diff --git a/app/application.go b/app/application.go
index 1c670477..93a5f0d4 100644
--- a/app/application.go
+++ b/app/application.go
@@ -263,6 +263,11 @@ func initRoutes(router *gin.Engine) {
 		webRoutes.POST("/users/2fa_push", webui.UserTwoFactorPush)
 		webRoutes.POST("/users/2fa_verify", webui.UserTwoFactorVerify)
 
+		// Generate and validate Time-based One-Time Passwords for MFA
+		webRoutes.GET("/users/generate_totp", webui.UserGenerateTOTP)
+		webRoutes.GET("/users/validate_totp", webui.UserValidateTOTPView)
+		webRoutes.POST("/users/validate_totp", webui.UserValidateTOTP)
+
 		// User forgot password
 		webRoutes.GET("/users/forgot_password", webui.UserShowForgotPasswordForm)
 		webRoutes.POST("/users/forgot_password", webui.UserSendForgotPasswordMessage)
diff --git a/cfn/cfn-registry-cluster.yml b/cfn/cfn-registry-cluster.yml
index de5837b5..d60d3932 100644
--- a/cfn/cfn-registry-cluster.yml
+++ b/cfn/cfn-registry-cluster.yml
@@ -200,7 +200,7 @@ Resources:
         - Condition: SUCCESS
           ContainerName: Nsqadmin_ResolvConf_InitContainer
         Essential: true
-        Image: 997427182289.dkr.ecr.us-east-1.amazonaws.com/docker-hub/aptrust/registry:bb2623b-master
+        Image: 997427182289.dkr.ecr.us-east-1.amazonaws.com/docker-hub/aptrust/registry:596d1ee-mfa-totp
         Secrets:
         - Name: APT_ENV
           ValueFrom: !Sub 'arn:aws:ssm:us-east-1:997427182289:parameter/${Envn}/REGISTRY/APT_ENV'
diff --git a/constants/constants.go b/constants/constants.go
index 3f31cfb3..5be1f6f8 100644
--- a/constants/constants.go
+++ b/constants/constants.go
@@ -84,6 +84,7 @@ const (
 	RoleInstUser               = "institutional_user"
 	RoleNone                   = "none"
 	RoleSysAdmin               = "admin"
+	SecondFactorTOTP           = "Authenticator App"
 	SecondFactorAuthy          = "Authy"
 	SecondFactorBackupCode     = "Backup Code"
 	SecondFactorSMS            = "SMS"
@@ -132,6 +133,8 @@ const (
 	TopicFixity                = "fixity_check"
 	TopicGlacierRestore        = "restore_glacier"
 	TopicObjectRestore         = "restore_object"
+	TOTPSecretIssuer           = "APTrust"
+	TwoFactorTOTP              = "totp"
 	TwoFactorAuthy             = "onetouch"
 	TwoFactorNone              = "none"
 	TwoFactorSMS               = "sms"
diff --git a/constants/permissions.go b/constants/permissions.go
index ac97f99c..4876bc65 100644
--- a/constants/permissions.go
+++ b/constants/permissions.go
@@ -73,6 +73,7 @@ const (
 	UserDelete                         = "UserDelete"
 	UserDeleteSelf                     = "UserDeleteSelf"
 	UserGenerateBackupCodes            = "UserGenerateBackupCodes"
+	UserGenerateTOTP                   = "UserGenerateTOTP"
 	UserInit2FASetup                   = "UserInit2FASetup"
 	UserRead                           = "UserRead"
 	UserReadSelf                       = "UserReadSelf"
@@ -86,6 +87,8 @@ const (
 	UserTwoFactorVerify                = "UserTwoFactorVerify"
 	UserUpdate                         = "UserUpdate"
 	UserUpdateSelf                     = "UserUpdateSelf"
+	UserValidateTOTP                   = "UserValidateTOTP"
+	UserValidateTOTPView               = "UserValidateTOTPView"
 	WorkItemCreate                     = "WorkItemCreate"
 	WorkItemDelete                     = "WorkItemDelete"
 	WorkItemRead                       = "WorkItemRead"
@@ -152,6 +155,7 @@ var Permissions = []Permission{
 	UserDelete,
 	UserDeleteSelf,
 	UserGenerateBackupCodes,
+	UserGenerateTOTP,
 	UserInit2FASetup,
 	UserRead,
 	UserReadSelf,
@@ -165,6 +169,8 @@ var Permissions = []Permission{
 	UserTwoFactorVerify,
 	UserUpdate,
 	UserUpdateSelf,
+	UserValidateTOTP,
+	UserValidateTOTPView,
 	WorkItemCreate,
 	WorkItemDelete,
 	WorkItemRead,
@@ -228,6 +234,7 @@ func initPermissions() {
 	instUser[UserComplete2FASetup] = true
 	instUser[UserConfirmPhone] = true
 	instUser[UserGenerateBackupCodes] = true
+	instUser[UserGenerateTOTP] = true
 	instUser[UserInit2FASetup] = true
 	instUser[UserReadSelf] = true
 	instUser[UserSignIn] = true
@@ -238,6 +245,8 @@ func initPermissions() {
 	instUser[UserTwoFactorPush] = true
 	instUser[UserTwoFactorResend] = true
 	instUser[UserTwoFactorVerify] = true
+	instUser[UserValidateTOTP] = true
+	instUser[UserValidateTOTPView] = true
 	instUser[UserUpdateSelf] = true
 	instUser[WorkItemRead] = true
 
@@ -268,6 +277,7 @@ func initPermissions() {
 	instAdmin[UserCreate] = true
 	instAdmin[UserDelete] = true
 	instAdmin[UserGenerateBackupCodes] = true
+	instAdmin[UserGenerateTOTP] = true
 	instAdmin[UserInit2FASetup] = true
 	instAdmin[UserReadSelf] = true
 	instAdmin[UserRead] = true
@@ -279,6 +289,8 @@ func initPermissions() {
 	instAdmin[UserTwoFactorPush] = true
 	instAdmin[UserTwoFactorResend] = true
 	instAdmin[UserTwoFactorVerify] = true
+	instAdmin[UserValidateTOTP] = true
+	instAdmin[UserValidateTOTPView] = true
 	instAdmin[UserUpdateSelf] = true
 	instAdmin[UserUpdate] = true
 	instAdmin[WorkItemRead] = true
@@ -341,6 +353,7 @@ func initPermissions() {
 	sysAdmin[UserDeleteSelf] = true
 	sysAdmin[UserDelete] = true
 	sysAdmin[UserGenerateBackupCodes] = true
+	sysAdmin[UserGenerateTOTP] = true
 	sysAdmin[UserInit2FASetup] = true
 	sysAdmin[UserReadSelf] = true
 	sysAdmin[UserRead] = true
@@ -352,6 +365,8 @@ func initPermissions() {
 	sysAdmin[UserTwoFactorPush] = true
 	sysAdmin[UserTwoFactorResend] = true
 	sysAdmin[UserTwoFactorVerify] = true
+	sysAdmin[UserValidateTOTP] = true
+	sysAdmin[UserValidateTOTPView] = true
 	sysAdmin[UserUpdateSelf] = true
 	sysAdmin[UserUpdate] = true
 	sysAdmin[WorkItemCreate] = true
diff --git a/db/fixtures/users.csv b/db/fixtures/users.csv
index 78247fdb..ebbad5ab 100644
--- a/db/fixtures/users.csv
+++ b/db/fixtures/users.csv
@@ -1,10 +1,10 @@
-id,name,email,phone_number,created_at,updated_at,encrypted_password,reset_password_token,reset_password_sent_at,remember_created_at,sign_in_count,current_sign_in_at,last_sign_in_at,current_sign_in_ip,last_sign_in_ip,institution_id,encrypted_api_secret_key,password_changed_at,encrypted_otp_secret,encrypted_otp_secret_iv,encrypted_otp_secret_salt,encrypted_otp_sent_at,consumed_timestep,otp_required_for_login,deactivated_at,enabled_two_factor,confirmed_two_factor,otp_backup_codes,authy_id,last_sign_in_with_authy,authy_status,email_verified,initial_password_updated,force_password_update,account_confirmed,grace_period,awaiting_second_factor,role
-4,Inactive User,inactive@inst1.edu,14345551212,1/12/21 17:14,1/12/21 17:14,$2a$10$7aoot2KFFqikpTYVEbErYOxZijCHDPvqT4OMoFwdmsYBE9SK2PibC,,,,0,,,,,2,$2a$10$7aoot2KFFqikpTYVEbErYOxZijCHDPvqT4OMoFwdmsYBE9SK2PibC,,,,,,,,1/15/21 13:49,FALSE,FALSE,"{code1,code2,code3}",,,,TRUE,TRUE,FALSE,TRUE,12/31/99 23:59,FALSE,none
-5,Inst Two Admin,admin@inst2.edu,14345551212,1/12/21 17:14,1/12/21 17:14,$2a$10$7aoot2KFFqikpTYVEbErYOxZijCHDPvqT4OMoFwdmsYBE9SK2PibC,,,,0,,,,,3,$2a$10$7aoot2KFFqikpTYVEbErYOxZijCHDPvqT4OMoFwdmsYBE9SK2PibC,,,,,,,,,FALSE,FALSE,,,,,TRUE,TRUE,FALSE,TRUE,12/31/99 23:59,FALSE,institutional_admin
-7,Inst Two User,user@inst2.edu,14345551212,1/12/21 17:14,1/12/21 17:14,$2a$10$7aoot2KFFqikpTYVEbErYOxZijCHDPvqT4OMoFwdmsYBE9SK2PibC,,,,0,,,,,3,$2a$10$7aoot2KFFqikpTYVEbErYOxZijCHDPvqT4OMoFwdmsYBE9SK2PibC,,,,,,,,,FALSE,FALSE,,,,,TRUE,TRUE,FALSE,TRUE,12/31/99 23:59,FALSE,institutional_user
-2,Inst One Admin,admin@inst1.edu,14345551212,1/12/21 17:14,9/10/21 14:22,$2a$10$7aoot2KFFqikpTYVEbErYOxZijCHDPvqT4OMoFwdmsYBE9SK2PibC,,,,0,,,,,2,$2a$10$7aoot2KFFqikpTYVEbErYOxZijCHDPvqT4OMoFwdmsYBE9SK2PibC,,,,,,,,,,,,,,,TRUE,TRUE,,TRUE,12/31/99 23:59,FALSE,institutional_admin
-3,Inst One User,user@inst1.edu,14345551212,1/12/21 17:14,9/10/21 14:22,$2a$10$raEJqJ7eRcEwWmeoiJ2vxenR8dqVXCI1SU9zcgkrxeS.6/haWGi4K,,,,1,9/10/21 14:22,,,,2,$2a$10$7aoot2KFFqikpTYVEbErYOxZijCHDPvqT4OMoFwdmsYBE9SK2PibC,,,,,,,,,,,,,,,TRUE,TRUE,,TRUE,12/31/99 23:59,FALSE,institutional_user
-1,APTrust System,system@aptrust.org,14345551212,1/12/21 17:14,9/10/21 14:24,$2a$10$7aoot2KFFqikpTYVEbErYOxZijCHDPvqT4OMoFwdmsYBE9SK2PibC,,,,1,9/10/21 14:24,,127.0.0.1,,1,$2a$10$7aoot2KFFqikpTYVEbErYOxZijCHDPvqT4OMoFwdmsYBE9SK2PibC,,,,,,,,,,,,,,,TRUE,TRUE,,TRUE,12/31/99 23:59,FALSE,admin
-6,Two Factor SMS User,sms_user@example.com,12125551212,9/10/21 14:25,9/10/21 14:25,$2a$10$7aoot2KFFqikpTYVEbErYOxZijCHDPvqT4OMoFwdmsYBE9SK2PibC,,,,0,,,,,2,,,,,,,,TRUE,,,,,,,,,,TRUE,TRUE,11/9/21 5:00,FALSE,institutional_user
-8,Test.edu Admin,admin@test.edu,14345551212,1/12/21 17:14,1/12/21 17:14,$2a$10$7aoot2KFFqikpTYVEbErYOxZijCHDPvqT4OMoFwdmsYBE9SK2PibC,,,,0,,,,,4,$2a$10$7aoot2KFFqikpTYVEbErYOxZijCHDPvqT4OMoFwdmsYBE9SK2PibC,,,,,,,,,FALSE,FALSE,,,,,TRUE,TRUE,FALSE,TRUE,12/31/99 23:59,FALSE,institutional_admin
-9,Test.edu User,user@test.edu,14345551212,1/12/21 17:14,1/12/21 17:14,$2a$10$7aoot2KFFqikpTYVEbErYOxZijCHDPvqT4OMoFwdmsYBE9SK2PibC,,,,0,,,,,4,$2a$10$7aoot2KFFqikpTYVEbErYOxZijCHDPvqT4OMoFwdmsYBE9SK2PibC,,,,,,,,,FALSE,FALSE,,,,,TRUE,TRUE,FALSE,TRUE,12/31/99 23:59,FALSE,institutional_user
\ No newline at end of file
+id,name,email,phone_number,created_at,updated_at,encrypted_password,reset_password_token,reset_password_sent_at,remember_created_at,sign_in_count,current_sign_in_at,last_sign_in_at,current_sign_in_ip,last_sign_in_ip,institution_id,encrypted_api_secret_key,password_changed_at,encrypted_otp_secret,encrypted_otp_secret_iv,encrypted_otp_secret_salt,encrypted_otp_sent_at,consumed_timestep,otp_required_for_login,deactivated_at,enabled_two_factor,confirmed_two_factor,otp_backup_codes,authy_id,last_sign_in_with_authy,authy_status,email_verified,initial_password_updated,force_password_update,account_confirmed,grace_period,awaiting_second_factor,role,encrypted_auth_app_secret
+4,Inactive User,inactive@inst1.edu,14345551212,1/12/21 17:14,1/12/21 17:14,$2a$10$7aoot2KFFqikpTYVEbErYOxZijCHDPvqT4OMoFwdmsYBE9SK2PibC,,,,0,,,,,2,$2a$10$7aoot2KFFqikpTYVEbErYOxZijCHDPvqT4OMoFwdmsYBE9SK2PibC,,,,,,,,1/15/21 13:49,FALSE,FALSE,"{code1,code2,code3}",,,,TRUE,TRUE,FALSE,TRUE,12/31/99 23:59,FALSE,none,
+5,Inst Two Admin,admin@inst2.edu,14345551212,1/12/21 17:14,1/12/21 17:14,$2a$10$7aoot2KFFqikpTYVEbErYOxZijCHDPvqT4OMoFwdmsYBE9SK2PibC,,,,0,,,,,3,$2a$10$7aoot2KFFqikpTYVEbErYOxZijCHDPvqT4OMoFwdmsYBE9SK2PibC,,,,,,,,,FALSE,FALSE,,,,,TRUE,TRUE,FALSE,TRUE,12/31/99 23:59,FALSE,institutional_admin,
+7,Inst Two User,user@inst2.edu,14345551212,1/12/21 17:14,1/12/21 17:14,$2a$10$7aoot2KFFqikpTYVEbErYOxZijCHDPvqT4OMoFwdmsYBE9SK2PibC,,,,0,,,,,3,$2a$10$7aoot2KFFqikpTYVEbErYOxZijCHDPvqT4OMoFwdmsYBE9SK2PibC,,,,,,,,,FALSE,FALSE,,,,,TRUE,TRUE,FALSE,TRUE,12/31/99 23:59,FALSE,institutional_user,
+2,Inst One Admin,admin@inst1.edu,14345551212,1/12/21 17:14,9/10/21 14:22,$2a$10$7aoot2KFFqikpTYVEbErYOxZijCHDPvqT4OMoFwdmsYBE9SK2PibC,,,,0,,,,,2,$2a$10$7aoot2KFFqikpTYVEbErYOxZijCHDPvqT4OMoFwdmsYBE9SK2PibC,,,,,,,,,,,,,,,TRUE,TRUE,,TRUE,12/31/99 23:59,FALSE,institutional_admin,
+3,Inst One User,user@inst1.edu,14345551212,1/12/21 17:14,9/10/21 14:22,$2a$10$raEJqJ7eRcEwWmeoiJ2vxenR8dqVXCI1SU9zcgkrxeS.6/haWGi4K,,,,1,9/10/21 14:22,,,,2,$2a$10$7aoot2KFFqikpTYVEbErYOxZijCHDPvqT4OMoFwdmsYBE9SK2PibC,,,,,,,,,,,,,,,TRUE,TRUE,,TRUE,12/31/99 23:59,FALSE,institutional_user,
+1,APTrust System,system@aptrust.org,14345551212,1/12/21 17:14,9/10/21 14:24,$2a$10$7aoot2KFFqikpTYVEbErYOxZijCHDPvqT4OMoFwdmsYBE9SK2PibC,,,,1,9/10/21 14:24,,127.0.0.1,,1,$2a$10$7aoot2KFFqikpTYVEbErYOxZijCHDPvqT4OMoFwdmsYBE9SK2PibC,,,,,,,,,,,,,,,TRUE,TRUE,,TRUE,12/31/99 23:59,FALSE,admin,
+6,Two Factor SMS User,sms_user@example.com,12125551212,9/10/21 14:25,9/10/21 14:25,$2a$10$7aoot2KFFqikpTYVEbErYOxZijCHDPvqT4OMoFwdmsYBE9SK2PibC,,,,0,,,,,2,,,,,,,,TRUE,,,,,,,,,,TRUE,TRUE,11/9/21 5:00,FALSE,institutional_user,
+8,Test.edu Admin,admin@test.edu,14345551212,1/12/21 17:14,1/12/21 17:14,$2a$10$7aoot2KFFqikpTYVEbErYOxZijCHDPvqT4OMoFwdmsYBE9SK2PibC,,,,0,,,,,4,$2a$10$7aoot2KFFqikpTYVEbErYOxZijCHDPvqT4OMoFwdmsYBE9SK2PibC,,,,,,,,,FALSE,FALSE,,,,,TRUE,TRUE,FALSE,TRUE,12/31/99 23:59,FALSE,institutional_admin,
+9,Test.edu User,user@test.edu,14345551212,1/12/21 17:14,1/12/21 17:14,$2a$10$7aoot2KFFqikpTYVEbErYOxZijCHDPvqT4OMoFwdmsYBE9SK2PibC,,,,0,,,,,4,$2a$10$7aoot2KFFqikpTYVEbErYOxZijCHDPvqT4OMoFwdmsYBE9SK2PibC,,,,,,,,,FALSE,FALSE,,,,,TRUE,TRUE,FALSE,TRUE,12/31/99 23:59,FALSE,institutional_user,
\ No newline at end of file
diff --git a/db/migrations/013_add_auth_app_secret.sql b/db/migrations/013_add_auth_app_secret.sql
new file mode 100644
index 00000000..b4da8cef
--- /dev/null
+++ b/db/migrations/013_add_auth_app_secret.sql
@@ -0,0 +1,12 @@
+-- 013_add_auth_app_secret.sql
+-- Adds a field to represent a secret from an authenticator app for use with MFA
+
+-- Note that we're starting the migration.
+insert into schema_migrations ("version", started_at) values ('013_add_auth_app_secret', now())
+on conflict ("version") do update set started_at = now();
+
+-- Add new encrypted_auth_app_secret to the users table
+alter table users add column if not exists encrypted_auth_app_secret varchar null;
+
+-- Now mark the migration as completed.
+update schema_migrations set finished_at = now() where "version" = '013_add_auth_app_secret';
diff --git a/db/schema.sql b/db/schema.sql
index 0d324f5b..e3395439 100644
--- a/db/schema.sql
+++ b/db/schema.sql
@@ -501,6 +501,7 @@ CREATE TABLE public.users (
 	grace_period timestamp NULL,
 	awaiting_second_factor bool NOT NULL DEFAULT false,
 	"role" varchar(50) NOT NULL DEFAULT 'none'::character varying,
+	encrypted_auth_app_secret varchar NULL,
 	CONSTRAINT users_pkey PRIMARY KEY (id)
 );
 CREATE INDEX index_users_on_authy_id ON public.users USING btree (authy_id);
diff --git a/forms/lists.go b/forms/lists.go
index 428fe180..a40959ff 100644
--- a/forms/lists.go
+++ b/forms/lists.go
@@ -80,6 +80,7 @@ var StorageOptionList = []*ListOption{
 
 var TwoFactorMethodList = []*ListOption{
 	{constants.TwoFactorNone, "None (Turn Off Two-Factor Authentication)", false},
+	{constants.TwoFactorTOTP, "Authenticator App", false},
 	{constants.TwoFactorAuthy, "Authy OneTouch", false},
 	{constants.TwoFactorSMS, "Text Message", false},
 }
diff --git a/forms/two_factor_setup_form.go b/forms/two_factor_setup_form.go
index bd9f8f42..3d60b519 100644
--- a/forms/two_factor_setup_form.go
+++ b/forms/two_factor_setup_form.go
@@ -21,7 +21,7 @@ func (f *TwoFactorSetupForm) init() {
 	f.Fields["AuthyStatus"] = &Field{
 		Name:        "AuthyStatus",
 		Label:       "Preferred Method for Two-Factor Auth",
-		Placeholder: "",
+		Placeholder: "Authy",
 		ErrMsg:      "Please choose your preferred method.",
 		Options:     TwoFactorMethodList,
 		Attrs: map[string]string{
diff --git a/go.mod b/go.mod
index eb0fcd7f..686f3574 100644
--- a/go.mod
+++ b/go.mod
@@ -32,6 +32,7 @@ require (
 	github.com/andybalholm/brotli v1.0.4 // indirect
 	github.com/blang/semver v3.5.1+incompatible // indirect
 	github.com/bmizerany/perks v0.0.0-20141205001514-d9a9656a3a4b // indirect
+	github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc // indirect
 	github.com/bytedance/sonic v1.9.1 // indirect
 	github.com/chenzhuoyu/base64x v0.0.0-20221115062448-fe3a3abad311 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
@@ -72,8 +73,10 @@ require (
 	github.com/pelletier/go-toml/v2 v2.0.8 // indirect
 	github.com/pkg/errors v0.8.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/pquerna/otp v1.5.0 // indirect
 	github.com/sanity-io/litter v1.5.5 // indirect
 	github.com/sergi/go-diff v1.0.0 // indirect
+	github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e // indirect
 	github.com/spf13/afero v1.1.2 // indirect
 	github.com/spf13/cast v1.3.0 // indirect
 	github.com/spf13/jwalterweatherman v1.0.0 // indirect
diff --git a/go.sum b/go.sum
index 76495f6b..38d7eed4 100644
--- a/go.sum
+++ b/go.sum
@@ -39,6 +39,8 @@ github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdn
 github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
 github.com/bmizerany/perks v0.0.0-20141205001514-d9a9656a3a4b h1:AP/Y7sqYicnjGDfD5VcY4CIfh1hRXBUavxrvELjTiOE=
 github.com/bmizerany/perks v0.0.0-20141205001514-d9a9656a3a4b/go.mod h1:ac9efd0D1fsDb3EJvhqgXRbFx7bs2wqZ10HQPeU8U/Q=
+github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc h1:biVzkmvwrH8WK8raXaxBx6fRVTlJILwEwQGL1I/ByEI=
+github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
 github.com/brianvoe/gofakeit/v6 v6.9.0 h1:UCGhPCKLiqBc910TKS7LcOGf74NozftibFCbGIS6GZQ=
 github.com/brianvoe/gofakeit/v6 v6.9.0/go.mod h1:palrJUk4Fyw38zIFB/uBZqsgzW5VsNllhHKKwAebzew=
 github.com/bytedance/sonic v1.5.0/go.mod h1:ED5hyg4y6t3/9Ku1R6dU/4KyJ48DZ4jPhfY1O2AihPM=
@@ -273,6 +275,8 @@ github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI=
+github.com/pquerna/otp v1.5.0 h1:NMMR+WrmaqXU4EzdGJEE1aUUI0AMRzsp96fFFWNPwxs=
+github.com/pquerna/otp v1.5.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg=
 github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
 github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso=
 github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
@@ -297,6 +301,8 @@ github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg
 github.com/sergi/go-diff v1.0.0 h1:Kpca3qRNrduNnOQeazBd0ysaKrUJiIuISHxogkT9RPQ=
 github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
+github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e h1:MRM5ITcdelLK2j1vwZ3Je0FKVCfqOLp5zO6trqMLYs0=
+github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e/go.mod h1:XV66xRDqSt+GTGFMVlhk3ULuV0y9ZmzeVGR4mloJI3M=
 github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d h1:zE9ykElWQ6/NYmHa3jpm/yHnI4xSofP+UP6SpjHcSeM=
 github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
 github.com/smartystreets/goconvey v1.6.4 h1:fv0U8FUIMPNf1L9lnHLvLhgicrIVChEkdzIKYqbNC9s=
diff --git a/middleware/authenticate.go b/middleware/authenticate.go
index 1b665163..1573a2a8 100644
--- a/middleware/authenticate.go
+++ b/middleware/authenticate.go
@@ -174,7 +174,7 @@ func SetDefaultHeaders(c *gin.Context) {
 	// Set these security headers on all responses.
 	c.Writer.Header().Set("X-XSS-Protection", "1")
 	c.Writer.Header().Set("X-Content-Type-Options", "nosniff")
-	c.Writer.Header().Set("Content-Security-Policy", "default-src 'self'; font-src 'self' fonts.gstatic.com; style-src 'self' 'unsafe-inline' fonts.googleapis.com; script-src 'self' 'unsafe-inline'")
+	c.Writer.Header().Set("Content-Security-Policy", "default-src 'self'; font-src 'self' fonts.gstatic.com; style-src 'self' 'unsafe-inline' fonts.googleapis.com; script-src 'self' 'unsafe-inline'; img-src 'self' data:;")
 }
 
 func forceCompletionOfPasswordChange(c *gin.Context, currentUser *pgmodels.User) bool {
@@ -198,6 +198,7 @@ func forceCompletionOfTwoFactorAuth(c *gin.Context, currentUser *pgmodels.User)
 	p := c.FullPath()
 	return currentUser.ResetPasswordToken == "" &&
 		currentUser.AwaitingSecondFactor &&
+		!strings.HasPrefix(p, "/users/validate_totp") &&
 		!strings.HasPrefix(p, "/users/2fa_backup") &&
 		!strings.HasPrefix(p, "/users/2fa_choose") &&
 		!strings.HasPrefix(p, "/users/2fa_push") &&
diff --git a/middleware/authorization_map.go b/middleware/authorization_map.go
index 77c4b867..799d4d2c 100644
--- a/middleware/authorization_map.go
+++ b/middleware/authorization_map.go
@@ -122,6 +122,7 @@ var AuthMap = map[string]AuthMetadata{
 	"UserDeleteSelf":                     {"User", constants.UserDeleteSelf, "Deactivate Your Account"},
 	"UserEdit":                           {"User", constants.UserUpdate, "Edit User"},
 	"UserGenerateBackupCodes":            {"User", constants.UserGenerateBackupCodes, "Create Two-Factor Backup Codes"},
+	"UserGenerateTOTP":                   {"User", constants.UserGenerateTOTP, "Authenticator App Setup"},
 	"UserGetAPIKey":                      {"User", constants.UserUpdateSelf, "Generate API Key"},
 	"UserIndex":                          {"User", constants.UserRead, "Users"},
 	"UserInit2FASetup":                   {"User", constants.UserInit2FASetup, "Start Two-Factor Setup"},
@@ -141,6 +142,8 @@ var AuthMap = map[string]AuthMetadata{
 	"UserUpdate":                         {"User", constants.UserUpdate, "Update User"},
 	"UserUpdateXHR":                      {"User", constants.UserUpdate, "Update User"},
 	"UserUpdateSelf":                     {"User", constants.UserUpdateSelf, "Update User"},
+	"UserValidateTOTP":                   {"User", constants.UserValidateTOTP, "MFA Confirm TOTP Via Authenticator App"},
+	"UserValidateTOTPView":               {"User", constants.UserValidateTOTPView, "MFA Confirm TOTP Via Authenticator App Form"},
 	"WorkItemCreate":                     {"WorkItem", constants.WorkItemCreate, "Create Work Item"},
 	"WorkItemDelete":                     {"WorkItem", constants.WorkItemDelete, "Delete Work Item"},
 	"WorkItemEdit":                       {"WorkItem", constants.WorkItemUpdate, "Edit Work Item"},
diff --git a/notes.md b/notes.md
index 20d34ab4..885ae219 100644
--- a/notes.md
+++ b/notes.md
@@ -102,11 +102,14 @@ Remember, depdenency hell and mountains of garbage code are only one npm package
 ### Login
 
 * Email/password login
+* Two-factor authenticator app (recommended)
 * Two-factor text/sms
 * Two-factor Authy
 
 To ensure users won't have to change their passwords when moving from the Rails app, implement the same password encryption scheme as Devise. The scheme is described [here](https://www.freecodecamp.org/news/how-does-devise-keep-your-passwords-safe-d367f6e816eb/), and the [Go bcrypt library](https://pkg.go.dev/golang.org/x/crypto/bcrypt) should be able to support it.
 
+You can utilize any authenticator app that supports QR codes for two-factor authentication, including but not limited to Google Authenticator, Microsoft Authenticator, or Duo.
+
 For two-factor auth, since we're already using Authy, try the [Go Client for Authy](https://github.com/dcu/go-authy).
 
 ### Edit
@@ -345,6 +348,8 @@ The term "items" below refers to Intellectual Objects, Generic Files, Checksums,
 
 # Two Factor Authentication
 
+The recommended method currently is to use an authenticator app on your device. You can use any authenticator app that supports QR codes, such as Google Authenticator, Microsoft Authenticator, or Duo.
+
 Current Pharos users who have enabled two-factor authentication receive one-time passwords through SMS or push notifications through Authy OneTouch. These methods were chosen after long discussion with depositors and we cannot change them without another long discussion. So for now, we're sticking with these two.
 
 Notes on two-factor setup and workflow have grown large enoug to warrant their own document. See [Two Factor Notes](two_factor_notes.md).
diff --git a/pgmodels/user.go b/pgmodels/user.go
index 0917ced3..90eddd6c 100644
--- a/pgmodels/user.go
+++ b/pgmodels/user.go
@@ -112,6 +112,12 @@ type User struct {
 	// we're waiting for a user to enter a text/SMS OTP.
 	EncryptedOTPSentAt time.Time `json:"-" form:"-" pg:"encrypted_otp_sent_at"`
 
+	// EncryptedAuthAppSecret is a secret value shared with the user's device.
+	// This value is not used for SMS OTP - that would be the EncryptedOTPSecret.
+	// Rather, this value is used with authenticator apps if the user has
+	// Authenticator App MFA enabled.
+	EncryptedAuthAppSecret string `json:"-" form:"-" pg:"encrypted_auth_app_secret"`
+
 	// ConsumedTimestep is a legacy field from Devise, which used it
 	// for time-based one-time passwords. Not used.
 	// TODO: Delete this.
@@ -377,6 +383,12 @@ func (user *User) IsAuthyOneTouchUser() bool {
 	return user.IsTwoFactorUser() && (user.AuthyStatus == constants.TwoFactorAuthy)
 }
 
+// IsAuthenticatorAppUser returns true if the user has enabled an authenticator app
+// for two-factor login.
+func (user *User) IsAuthenticatorAppUser() bool {
+	return user.IsTwoFactorUser() && (user.AuthyStatus == constants.TwoFactorTOTP)
+}
+
 // IsTwoFactorUser returns true if this user has enabled and confirmed
 // two factor authentication.
 //
@@ -401,7 +413,10 @@ func (user *User) TwoFactorMethod() string {
 	if user.IsSMSUser() {
 		return constants.TwoFactorSMS
 	}
-	return constants.TwoFactorAuthy
+	if user.IsAuthyOneTouchUser() {
+		return constants.TwoFactorAuthy
+	}
+	return constants.TwoFactorTOTP
 }
 
 // CreateOTPToken creates a new one-time password token, typically
diff --git a/views/users/choose_second_factor.html b/views/users/choose_second_factor.html
index 073d8952..e2e9157a 100644
--- a/views/users/choose_second_factor.html
+++ b/views/users/choose_second_factor.html
@@ -25,6 +25,22 @@ <h2>Multi-Factor Authentication Required</h2>
   <div class="modal-content">
     <p class="mb-3">How would you like to complete your login?</p>
 
+    <div class="two-factor-option mb-3">
+      <button class="button is-primary" onclick="submitSecondFactor('totp')">Authenticator App</button>
+      <article id="two-factor-method-totp" class="message is-info mt-4 two-factor-message" style="display:none">
+        <p class="mb-5">Using your authenticator app, please enter the one-time code that you see for APTrust.</p>
+
+        {{ if .errorMessage }}
+          <p class="mb-5">{{ .errorMessage }}</p> 
+        {{ end }}
+
+        <form name="validateTOTP" method="get" action="/users/validate_totp">
+          <input name="totpCode" type="password" label="One-Time Code">
+          {{ template "forms/csrf_token.html" . }}
+          <input class="button" type="submit" value="Continue">
+        </form>
+      </article>
+    </div>
     <div class="two-factor-option mb-3">
       <button class="button is-primary" onclick="submitSecondFactor('authy')" disabled title="Authy is temporarily not available. APTrust is working to resolve this issue.">Authy</button>
       <article id="two-factor-method-authy" class="message is-info mt-4 two-factor-message" style="display:none">
@@ -57,7 +73,10 @@ <h2>Multi-Factor Authentication Required</h2>
     let csrfToken = "{{ .csrf_token }}"
     form["two_factor_method"].value = twoFactorMethod
 
-    if (twoFactorMethod == "backup") {
+    if (twoFactorMethod == "totp") {
+      // form = document.forms["validateTOTP"]
+      // addCsrf(form, csrfToken)
+    } else if (twoFactorMethod == "backup") {
       form["csrf_token"] = null
       form.method = "get"
       form.action = "/users/2fa_backup/"
@@ -71,7 +90,9 @@ <h2>Multi-Factor Authentication Required</h2>
       form.action = "/users/2fa_sms/"
     }
     showTwoFactorMessage(twoFactorMethod)
-    form.submit()
+    if (twoFactorMethod != "totp") {
+      form.submit()
+    }
   }
   function addCsrf(form, token) {
     if (form["csrf_token"] == null) {
diff --git a/views/users/setup_authenticator_app.html b/views/users/setup_authenticator_app.html
new file mode 100644
index 00000000..a1eb02b8
--- /dev/null
+++ b/views/users/setup_authenticator_app.html
@@ -0,0 +1,52 @@
+{{ define "users/setup_authenticator_app.html" }}
+
+<!-- Show the header unless query string says modal=true -->
+{{ if not .showAsModal }}
+  {{ template "shared/_header.html" .}}
+{{ end }}
+
+<div class="box" style="padding: 5px 30px;">
+  <div class="box-header">
+    <h2>Set Up Authenticator App</h2>
+  </div>
+
+  <div class="modal-content">
+    <p class="mb-5">Using your authenticator app, please scan the QR code displayed below. Then, follow the instructions in your authenticator app. When you're done setting up your authenticator app, click Continue.</p>
+    <p class="mb-5">If you cannot or do not wish to continue with the setup, click on the Cancel Setup button.</p>
+
+    <img src="data:image/png;base64,{{ .otpQRImage }}" alt="This is the QR code image used to set up your authenticator app." />
+    <p class="mb-5">If you would rather enter a setup key into your app instead of scanning the QR code, please click the Show Setup Key button below.</p>
+    <button class="button" onclick="showSecVal()">Show Setup Key</button>
+    <p class="mb-5" id="secValSection" style="display:none;">
+        <br/><br/>
+        Enter this Setup Key into your authenticator app.<br />
+        Note: Please enter the exact Setup Key with care. Your authenticator app may not show any message or error if the Setup Key is entered incorrectly.<br />
+        In the next step, you will have the opportunity to validate that the authenticator app is set up correctly. If you are having trouble validating in the next step, you will be able to cancel setup and try again.<br />
+        Please do not share the Setup Key with anyone.
+        <br /><br/>
+        <span style="font-family: 'Courier New', Courier, monospace; font-size: 20pt; font-weight: bold;">{{ .secVal }}</span>
+    </p>
+    <br/><br/>
+    <form name="finishTOTPSetup" method="get" action="/users/validate_totp">
+        <input class="text" type="text" name="firstConfirm" value="firstConfirm" style="display:none;">
+        <input class="button is-primary" type="submit" value="Continue"><br />
+        <input class="button" onclick="cancelSetup()" value="Cancel Setup">
+    </form>
+  </div>
+</div>
+
+<script>
+    function showSecVal(){
+        document.getElementById('secValSection').style.display = "block"    
+    }
+    function cancelSetup(){
+        window.location = "/users/my_account"
+    }
+</script>
+<!-- Show the footer unless query string says modal=true -->
+{{ if not .showAsModal }}
+  {{ template "shared/_footer.html" .}}
+{{ end }}
+
+
+{{ end }}
diff --git a/views/users/validate_totp.html b/views/users/validate_totp.html
new file mode 100644
index 00000000..4cd9780f
--- /dev/null
+++ b/views/users/validate_totp.html
@@ -0,0 +1,46 @@
+{{ define "users/validate_totp.html" }}
+
+<!-- Show the header unless query string says modal=true -->
+{{ if not .showAsModal }}
+  {{ template "shared/_header.html" .}}
+{{ end }}
+
+<div class="box" style="padding: 5px 30px;">
+  <div class="box-header">
+    <h2>Enter One-Time Code From Your Authenticator App</h2>
+  </div>
+
+  <div class="modal-content">
+    <p class="mb-5">Using your authenticator app, please enter the one-time code that you see for APTrust.</p>
+
+    {{ if .errorMessage }}
+      <p class="mb-5">{{ .errorMessage }}</p> 
+    {{ end }}
+
+    <form name="validateTOTP" method="post" action="/users/validate_totp">
+      <input name="totpCode" type="password" label="One-Time Code" autofocus>
+      {{ if .firstConfirm }}
+          <input name="firstConfirm" type="text" value="firstConfirm" style="visibility:hidden">  
+      {{ end }}
+      {{ template "forms/csrf_token.html" . }}
+      <input class="button" type="submit" value="Continue">
+      {{ if .firstConfirm }}
+          <input class="button" onclick="cancelSetup()" value="Cancel Setup">
+      {{ end }}
+    </form>
+    <br/><br/>
+  </div>
+</div>
+
+<script>
+    function cancelSetup(){
+        window.location = "/users/my_account"
+    }
+</script>
+<!-- Show the footer unless query string says modal=true -->
+{{ if not .showAsModal }}
+  {{ template "shared/_footer.html" .}}
+{{ end }}
+
+
+{{ end }}
diff --git a/web/webui/two_factor_controller.go b/web/webui/two_factor_controller.go
index a20e112c..d40f93dc 100644
--- a/web/webui/two_factor_controller.go
+++ b/web/webui/two_factor_controller.go
@@ -1,6 +1,7 @@
 package webui
 
 import (
+	"encoding/base64"
 	"fmt"
 	"net/http"
 	"time"
@@ -10,6 +11,8 @@ import (
 	"github.com/APTrust/registry/forms"
 	"github.com/APTrust/registry/helpers"
 	"github.com/gin-gonic/gin"
+	"github.com/pquerna/otp/totp"
+	"github.com/skip2/go-qrcode"
 	"github.com/stretchr/stew/slice"
 )
 
@@ -99,7 +102,11 @@ func UserTwoFactorVerify(c *gin.Context) {
 
 	user := req.CurrentUser
 
-	if method == constants.TwoFactorSMS {
+	if method == constants.TwoFactorTOTP {
+		if OTPTokenIsExpired(user.EncryptedOTPSentAt) {
+			c.Redirect(http.StatusFound, "/users/validate_totp")
+		}
+	} else if method == constants.TwoFactorSMS {
 		if OTPTokenIsExpired(user.EncryptedOTPSentAt) {
 			helpers.SetFlashCookie(c, "Your one-time password expired. Please sign in again.")
 			c.Redirect(http.StatusFound, "/users/sign_out")
@@ -117,7 +124,9 @@ func UserTwoFactorVerify(c *gin.Context) {
 		// User model needs FailedLogins and LockoutUntil.
 		// Then we need logic to enforce the lockout.
 		msg := "Backup code is incorrect. Try again."
-		if method == constants.TwoFactorSMS {
+		if method == constants.TwoFactorTOTP {
+			msg = "One-time code is incorrect. Try again."
+		} else if method == constants.TwoFactorSMS {
 			msg = "One-time password is incorrect. Try again."
 		}
 		req.TemplateData["flash"] = msg
@@ -197,6 +206,23 @@ func UserComplete2FASetup(c *gin.Context) {
 		return
 	}
 
+	if prefs.UseAuthenticatorApp() {
+		userCompleteAuthenticatorAppSetup(c, req, prefs)
+		return
+		/* if AbortIfError(c, err) {
+			return
+		}
+		if ok {
+			helpers.SetFlashCookie(c, "Your two-factor setup is complete. Next time you log in, you will need to use your authenticator app and provide a six-digit one-time code to complete the sign-in process.")
+			c.Redirect(http.StatusFound, "/users/my_account")
+			return
+		} else {
+			// User did not approve
+			c.Redirect(http.StatusFound, "/users/sign_out")
+			return
+		} */
+	}
+
 	if prefs.UseAuthy() {
 		ok, err := userCompleteAuthySetup(req, prefs)
 		if AbortIfError(c, err) {
@@ -226,6 +252,7 @@ func UserComplete2FASetup(c *gin.Context) {
 			helpers.SetFlashCookie(c, "Your phone number has been updated.")
 		}
 	}
+
 	c.Redirect(http.StatusFound, "/users/my_account")
 }
 
@@ -375,6 +402,17 @@ func userCompleteAuthySetup(req *Request, prefs *TwoFactorPreferences) (ok bool,
 	return ok, err
 }
 
+func userCompleteAuthenticatorAppSetup(c *gin.Context, req *Request, prefs *TwoFactorPreferences) {
+	if prefs.NeedsAuthenticatorAppRegistration() {
+		c.Redirect(http.StatusFound, "/users/generate_totp")
+		return
+	} else if prefs.NeedsAuthenticatorAppConfirmation() {
+		c.Redirect(http.StatusFound, "/users/validate_totp")
+		return
+	}
+	c.Redirect(http.StatusFound, "/users/my_account")
+}
+
 func UserCompleteSMSSetup(req *Request) error {
 	// Send SMS code and redirect to UserConfirmPhone
 	user := req.CurrentUser
@@ -397,3 +435,93 @@ func OTPTokenIsExpired(tokenSentAt time.Time) bool {
 	expiration := tokenSentAt.Add(common.Context().Config.TwoFactor.OTPExpiration)
 	return time.Now().After(expiration)
 }
+
+// Generates a QR code that a user can use to set up MFA with any Authenticator App
+// on their device.
+//
+// GET /users/generate_totp
+func UserGenerateTOTP(c *gin.Context) {
+	req := NewRequest(c)
+	user := req.CurrentUser
+	if user.EncryptedAuthAppSecret == "" {
+		// if 1 == 1 {
+		secret, err := totp.Generate(totp.GenerateOpts{
+			Issuer:      constants.TOTPSecretIssuer,
+			AccountName: user.Email,
+		})
+		if err != nil {
+			if AbortIfError(c, err) {
+				return
+			}
+		}
+		user.EncryptedAuthAppSecret = secret.Secret()
+		err = user.Save()
+		if AbortIfError(c, err) {
+			return
+		}
+		// req.TemplateData["sec"] = secret // temp - remove
+	}
+	otpURL := fmt.Sprintf("otpauth://totp/%s:%s?secret=%s&issuer=%s", constants.TOTPSecretIssuer, user.Email, user.EncryptedAuthAppSecret, constants.TOTPSecretIssuer)
+	//otpURL := fmt.Sprintf("otpauth://totp/%s:%s?secret=%s&issuer=%s", constants.TOTPSecretIssuer, user.Email, "nonesuch", constants.TOTPSecretIssuer)
+	png, err := qrcode.Encode(otpURL, qrcode.Medium, 256)
+	if err != nil {
+		if AbortIfError(c, err) {
+			return
+		}
+	}
+	otpQRImage := base64.StdEncoding.EncodeToString(png)
+	req.TemplateData["otpQRImage"] = otpQRImage
+	req.TemplateData["secVal"] = user.EncryptedAuthAppSecret
+	// req.TemplateData["secVal"] = "nonesuch"
+	c.HTML(http.StatusOK, "users/setup_authenticator_app.html", req.TemplateData)
+}
+
+// Displays page for user to validate their TOTP using an authenticator app.
+func UserValidateTOTPView(c *gin.Context) {
+	req := NewRequest(c)
+	_, firstConfirm := c.GetQueryMap("firstConfirm")
+	if firstConfirm {
+		req.TemplateData["firstConfirm"] = firstConfirm
+	}
+	c.HTML(http.StatusOK, "users/validate_totp.html", req.TemplateData)
+}
+
+// Validates a TOTP provided by the user from their authenticator app.
+func UserValidateTOTP(c *gin.Context) {
+	req := NewRequest(c)
+	user := req.CurrentUser
+	totpCode := c.PostForm("totpCode")
+	confirming := c.PostForm("firstConfirm")
+	isValid := totp.Validate(totpCode, user.EncryptedAuthAppSecret)
+	// isValid := totp.Validate(totpCode, "nonesuch")
+	if !isValid {
+		req.TemplateData["errorMessage"] = "Oops! That wasn't the right code. Please try again."
+		c.HTML(http.StatusOK, "users/validate_totp.html", req.TemplateData)
+		return
+	} else {
+		// If we've reached here, you've provided a valid code
+		if confirming == "" {
+			// req.CurrentUser.AwaitingSecondFactor = false
+
+			err := req.CurrentUser.Save()
+			if err != nil {
+				if AbortIfError(c, err) {
+					return
+				}
+			}
+		}
+		user.AwaitingSecondFactor = false
+		user.EnabledTwoFactor = true
+		user.ConfirmedTwoFactor = true
+		user.Save()
+		if confirming != "" {
+			helpers.SetFlashCookie(c, "Your two-factor setup is complete. Next time you log in, you'll need to use your authenticator app to enter a one-time password.")
+			c.Redirect(http.StatusFound, "/users/my_account")
+			return
+		} else {
+			helpers.SetFlashCookie(c, "Logged in successfully!")
+			c.Redirect(http.StatusFound, "/dashboard")
+			return
+		}
+	}
+}
diff --git a/web/webui/two_factor_preferences.go b/web/webui/two_factor_preferences.go
index 961975fb..6c59fa07 100644
--- a/web/webui/two_factor_preferences.go
+++ b/web/webui/two_factor_preferences.go
@@ -6,16 +6,19 @@ import (
 )
 
 type TwoFactorPreferences struct {
-	OldPhone  string
-	NewPhone  string
-	OldMethod string
-	NewMethod string
-	User      *pgmodels.User
+	OldPhone         string
+	NewPhone         string
+	OldMethod        string
+	NewMethod        string
+	OldAuthAppMethod string
+	NewAuthAppMethod string
+	User             *pgmodels.User
 }
 
 func NewTwoFactorPreferences(req *Request) (*TwoFactorPreferences, error) {
 	oldPhone := req.CurrentUser.PhoneNumber
 	oldMethod := req.CurrentUser.AuthyStatus
+	oldAuthAppMethod := constants.TwoFactorNone // req.CurrentUser.UseAuthenticatorApp
 
 	// Get phone and authy data submitted in the form.
 	user := &pgmodels.User{}
@@ -29,11 +32,13 @@ func NewTwoFactorPreferences(req *Request) (*TwoFactorPreferences, error) {
 	user.ReformatPhone()
 
 	prefs := &TwoFactorPreferences{
-		OldPhone:  oldPhone,
-		NewPhone:  user.PhoneNumber,
-		OldMethod: oldMethod,
-		NewMethod: user.AuthyStatus,
-		User:      user,
+		OldPhone:         oldPhone,
+		NewPhone:         user.PhoneNumber,
+		OldMethod:        oldMethod,
+		NewMethod:        user.AuthyStatus,
+		User:             user,
+		OldAuthAppMethod: oldAuthAppMethod,
+		NewAuthAppMethod: constants.TwoFactorNone,
 	}
 
 	return prefs, nil
@@ -47,18 +52,26 @@ func (p *TwoFactorPreferences) MethodChanged() bool {
 	return p.OldMethod != p.NewMethod
 }
 
+func (p *TwoFactorPreferences) AuthAppMethodChanged() bool {
+	return p.OldAuthAppMethod != p.NewAuthAppMethod
+}
+
 func (p *TwoFactorPreferences) NeedsConfirmation() bool {
-	return p.PhoneChanged() || p.MethodChanged()
+	return p.PhoneChanged() || p.MethodChanged() || p.AuthAppMethodChanged()
 }
 
 func (p *TwoFactorPreferences) NothingChanged() bool {
-	return !p.PhoneChanged() && !p.MethodChanged()
+	return !p.PhoneChanged() && !p.MethodChanged() && !p.AuthAppMethodChanged()
 }
 
 func (p *TwoFactorPreferences) DoNotUseTwoFactor() bool {
 	return p.NewMethod == constants.TwoFactorNone
 }
 
+func (p *TwoFactorPreferences) UseAuthenticatorApp() bool {
+	return p.NewMethod == constants.TwoFactorTOTP
+}
+
 func (p *TwoFactorPreferences) UseAuthy() bool {
 	return p.NewMethod == constants.TwoFactorAuthy
 }
@@ -75,6 +88,15 @@ func (p *TwoFactorPreferences) NeedsAuthyConfirmation() bool {
 	return p.NeedsConfirmation() && p.NewMethod == constants.TwoFactorAuthy
 }
 
+func (p *TwoFactorPreferences) NeedsAuthenticatorAppRegistration() bool {
+	return true
+	// return p.NewAuthAppMethod == constants.TwoFactorTOTP && p.User.TOTPSecret == ""
+}
+
+func (p *TwoFactorPreferences) NeedsAuthenticatorAppConfirmation() bool {
+	return p.NeedsConfirmation() && p.NewMethod == constants.TwoFactorTOTP
+}
+
 func (p *TwoFactorPreferences) NeedsSMSConfirmation() bool {
 	return p.NeedsConfirmation() && p.NewMethod == constants.TwoFactorSMS
 }
diff --git a/web/webui/two_factor_preferences_test.go b/web/webui/two_factor_preferences_test.go
index 25f932ca..9529c4a9 100644
--- a/web/webui/two_factor_preferences_test.go
+++ b/web/webui/two_factor_preferences_test.go
@@ -30,16 +30,25 @@ func TestTwoFactorPreferences(t *testing.T) {
 	assert.True(t, prefs.DoNotUseTwoFactor())
 	assert.False(t, prefs.UseAuthy())
 	assert.False(t, prefs.UseSMS())
+	assert.False(t, prefs.UseAuthenticatorApp())
 
 	prefs.NewMethod = constants.TwoFactorSMS
 	assert.False(t, prefs.DoNotUseTwoFactor())
 	assert.False(t, prefs.UseAuthy())
 	assert.True(t, prefs.UseSMS())
+	assert.False(t, prefs.UseAuthenticatorApp())
 
 	prefs.NewMethod = constants.TwoFactorAuthy
 	assert.False(t, prefs.DoNotUseTwoFactor())
 	assert.True(t, prefs.UseAuthy())
 	assert.False(t, prefs.UseSMS())
+	assert.False(t, prefs.UseAuthenticatorApp())
+
+	prefs.NewMethod = constants.TwoFactorTOTP
+	assert.False(t, prefs.DoNotUseTwoFactor())
+	assert.False(t, prefs.UseAuthy())
+	assert.False(t, prefs.UseSMS())
+	assert.True(t, prefs.UseAuthenticatorApp())
 
 	prefs.NewMethod = constants.TwoFactorAuthy
 	prefs.User.AuthyID = ""
@@ -49,6 +58,14 @@ func TestTwoFactorPreferences(t *testing.T) {
 	prefs.User.AuthyID = ""
 	assert.False(t, prefs.NeedsAuthyRegistration())
 
+	prefs.NewMethod = constants.TwoFactorAuthy
+	prefs.User.AuthyID = ""
+	assert.True(t, prefs.NeedsAuthyRegistration())
+
+	prefs.NewMethod = constants.TwoFactorTOTP
+	prefs.User.AuthyID = ""
+	assert.False(t, prefs.NeedsAuthyRegistration())
+
 	prefs.NewMethod = constants.TwoFactorAuthy
 	prefs.User.AuthyID = "12345"
 	assert.False(t, prefs.NeedsAuthyRegistration())
diff --git a/web/webui/users_controller.go b/web/webui/users_controller.go
index cb022bbd..f0323fa1 100644
--- a/web/webui/users_controller.go
+++ b/web/webui/users_controller.go
@@ -524,7 +524,9 @@ func SignInUser(c *gin.Context) (int, string, error) {
 	c.Set("CurrentUser", user)
 
 	redirectTo = "/dashboard"
-	if user.IsTwoFactorUser() {
+	if user.IsTwoFactorUser() && user.IsAuthenticatorAppUser() {
+		redirectTo = "/users/validate_totp"
+	} else if user.IsTwoFactorUser() {
 		redirectTo = "/users/2fa_choose"
 	}
 	return http.StatusFound, redirectTo, nil