btn-success">绑定</button>
+            </div>
+        </div>
+    </div>
+</div>
+
     <!-- Page Content -->
     <div id="page-wrapper">
         <div class="clearfix">
@@ -319,6 +377,156 @@
         }
     };
 </script>
+<script>
+    function twofa(auth_type) {
+        // 配置2fa
+        let result;
+        $.ajax({
+            type: "post",
+            url: "/api/v1/user/2fa/",
+            dataType: "json",
+            data: {
+                engineer: '{{ user.username }}',
+                auth_type: auth_type
+            },
+            async: false,
+            complete: function () {
+            },
+            success: function (data) {
+                if (data.status === 0) {
+                    result = data
+                    $("#2fa").modal('hide');
+                } else {
+                    alert(data.msg);
+                }
+            },
+            error: function (XMLHttpRequest, textStatus, errorThrown) {
+                alert(errorThrown + ' : ' + XMLHttpRequest.responseText);
+            }
+        })
+        return result
+    }
+
+    function save(key) {
+        $.ajax({
+            type: "post",
+            url: "/api/v1/user/2fa/save/",
+            dataType: "json",
+            data: {
+                engineer: '{{ user.username }}',
+                key: key,
+            },
+            complete: function () {
+            },
+            success: function (data) {
+                if (data.status === 0) {
+                    alert("已开启两步验证！");
+                    $("#qrcode").modal("hide");
+                } else {
+                    alert(data.msg)
+                }
+            },
+            error: function (XMLHttpRequest, textStatus, errorThrown) {
+                alert(errorThrown + ' : ' + XMLHttpRequest.responseText)
+            }
+        });
+    }
+
+    function authOTP(otp) {
+        let key = $("#qrcode-img").attr('key');
+        let auth_type = $("#auth_type").val();
+        $.ajax({
+            type: "post",
+            url: "/api/v1/user/2fa/verify/",
+            dataType: "json",
+            data: {
+                engineer: '{{ user.username }}',
+                auth_type: auth_type,
+                key: key,
+                otp: otp
+            },
+            complete: function () {
+            },
+            success: function (data) {
+                if (data.status === 0) {
+                    alert("验证成功！");
+                    save(key);
+                } else {
+                    alert(data.msg)
+                }
+            },
+            error: function (XMLHttpRequest, textStatus, errorThrown) {
+                alert(errorThrown + ' : ' + XMLHttpRequest.responseText)
+            }
+        });
+    }
+
+    function auth(username, password) {
+        // 用户认证校验
+        let result = false;
+        $.ajax({
+            type: "post",
+            url: "/api/v1/user/auth/",
+            dataType: "json",
+            data: {
+                engineer: username,
+                password: password
+            },
+            async: false,
+            complete: function () {
+            },
+            success: function (data) {
+                if (data.status === 0) {
+                    $("#2fa").modal('hide');
+                    result = true
+                } else {
+                    alert(data.msg);
+                }
+            },
+            error: function (XMLHttpRequest, textStatus, errorThrown) {
+                alert(errorThrown + ' : ' + XMLHttpRequest.responseText);
+            }
+        });
+        return result
+    }
+
+    $("#2fa-menu").click(function () {
+        $("#2fa").modal('show');
+    })
+
+    $("#binding").click(function () {
+        let otp = $('#otp').val();
+        authOTP(otp);
+    })
+
+    $("#btnConfirm").click(function () {
+        let auth_type = $("#auth_type").val();
+        let password = $("#passwd").val();
+        password = password.replace(/(^\s*)|(\s*$)/g, "");
+        if (!password) {
+            alert('请输入密码！')
+            return
+        }
+        $("#passwd").val('');
+        let isAuthenticated = auth('{{ user.username }}', password);
+        if (isAuthenticated) {
+            let data = twofa(auth_type);
+            if (data.status === 0) {
+                if (auth_type === 'disabled') {
+                    alert("已关闭两步验证！")
+                } else if (auth_type === 'totp') {
+                    let key = data.data.key;
+                    $("#qrcode-img").attr("key", key)
+                    $("#qrcode-img").attr("src", "/user/qrcode/" + key)
+                    // 展示二维码
+                    $("#qrcode").modal("show");
+                }
+            } else {
+                alert(data.msg)
+            }
+        }
+    })
+</script>
 </body>
 <script>
     <!-- 解决CSRF-->
diff --git a/common/templates/login.html b/common/templates/login.html
index 8cc3ddc01a..17338512b9 100644
--- a/common/templates/login.html
+++ b/common/templates/login.html
@@ -216,8 +216,13 @@ <h4 class="modal-title" id="myModalLabel">
                 $('#btnLogin').prop('disabled', false);
             },
             success: function (data) {
-                if (data.status == 0) {
-                    $(location).attr('href', '/index/');
+                if (data.status === 0) {
+                    if (data.data) {
+                        document.cookie = "sessionid=" + data.data
+                        $(location).attr('href', '/login/2fa/');
+                    } else {
+                        $(location).attr('href', '/index/');
+                    }
                 } else {
                     $('#wrongpwd-modal-body').html(data.msg);
                     $('#wrongpwd-modal').modal({
diff --git a/common/twofa/__init__.py b/common/twofa/__init__.py
new file mode 100644
index 0000000000..81066f0ef0
--- /dev/null
+++ b/common/twofa/__init__.py
@@ -0,0 +1,40 @@
+from sql.models import TwoFactorAuthConfig
+
+
+class TwoFactorAuthBase:
+
+    def __init__(self, user=None):
+        self.user = user
+
+    def get_captcha(self):
+        """获取验证码"""
+
+    def verify(self, opt):
+        """校验一次性验证码"""
+
+    def enable(self):
+        """启用"""
+        result = {'status': 1, 'msg': 'failed'}
+        return result
+
+    def disable(self):
+        """禁用"""
+        result = {'status': 0, 'msg': 'ok'}
+        try:
+            TwoFactorAuthConfig.objects.get(user=self.user).delete()
+        except TwoFactorAuthConfig.DoesNotExist as e:
+            result = {'status': 0, 'msg': str(e)}
+        return result
+
+    @property
+    def auth_type(self):
+        """返回认证类型"""
+        return "base"
+
+
+def get_authenticator(user=None, auth_type=None):
+    """获取认证器"""
+    if auth_type == "totp":
+        from .totp import TOTP
+
+        return TOTP(user=user)
diff --git a/common/twofa/totp.py b/common/twofa/totp.py
new file mode 100644
index 0000000000..1ea86daf38
--- /dev/null
+++ b/common/twofa/totp.py
@@ -0,0 +1,98 @@
+from django.db import transaction
+from django.conf import settings
+from django.http import HttpResponse
+from qrcode import QRCode, constants
+from sql.models import TwoFactorAuthConfig
+from . import TwoFactorAuthBase
+from io import BytesIO
+import traceback
+import logging
+import pyotp
+import os
+
+logger = logging.getLogger('default')
+
+
+class TOTP(TwoFactorAuthBase):
+    """Time-based One-time Password，适用Google身份验证器等App"""
+
+    def __init__(self, user=None):
+        super(TOTP, self).__init__(user=user)
+        self.user = user
+
+    def verify(self, opt, key=None):
+        """校验一次性验证码"""
+        result = {'status': 0, 'msg': 'ok'}
+        if key:
+            secret_key = key
+        else:
+            secret_key = TwoFactorAuthConfig.objects.get(username=self.user.username).secret_key
+        t = pyotp.TOTP(secret_key)
+        status = t.verify(opt)
+        result['status'] = 0 if status else 1
+        result['msg'] = 'ok' if status else '验证码不正确！'
+        return result
+
+    def generate_key(self):
+        """生成secret key"""
+        result = {'status': 0, 'msg': 'ok', 'data': {}}
+
+        # 生成用户secret_key
+        secret_key = pyotp.random_base32(32)
+        result['data'] = {
+            'auth_type': self.auth_type,
+            'key': secret_key
+        }
+
+        return result
+
+    def save(self, secret_key):
+        """保存2fa配置"""
+        result = {'status': 0, 'msg': 'ok'}
+
+        try:
+            with transaction.atomic():
+                # 删除旧的2fa配置
+                self.disable()
+                # 创建新的2fa配置
+                TwoFactorAuthConfig.objects.create(
+                    username=self.user.username,
+                    auth_type=self.auth_type,
+                    secret_key=secret_key,
+                    user=self.user
+                )
+        except Exception as msg:
+            result['status'] = 1
+            result['msg'] = str(msg)
+            logger.error(traceback.format_exc())
+
+        return result
+
+    @property
+    def auth_type(self):
+        """返回认证类型"""
+        return "totp"
+
+
+def generate_qrcode(request, data):
+    """生成并返回二维码图片流"""
+
+    username = request.user.username
+    secret_key = data
+
+    # 生成二维码
+    qr_data = pyotp.totp.TOTP(secret_key).provisioning_uri(username, issuer_name="Archery")
+    qrcode = QRCode(version=1, error_correction=constants.ERROR_CORRECT_L,
+                    box_size=6, border=4)
+    try:
+        qrcode.add_data(qr_data)
+        qrcode.make(fit=True)
+        qr_img = qrcode.make_image()
+        buffer = BytesIO()
+        qr_img.save(buffer)
+        img_stream = buffer.getvalue()
+    except Exception as msg:
+        logger.error(str(msg))
+        logger.error(traceback.format_exc())
+    else:
+        return HttpResponse(img_stream, content_type="image/png")
diff --git a/requirements.txt b/requirements.txt
index 1c13740082..f80408f2d0 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -34,3 +34,6 @@ djangorestframework-simplejwt==4.3.0
 django-filter==21.1
 drf-spectacular==0.22.0
 pyjwt==1.7.1
+pyotp==2.6.0
+pillow==8.4.0
+qrcode==7.3.1
diff --git a/sql/admin.py b/sql/admin.py
index d3f532caad..5e526529fe 100755
--- a/sql/admin.py
+++ b/sql/admin.py
@@ -9,7 +9,7 @@
     AliyunRdsConfig, CloudAccessKey, ResourceGroup, QueryPrivilegesApply, \
     QueryPrivileges, InstanceAccount, InstanceDatabase, ArchiveConfig, \
     WorkflowAudit, WorkflowLog, ParamTemplate, ParamHistory, InstanceTag, \
-    Tunnel, AuditEntry
+    Tunnel, AuditEntry, TwoFactorAuthConfig
 
 from sql.form import TunnelForm, InstanceForm
 
@@ -40,6 +40,12 @@ class UsersAdmin(UserAdmin):
     list_filter = ('is_staff', 'is_superuser', 'is_active', 'groups', 'resource_group')
 
 
+# 用户2fa管理
+@admin.register(TwoFactorAuthConfig)
+class TwoFactorAuthConfigAdmin(admin.ModelAdmin):
+    list_display = ('id', 'username', 'auth_type', 'secret_key', 'user_id')
+
+
 # 资源组管理
 @admin.register(ResourceGroup)
 class ResourceGroupAdmin(admin.ModelAdmin):
diff --git a/sql/models.py b/sql/models.py
index bb4c87dfd3..9753f5c68e 100755
--- a/sql/models.py
+++ b/sql/models.py
@@ -1,10 +1,12 @@
 # -*- coding: UTF-8 -*-
 from django.db import models
 from django.contrib.auth.models import AbstractUser
+from django.conf import settings
 from mirage import fields
-
 from django.utils.translation import gettext as _
 from mirage.crypto import Crypto
+import os
+
 
 class ResourceGroup(models.Model):
     """
@@ -61,6 +63,29 @@ class Meta:
         verbose_name_plural = u'用户管理'
 
 
+class TwoFactorAuthConfig(models.Model):
+    """
+    2fa配置信息
+    """
+    auth_type_choice = (
+        ('totp', 'Google身份验证器'),
+    )
+
+    username = fields.EncryptedCharField(verbose_name='用户名', max_length=200)
+    auth_type = fields.EncryptedCharField(verbose_name='认证类型', max_length=128, choices=auth_type_choice)
+    secret_key = fields.EncryptedCharField(verbose_name='用户密钥', max_length=256, null=True)
+    user = models.OneToOneField(Users, on_delete=models.CASCADE)
+
+    def __int__(self):
+        return self.username
+
+    class Meta:
+        managed = True
+        db_table = '2fa_config'
+        verbose_name = u'2FA配置'
+        verbose_name_plural = u'2FA配置'
+
+
 class InstanceTag(models.Model):
     """实例标签配置"""
     tag_code = models.CharField('标签代码', max_length=20, unique=True)
diff --git a/sql/urls.py b/sql/urls.py
index 03942c24a5..e919ff647f 100644
--- a/sql/urls.py
+++ b/sql/urls.py
@@ -7,6 +7,7 @@
 import sql.query_privileges
 import sql.sql_optimize
 from common import auth, config, workflow, dashboard, check
+from common.twofa import totp
 from sql import views, sql_workflow, sql_analyze, query, slowlog, instance, instance_account, db_diagnostic, \
     resource_group, binlog, data_dictionary, archiver, audit_log, user
 from sql.utils import tasks
@@ -17,6 +18,7 @@
     path('jsi18n/', JavaScriptCatalog.as_view(), name='javascript-catalog'),
     path('index/', views.index),
     path('login/', views.login, name='login'),
+    path('login/2fa/', views.twofa, name='twofa'),
     path('logout/', auth.sign_out),
     path('signup/', auth.sign_up),
     path('sqlworkflow/', views.sqlworkflow),
@@ -161,4 +163,5 @@
     path('audit/log/', audit_log.audit_log),
     path('audit/input/', audit_log.audit_input),
     path('user/list/', user.lists),
+    path('user/qrcode/<str:data>/', totp.generate_qrcode),
 ]
diff --git a/sql/views.py b/sql/views.py
index 9423c8d6c2..a906a4d7f4 100644
--- a/sql/views.py
+++ b/sql/views.py
@@ -45,6 +45,20 @@ def login(request):
     return render(request, 'login.html', context={'sign_up_enabled': SysConfig().get('sign_up_enabled')})
 
 
+def twofa(request):
+    """2fa认证页面"""
+    if request.user.is_authenticated:
+        return HttpResponseRedirect('/')
+
+    username = request.session.get('user')
+    if username:
+        auth_type = request.session.get('auth_type')
+    else:
+        return HttpResponseRedirect('/login/')
+
+    return render(request, '2fa.html', context={'auth_type': auth_type, 'username': username})
+
+
 @permission_required('sql.menu_dashboard', raise_exception=True)
 def dashboard(request):
     """dashboard页面"""
diff --git a/sql_api/api_user.py b/sql_api/api_user.py
index 61f606cb73..d142fee632 100644
--- a/sql_api/api_user.py
+++ b/sql_api/api_user.py
@@ -1,12 +1,17 @@
-from rest_framework import views, generics, status
+from rest_framework import views, generics, status, permissions
 from rest_framework.response import Response
 from drf_spectacular.utils import extend_schema
-from .serializers import UserSerializer, UserDetailSerializer, GroupSerializer, ResourceGroupSerializer
+from .serializers import UserSerializer, UserDetailSerializer, GroupSerializer, \
+    ResourceGroupSerializer, TwoFASerializer, UserAuthSerializer, TwoFAVerifySerializer, TwoFASaveSerializer
 from .pagination import CustomizedPagination
+from .permissions import IsOwner
 from .filters import UserFilter
 from django.contrib.auth.models import Group
+from django.contrib.auth import authenticate, login
+from django.conf import settings
 from django.http import Http404
-from sql.models import Users, ResourceGroup
+from sql.models import Users, ResourceGroup, TwoFactorAuthConfig
+from common.twofa import TwoFactorAuthBase, get_authenticator
 
 
 class UserList(generics.ListAPIView):
@@ -203,3 +208,136 @@ def delete(self, request, pk):
         group = self.get_object(pk)
         group.delete()
         return Response(status=status.HTTP_204_NO_CONTENT)
+
+
+class UserAuth(views.APIView):
+    """
+    用户认证校验
+    """
+    permission_classes = [IsOwner]
+
+    @extend_schema(summary="用户认证校验",
+                   request=UserAuthSerializer,
+                   description="用户认证校验")
+    def post(self, request):
+        # 参数验证
+        serializer = UserAuthSerializer(data=request.data)
+        if not serializer.is_valid():
+            return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
+
+        result = {'status': 0, 'msg': '认证成功'}
+        engineer = request.data['engineer']
+        password = request.data['password']
+
+        user = authenticate(username=engineer, password=password)
+        if not user:
+            result = {'status': 1, 'msg': '用户名或密码错误！'}
+
+        return Response(result)
+
+
+class TwoFA(views.APIView):
+    """
+    配置2fa
+    """
+    permission_classes = [IsOwner]
+
+    @extend_schema(summary="配置2fa",
+                   request=TwoFASerializer,
+                   description="启用或关闭2fa")
+    def post(self, request):
+        # 参数验证
+        serializer = TwoFASerializer(data=request.data)
+        if not serializer.is_valid():
+            return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
+
+        engineer = request.data['engineer']
+        auth_type = request.data['auth_type']
+        user = Users.objects.get(username=engineer)
+
+        if auth_type == 'disabled':
+            # 关闭2fa
+            authenticator = TwoFactorAuthBase(user=user)
+            result = authenticator.disable()
+        elif auth_type == 'totp':
+            # 启用2fa - 先生成secret key
+            authenticator = get_authenticator(user=user, auth_type=auth_type)
+            result = authenticator.generate_key()
+        else:
+            # 启用2fa
+            authenticator = get_authenticator(user=user, auth_type=auth_type)
+            result = authenticator.enable()
+
+        return Response(result)
+
+
+class TwoFASave(views.APIView):
+    """
+    保存2fa配置（TOTP)
+    """
+    permission_classes = [IsOwner]
+
+    @extend_schema(summary="保存2fa配置（TOTP)",
+                   request=TwoFASaveSerializer,
+                   description="保存2fa配置（TOTP)")
+    def post(self, request):
+        # 参数验证
+        serializer = TwoFASaveSerializer(data=request.data)
+        if not serializer.is_valid():
+            return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
+
+        engineer = request.data['engineer']
+        key = request.data['key']
+        user = Users.objects.get(username=engineer)
+
+        authenticator = get_authenticator(user=user, auth_type='totp')
+        result = authenticator.save(key)
+
+        return Response(result)
+
+
+class TwoFAVerify(views.APIView):
+    """
+    检验2fa密码
+    """
+    permission_classes = [permissions.AllowAny]
+
+    @extend_schema(summary="检验2fa密码",
+                   request=TwoFAVerifySerializer,
+                   description="检验2fa密码")
+    def post(self, request):
+        # 参数验证
+        serializer = TwoFAVerifySerializer(data=request.data)
+        if not serializer.is_valid():
+            return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
+
+        engineer = request.data['engineer']
+        otp = request.data['otp']
+        key = request.data['key'] if 'key' in request.data.keys() else None
+        user = Users.objects.get(username=engineer)
+        request_user = request.session.get('user')
+
+        print(request.user)
+        if not request.user.is_authenticated:
+            if request_user:
+                if request_user != engineer:
+                    return Response({'status': 1, 'msg': '登录用户与校验用户不一致！'})
+            else:
+                return Response({'status': 1, 'msg': '需先校验用户密码！'})
+
+            twofa_config = TwoFactorAuthConfig.objects.filter(user=user)
+            if not twofa_config:
+                return Response({'status': 1, 'msg': '用户未配置2FA！'})
+            auth_type = twofa_config[0].auth_type
+        else:
+            auth_type = request.data['auth_type']
+
+        authenticator = get_authenticator(user=user, auth_type=auth_type)
+        result = authenticator.verify(otp, key)
+
+        # 校验通过后自动登录，刷新expire_date
+        if result['status'] == 0 and not request.user.is_authenticated:
+            login(request, user)
+            request.session.set_expiry(settings.SESSION_COOKIE_AGE)
+
+        return Response(result)
diff --git a/sql_api/permissions.py b/sql_api/permissions.py
index f1d8f54d09..ff017a2d49 100644
--- a/sql_api/permissions.py
+++ b/sql_api/permissions.py
@@ -13,3 +13,16 @@ def has_permission(self, request, view):
 
         # 只有在api_user_whitelist参数中的用户才有权限
         return request.user.id in api_user_whitelist
+
+
+class IsOwner(permissions.BasePermission):
+    """
+    当参数engineer与请求用户一致时才有权限
+    """
+    def has_permission(self, request, view):
+        try:
+            engineer = request.data['engineer']
+        except KeyError as e:
+            return False
+
+        return engineer == request.user.username
diff --git a/sql_api/serializers.py b/sql_api/serializers.py
index 646cf28b93..89058952b1 100644
--- a/sql_api/serializers.py
+++ b/sql_api/serializers.py
@@ -90,6 +90,58 @@ class Meta:
         fields = "__all__"
 
 
+class UserAuthSerializer(serializers.Serializer):
+    engineer = serializers.CharField(label='用户名')
+    password = serializers.CharField(label='密码')
+
+
+class TwoFASerializer(serializers.Serializer):
+    engineer = serializers.CharField(label='用户名')
+    auth_type = serializers.ChoiceField(choices=['disabled', 'totp'], label='验证类型：disabled-关闭，totp-Google身份验证器')
+
+    def validate(self, attrs):
+        engineer = attrs.get('engineer')
+
+        try:
+            Users.objects.get(username=engineer)
+        except Users.DoesNotExist:
+            raise serializers.ValidationError({"errors": "不存在该用户"})
+
+        return attrs
+
+
+class TwoFASaveSerializer(serializers.Serializer):
+    engineer = serializers.CharField(label='用户名')
+    key = serializers.CharField(label='密钥')
+
+    def validate(self, attrs):
+        engineer = attrs.get('engineer')
+
+        try:
+            Users.objects.get(username=engineer)
+        except Users.DoesNotExist:
+            raise serializers.ValidationError({"errors": "不存在该用户"})
+
+        return attrs
+
+
+class TwoFAVerifySerializer(serializers.Serializer):
+    engineer = serializers.CharField(label='用户名')
+    otp = serializers.IntegerField(label='一次性密码/验证码')
+    key = serializers.CharField(required=False, label='密钥')
+    auth_type = serializers.CharField(required=False, label='验证方式')
+
+    def validate(self, attrs):
+        engineer = attrs.get('engineer')
+
+        try:
+            user = Users.objects.get(username=engineer)
+        except Users.DoesNotExist:
+            raise serializers.ValidationError({"errors": "不存在该用户"})
+
+        return attrs
+
+
 class InstanceSerializer(serializers.ModelSerializer):
 
     class Meta:
diff --git a/sql_api/tests.py b/sql_api/tests.py
index 079643f39e..5686af0c78 100644
--- a/sql_api/tests.py
+++ b/sql_api/tests.py
@@ -6,7 +6,8 @@
 from rest_framework import status
 from common.config import SysConfig
 from sql.models import ResourceGroup, Instance, AliyunRdsConfig, CloudAccessKey, Tunnel, \
-    SqlWorkflow, SqlWorkflowContent, WorkflowAudit, WorkflowLog, InstanceTag, WorkflowAuditSetting
+    SqlWorkflow, SqlWorkflowContent, WorkflowAudit, WorkflowLog, InstanceTag, WorkflowAuditSetting, \
+    TwoFactorAuthConfig
 import json
 
 User = get_user_model()
@@ -160,6 +161,49 @@ def test_delete_resource_group(self):
         self.assertEqual(r.status_code, status.HTTP_204_NO_CONTENT)
         self.assertEqual(Group.objects.filter(name='test').count(), 0)
 
+    def test_user_auth(self):
+        """测试用户认证校验"""
+        json_data = {
+            "engineer": "test_user",
+            "password": "test_password"
+        }
+        r = self.client.post(f'/api/v1/user/auth/', json_data, format='json')
+        self.assertEqual(r.status_code, status.HTTP_200_OK)
+        self.assertEqual(r.json(), {'status': 0, 'msg': '认证成功'})
+
+    def test_2fa_config(self):
+        """测试用户配置2fa"""
+        json_data = {
+            "engineer": "test_user",
+            "auth_type": "disabled"
+        }
+        r = self.client.post(f'/api/v1/user/2fa/', json_data, format='json')
+        self.assertEqual(r.status_code, status.HTTP_200_OK)
+        self.assertEqual(TwoFactorAuthConfig.objects.count(), 0)
+
+    def test_2fa_save(self):
+        """测试用户保存2fa配置"""
+        json_data = {
+            "engineer": "test_user",
+            "auth_type": "totp",
+            "key": "ZUGRIJZP6H7LIOAL4LH5JA4GSXXT3WOK"
+        }
+        r = self.client.post(f'/api/v1/user/2fa/save/', json_data, format='json')
+        self.assertEqual(r.status_code, status.HTTP_200_OK)
+        self.assertEqual(TwoFactorAuthConfig.objects.count(), 1)
+
+    def test_2fa_verify(self):
+        """测试2fa验证码校验"""
+        json_data = {
+            "engineer": "test_user",
+            "otp": 123456,
+            "key": "ZUGRIJZP6H7LIOAL4LH5JA4GSXXT3WOK",
+            "auth_type": "totp"
+        }
+        r = self.client.post(f'/api/v1/user/2fa/verify/', json_data, format='json')
+        self.assertEqual(r.status_code, status.HTTP_200_OK)
+        self.assertEqual(r.json()['status'], 1)
+
 
 class TestInstance(APITestCase):
     """测试实例相关接口"""
diff --git a/sql_api/urls.py b/sql_api/urls.py
index d64089b613..ef01befd46 100644
--- a/sql_api/urls.py
+++ b/sql_api/urls.py
@@ -22,6 +22,10 @@
     url(r'^v1/user/group/(?P<pk>[0-9]+)/$', api_user.GroupDetail.as_view()),
     path('v1/user/resourcegroup/', api_user.ResourceGroupList.as_view()),
     url(r'^v1/user/resourcegroup/(?P<pk>[0-9]+)/$', api_user.ResourceGroupDetail.as_view()),
+    path('v1/user/auth/', api_user.UserAuth.as_view()),
+    path('v1/user/2fa/', api_user.TwoFA.as_view()),
+    path('v1/user/2fa/save/', api_user.TwoFASave.as_view()),
+    path('v1/user/2fa/verify/', api_user.TwoFAVerify.as_view()),
     path('v1/instance/', api_instance.InstanceList.as_view()),
     url(r'^v1/instance/(?P<pk>[0-9]+)/$', api_instance.InstanceDetail.as_view()),
     path('v1/instance/resource/', api_instance.InstanceResource.as_view()),
diff --git a/src/init_sql/v1.8.4.sql b/src/init_sql/v1.8.4.sql
index b698710e78..9a62e89488 100644
--- a/src/init_sql/v1.8.4.sql
+++ b/src/init_sql/v1.8.4.sql
@@ -1,3 +1,15 @@
 -- 新增openapi菜单权限
 set @content_type_id=(select id from django_content_type where app_label='sql' and model='permission');
 INSERT INTO auth_permission (name, content_type_id, codename) VALUES ('菜单 OpenAPI', @content_type_id, 'menu_openapi');
+
+-- 新增2fa配置表
+CREATE TABLE `2fa_config` (
+  `id` int(11) NOT NULL AUTO_INCREMENT,
+  `username` varchar(200) NOT NULL,
+  `auth_type` varchar(128) NOT NULL,
+  `secret_key` varchar(256) DEFAULT NULL,
+  `user_id` int(11) NOT NULL,
+  PRIMARY KEY (`id`),
+  UNIQUE KEY `user_id` (`user_id`),
+  CONSTRAINT `2fa_config_user_id_a0d1d7c2_fk_sql_users_id` FOREIGN KEY (`user_id`) REFERENCES `sql_users` (`id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;