diff --git a/apollo/core.py b/apollo/core.py
index 6a99f157c..2da56cc32 100644
--- a/apollo/core.py
+++ b/apollo/core.py
@@ -16,6 +16,8 @@
 except ImportError:
     fdt_available = False
 from flask_jwt_extended import JWTManager
+from flask_limiter import Limiter
+from flask_limiter.util import get_remote_address
 from flask_mail import Mail
 from flask_menu import Menu
 from flask_migrate import Migrate
@@ -41,6 +43,7 @@ def index(self):
 cors = CORS()
 db = SQLAlchemy(session_options={"expire_on_commit": False})
 jwt_manager = JWTManager()
+limiter = Limiter(get_remote_address)
 mail = Mail()
 menu = Menu()
 metrics = PrometheusMetrics.for_app_factory(defaults_prefix=NO_PREFIX)
diff --git a/apollo/factory.py b/apollo/factory.py
index 4deed34df..53fbd52d0 100644
--- a/apollo/factory.py
+++ b/apollo/factory.py
@@ -24,6 +24,7 @@
     debug_toolbar,
     fdt_available,
     jwt_manager,
+    limiter,
     mail,
     menu,
     metrics,
@@ -127,6 +128,7 @@ def _before_send(event, hint):
     cors.init_app(app)
     db.init_app(app)
     jwt_manager.init_app(app)
+    limiter.init_app(app)
     migrate.init_app(app, db)
     mail.init_app(app)
     red.init_app(app)
diff --git a/apollo/participants/api/views.py b/apollo/participants/api/views.py
index c1f96a408..4e03a6e39 100644
--- a/apollo/participants/api/views.py
+++ b/apollo/participants/api/views.py
@@ -1,12 +1,20 @@
 # -*- coding: utf-8 -*-
+import random
+import string
 from http import HTTPStatus
 
-from flask import g, jsonify, request
+from flask import g, jsonify, request, session
 from flask_apispec import MethodResource, marshal_with, use_kwargs
 from flask_babel import gettext
 from flask_jwt_extended import (
-    create_access_token, get_jwt, get_jwt_identity, jwt_required,
-    set_access_cookies, unset_access_cookies)
+    create_access_token,
+    get_jwt,
+    get_jwt_identity,
+    jwt_required,
+    set_access_cookies,
+    unset_access_cookies,
+)
+from passlib import totp
 from sqlalchemy import and_, bindparam, func, or_, text, true
 from sqlalchemy.orm import aliased
 from sqlalchemy.orm.exc import NoResultFound
@@ -15,18 +23,35 @@
 from apollo import settings
 from apollo.api.common import BaseListResource
 from apollo.api.decorators import protect
-from apollo.core import csrf, red
+from apollo.core import csrf, limiter, red
 from apollo.deployments.models import Event
 from apollo.formsframework.api.schema import FormSchema
 from apollo.formsframework.models import Form
 from apollo.locations.models import Location
+from apollo.messaging.tasks import send_message
 from apollo.participants.api.schema import ParticipantSchema
 from apollo.participants.models import (
-    Participant, ParticipantFirstNameTranslations,
-    ParticipantFullNameTranslations, ParticipantLastNameTranslations,
-    ParticipantOtherNamesTranslations, ParticipantRole, ParticipantSet)
+    Participant,
+    ParticipantFirstNameTranslations,
+    ParticipantFullNameTranslations,
+    ParticipantLastNameTranslations,
+    ParticipantOtherNamesTranslations,
+    ParticipantRole,
+    ParticipantSet,
+)
 from apollo.submissions.models import Submission
 
+OTP_LENGTH = 6
+OTP_LIFETIME = 5 * 60
+
+if settings.PWA_TWO_FACTOR:
+    TOTP_INSTANCE = totp.TOTP.using(
+        issuer=settings.SECURITY_TOTP_ISSUER,
+        secrets=settings.SECURITY_TOTP_SECRETS
+    )
+else:
+    TOTP_INSTANCE = None
+
 
 @marshal_with(ParticipantSchema)
 @use_kwargs({'event_id': fields.Int()}, location='query')
@@ -158,6 +183,14 @@ def login():
 
         return response
 
+    session.set("uid", str(participant.uuid))
+    if getattr(settings, "PWA_TWO_FACTOR", False):
+        return _process_2fa_login(participant)
+    else:
+        return _process_login(participant)
+
+
+def _process_login(participant: Participant):
     access_token = create_access_token(
         identity=str(participant.uuid), fresh=True)
 
@@ -174,7 +207,7 @@ def login():
                 'other_names': participant.other_names,
                 'last_name': participant.last_name,
                 'full_name': participant.full_name,
-                'participant_id': participant_id,
+                'participant_id': participant.participant_id,
                 'location': participant.location.name,
                 'locale': participant.locale,
             },
@@ -194,6 +227,60 @@ def login():
     return resp
 
 
+def generate_otp(participant: Participant) -> str:
+    if not participant.totp_secret:
+        participant.totp_secret = TOTP_INSTANCE.new().to_json(encrypt=True)
+        participant.save()
+    result = TOTP_INSTANCE.from_source(participant.totp_secret).generate()
+    return result.token
+
+
+def _process_2fa_login(participant: Participant):
+    key = f"2fa:{participant.uuid}"
+    result = generate_otp(key)
+    if result:
+        response = jsonify({"status": "ok", "data": {"uid": str(participant.uuid), "twoFactor": True}})
+        message = gettext("Your Apollo verification code is: %(totp_code)s", totp_code=result)
+        send_message.delay(g.event.id, message, participant.primary_phone)
+        return response
+    else:
+        response = jsonify({"status": "error", "message": gettext("Please contact the administrator")})
+        return response
+
+
+@csrf.exempt
+def resend_otp():
+    uid = session.get("uid")
+    participant: Participant | None = Participant.query.where(Participant.uuid == uid).one_or_none()
+    if not participant:
+        response = jsonify({"status": "error", "message": "Not found"})
+        response.status_code = HTTPStatus.NOT_FOUND
+        return response
+
+    return _process_2fa_login(participant)
+
+
+@csrf.exempt
+def verify_otp():
+    request_data = request.json
+    uid = session.get("uid")
+    entered_otp = request_data.get("otp")
+    participant: Participant | None = Participant.query.where(Participant.uuid == uid).one_or_none()
+    if not participant or not participant.totp_secret:
+        response = jsonify({"status": "error", "message": "Not found"})
+        response.status_code = HTTPStatus.NOT_FOUND
+        return response
+
+    try:
+        TOTP_INSTANCE.verify(entered_otp, participant.totp_secret)
+    except Exception:
+        response = jsonify({"status": "error", "message": gettext("Verification failed.")})
+        response.status_code = HTTPStatus.FORBIDDEN
+        return response
+
+    return _process_login(participant)
+
+
 @csrf.exempt
 @jwt_required()
 def logout():
@@ -320,7 +407,7 @@ def get_participant_count(**kwargs):
         participants = participants.join(
             Location, Participant.location_id == Location.id
         ).filter(Location.location_type_id == level_id)
-    
+
     if role_id:
         participants = participants.join(
             ParticipantRole, Participant.role_id == ParticipantRole.id
diff --git a/apollo/participants/models.py b/apollo/participants/models.py
index 24f1683b2..063c099a6 100644
--- a/apollo/participants/models.py
+++ b/apollo/participants/models.py
@@ -205,6 +205,7 @@ class Participant(BaseModel):
     password = db.Column(db.String)
     extra_data = db.Column(JSONB)
     locale = db.Column(db.String)
+    totp_secret = db.Column(db.String, nullable=True)
 
     full_name = translation_hybrid(full_name_translations)
     first_name = translation_hybrid(first_name_translations)
diff --git a/apollo/participants/views_participants.py b/apollo/participants/views_participants.py
index 9fd2935c2..ca3154714 100644
--- a/apollo/participants/views_participants.py
+++ b/apollo/participants/views_participants.py
@@ -54,6 +54,8 @@
 
 bp.add_url_rule("/api/participants/login", view_func=api_views.login, methods=["POST"])
 bp.add_url_rule("/api/participants/logout", view_func=api_views.logout, methods=["DELETE"])
+bp.add_url_rule("/api/participants/resend", view_func=api_views.resend_otp, methods=["POST"])
+bp.add_url_rule("/api/participants/verify", view_func=api_views.verify_otp, methods=["POST"])
 bp.add_url_rule(
     "/api/participants/forms",
     view_func=api_views.get_forms,
diff --git a/apollo/pwa/static/js/client.js b/apollo/pwa/static/js/client.js
index 1224aa3c0..16bfc6507 100644
--- a/apollo/pwa/static/js/client.js
+++ b/apollo/pwa/static/js/client.js
@@ -24,6 +24,30 @@ class APIClient {
       }).then(this._getResult);
   };
 
+  verify = function (uid, otp) {
+    return fetch(this.endpoints.verify, {
+      body: JSON.stringify({
+        uid: uid,
+        otp: otp
+      }),
+      headers: {
+        'Content-Type': 'application/json',
+      },
+      method: 'POST'
+    }).then(this._getResult);
+  };
+
+  resend = function (uid) {
+    return fetch(this.endpoints.resend, {
+      body: JSON.stringify({
+        uid: uid
+      }),
+      headers: {
+        'Content-Type': 'application/json'
+      }
+    }).then(this._getResult);
+  }
+
   submit = function (formData, csrf_token) {
     return fetch(this.endpoints.submit, {
       body: formData,
diff --git a/apollo/pwa/static/js/serviceworker.js b/apollo/pwa/static/js/serviceworker.js
index cf33a03f9..dc24595d7 100644
--- a/apollo/pwa/static/js/serviceworker.js
+++ b/apollo/pwa/static/js/serviceworker.js
@@ -1,4 +1,4 @@
-const CACHE_NAME = 'apollo-cache-static-v11';
+const CACHE_NAME = 'apollo-cache-static-v12';
 
 const CACHED_URLS = [
   '/pwa/',
@@ -18,6 +18,7 @@ const CACHED_URLS = [
   '/pwa/static/vendor/dexie/dexie.min.js',
   '/pwa/static/vendor/fast-copy/fast-copy.min.js',
   '/pwa/static/vendor/image-blob-reduce/image-blob-reduce.min.js',
+  '/pwa/static/vendor/js-cookie/js.cookie.min.js',
   '/pwa/static/vendor/luxon/luxon.min.js',
   '/pwa/static/vendor/notiflix/notiflix-2.7.0.min.css',
   '/pwa/static/vendor/notiflix/notiflix-2.7.0.min.js',
diff --git a/apollo/pwa/static/vendor/js-cookie/js.cookie.min.js b/apollo/pwa/static/vendor/js-cookie/js.cookie.min.js
new file mode 100644
index 000000000..962d48d0e
--- /dev/null
+++ b/apollo/pwa/static/vendor/js-cookie/js.cookie.min.js
@@ -0,0 +1,2 @@
+/*! js-cookie v3.0.5 | MIT */
+!function(e,t){"object"==typeof exports&&"undefined"!=typeof module?module.exports=t():"function"==typeof define&&define.amd?define(t):(e="undefined"!=typeof globalThis?globalThis:e||self,function(){var n=e.Cookies,o=e.Cookies=t();o.noConflict=function(){return e.Cookies=n,o}}())}(this,(function(){"use strict";function e(e){for(var t=1;t<arguments.length;t++){var n=arguments[t];for(var o in n)e[o]=n[o]}return e}var t=function t(n,o){function r(t,r,i){if("undefined"!=typeof document){"number"==typeof(i=e({},o,i)).expires&&(i.expires=new Date(Date.now()+864e5*i.expires)),i.expires&&(i.expires=i.expires.toUTCString()),t=encodeURIComponent(t).replace(/%(2[346B]|5E|60|7C)/g,decodeURIComponent).replace(/[()]/g,escape);var c="";for(var u in i)i[u]&&(c+="; "+u,!0!==i[u]&&(c+="="+i[u].split(";")[0]));return document.cookie=t+"="+n.write(r,t)+c}}return Object.create({set:r,get:function(e){if("undefined"!=typeof document&&(!arguments.length||e)){for(var t=document.cookie?document.cookie.split("; "):[],o={},r=0;r<t.length;r++){var i=t[r].split("="),c=i.slice(1).join("=");try{var u=decodeURIComponent(i[0]);if(o[u]=n.read(c,u),e===u)break}catch(e){}}return e?o[e]:o}},remove:function(t,n){r(t,"",e({},n,{expires:-1}))},withAttributes:function(n){return t(this.converter,e({},this.attributes,n))},withConverter:function(n){return t(e({},this.converter,n),this.attributes)}},{attributes:{value:Object.freeze(o)},converter:{value:Object.freeze(n)}})}({read:function(e){return'"'===e[0]&&(e=e.slice(1,-1)),e.replace(/(%[\dA-F]{2})+/gi,decodeURIComponent)},write:function(e){return encodeURIComponent(e).replace(/%(2[346BF]|3[AC-F]|40|5[BDE]|60|7[BCD])/g,decodeURIComponent)}},{path:"/"});return t}));
diff --git a/apollo/pwa/static/vendor/tiny-cookie/tiny-cookie.min.js b/apollo/pwa/static/vendor/tiny-cookie/tiny-cookie.min.js
deleted file mode 100644
index 1573c2345..000000000
--- a/apollo/pwa/static/vendor/tiny-cookie/tiny-cookie.min.js
+++ /dev/null
@@ -1 +0,0 @@
-!function(e,t){"object"==typeof exports&&"undefined"!=typeof module?t(exports):"function"==typeof define&&define.amd?define(["exports"],t):t((e=e||self).Cookie={})}(this,function(e){"use strict";function n(){return(n=Object.assign||function(e){for(var t=1;t<arguments.length;t++){var o=arguments[t];for(var n in o)Object.prototype.hasOwnProperty.call(o,n)&&(e[n]=o[n])}return e}).apply(this,arguments)}function c(e,t){return Object.prototype.hasOwnProperty.call(e,t)}function u(e){var t=e.charAt(e.length-1),o=parseInt(e,10),n=new Date;switch(t){case"Y":n.setFullYear(n.getFullYear()+o);break;case"M":n.setMonth(n.getMonth()+o);break;case"D":n.setDate(n.getDate()+o);break;case"h":n.setHours(n.getHours()+o);break;case"m":n.setMinutes(n.getMinutes()+o);break;case"s":n.setSeconds(n.getSeconds()+o);break;default:n=new Date(e)}return n}function t(){var e="@key@",t=/(?:^|; )@key@=1(?:;|$)/;document.cookie=e+"=1;path=/";var o=t.test(document.cookie);return o&&a(e),o}function o(e,t){if(void 0===t&&(t=decodeURIComponent),"string"!=typeof e||!e)return null;var o=RegExp("(?:^|; )"+e.replace(/[.*+?^$|[\](){}\\-]/g,"\\$&")+"(?:=([^;]*))?(?:;|$)").exec(document.cookie);return null===o?null:"function"==typeof t?t(o[1]):o[1]}function r(e){void 0===e&&(e=decodeURIComponent);for(var t,o=/(?:^|; )([^=]+?)(?:=([^;]*))?(?:;|$)/g,n={};t=o.exec(document.cookie);)o.lastIndex=t.index+t.length-1,n[t[1]]="function"==typeof e?e(t[2]):t[2];return n}function i(e,t,o,n){void 0===o&&(o=encodeURIComponent),"object"==typeof o&&null!==o&&(n=o,o=encodeURIComponent);var r=function(e){var t="";for(var o in e)if(c(e,o))if(/^expires$/i.test(o)){var n=e[o];"object"!=typeof n&&(n=u(n+="number"==typeof n?"D":"")),t+=";"+o+"="+n.toUTCString()}else/^secure$/.test(o)?e[o]&&(t+=";"+o):t+=";"+o+"="+e[o];return c(e,"path")||(t+=";path=/"),t}(n||{}),i="function"==typeof o?o(t):t;document.cookie=e+"="+i+r}function a(e,t){var o={expires:-1};return t&&(o=n({},t,o)),i(e,"a",o)}function s(e){return o(e,null)}function f(e,t,o){return i(e,t,null,o)}e.isEnabled=t,e.isCookieEnabled=t,e.get=o,e.getCookie=o,e.getAll=r,e.getAllCookies=r,e.set=i,e.setCookie=i,e.getRaw=s,e.getRawCookie=s,e.setRaw=f,e.setRawCookie=f,e.remove=a,e.removeCookie=a,Object.defineProperty(e,"__esModule",{value:!0})});
diff --git a/apollo/pwa/templates/pwa/index.html b/apollo/pwa/templates/pwa/index.html
index 1c48f1e6a..35de0537a 100644
--- a/apollo/pwa/templates/pwa/index.html
+++ b/apollo/pwa/templates/pwa/index.html
@@ -34,7 +34,8 @@
       <div class="row h-75 align-items-center">
         <div class="col-sm-8 offset-sm-2 mt-6">
           <transition mode="out-in" enter-active-class="animate__animated animate__fadeIn" leave-active-class="animate__animated animate__fadeOut">
-            <login-form v-if="participant === null" @authenticated="authenticationSuccess" :navigator-online="navigatorOnline"></login-form>
+            <login-form v-if="participant === null && uid === null" @authenticated="authenticationSuccess" @prompt-verify="promptVerify" :navigator-online="navigatorOnline"></login-form>
+            <verify-form v-if="participant === null && uid !== null" :uid="uid" @authenticated="authenticationSuccess"></verify-form>
             <div v-else>
               <div class="mb-3">
                 <participant-info :global-status="globalStatus()" :participant="participant" :pending-submissions="pendingSubmissions" @logged-out="loggedOut" @toggle-location-access="locationAccessToggled" ></participant-info>
@@ -95,6 +96,33 @@ <h5 class="card-header">{{ _('Login') }}</h5>
       </div>
     </div>
   </template>
+  <template id="verify-form">
+    <div class="row">
+      <div class="col">
+        <div class="form">
+          <form>
+            <div class="card shadow-sm mt-3">
+              <h5 class="card-header">{{ _('Verify login') }}</h5>
+              <div class="card-body">
+                <div class="mb-3">
+                  <label for="otp" class="visually-hidden">{{ _('OTP') }}</label>
+                  <input type="number" class="form-control bg-light" id="otp" placeholder="{{ _('OTP') }}" v-model="otp">
+                </div>
+                <div class="mb-3">
+                  <div class="d-grid gap-2">
+                    <button class="btn btn-primary" @click.prevent="verifyOTP">{{ _('Verify') }}</button>
+                  </div>
+                </div>
+                <div class="mb-3">
+                  <button class="btn btn-secondary" @click.prevent="resendOTP">Resend code</button>
+                </div>
+              </div>
+            </div>
+          </form>
+        </div>
+      </div>
+    </div>
+  </template>
   <template id="participant-info">
     <div class="row">
       <div class="col">
@@ -297,9 +325,9 @@ <h6 class="card-header" :class="getCompletionClass(index)"><a class="text-white"
   <script src="{{ url_for('pwa.static', filename='vendor/dexie/dexie.min.js') }}"></script>
   <script src="{{ url_for('pwa.static', filename='vendor/fast-copy/fast-copy.min.js') }}"></script>
   <script src="{{ url_for('pwa.static', filename='vendor/image-blob-reduce/image-blob-reduce.min.js') }}"></script>
+  <script src="{{ url_for('pwa.static', filename='vendor/js-cookie/js.cookie.min.js') }}"></script>
   <script src="{{ url_for('pwa.static', filename='vendor/luxon/luxon.min.js') }}"></script>
   <script src="{{ url_for('pwa.static', filename='vendor/notiflix/notiflix-2.7.0.min.js') }}"></script>
-  <script src="{{ url_for('pwa.static', filename='vendor/tiny-cookie/tiny-cookie.min.js') }}"></script>
   <script src="{{ url_for('pwa.static', filename='vendor/tippy.js/tippy.umd.min.js') }}"></script>
   <script src="{{ url_for('pwa.static', filename='vendor/vue/vue.min.js') }}"></script>
   <script src="{{ url_for('pwa.static', filename='js/app.js') }}"></script>
@@ -415,6 +443,8 @@ <h6 class="card-header" :class="getCompletionClass(index)"><a class="text-white"
       logout: "{{ url_for('participants.logout') }}",
       qaStatus: "{{ url_for('submissions.checklist_qa_status', uuid='') }}",
       submit: "{{ url_for('submissions.submission') }}",
+      resend: "{{ url_for('participants.resend_otp') }}",
+      verify: "{{ url_for('participants.verify_otp') }}",
       versionCheck: "{{ url_for('pwa.version_check') }}",
     };
     const client = new APIClient(endpoints);
@@ -615,9 +645,13 @@ <h6 class="card-header" :class="getCompletionClass(index)"><a class="text-white"
               Notiflix.Loading.Remove();
               if (result.status === 200) {
                 result.result.then(data => {
-                  let participant = data.data.participant;
-                  participant.lastLogin = new Date();
-                  instance.$emit('authenticated', participant);
+                  if (data.data.twoFactor) {
+                    instance.$emit('prompt-verify', data.data.uid);
+                  } else {
+                    let participant = data.data.participant;
+                    participant.lastLogin = new Date();
+                    instance.$emit('authenticated', participant);
+                  }
                 });
               } else {
                 Notiflix.Report.Failure(
@@ -645,6 +679,50 @@ <h6 class="card-header" :class="getCompletionClass(index)"><a class="text-white"
       template: '#login-form'
     });
 
+    // verification form
+    Vue.component('verify-form', {
+      data() {
+        return {otp: ''};
+      },
+      delimiters: ['[[', ']]'],
+      methods: {
+        resendOTP() {
+          client.resend(this.uid).then(result => {
+            if (!result.ok) {
+              Notiflix.Report.Failure(
+                '{{ _("Error") }}',
+                '{{ _("Please contact the administrator") }}',
+                '{{ _("OK") }}'
+              );
+            }
+          });
+        },
+        verifyOTP() {
+          let instance = this;
+          if (instance.otp) {
+            client.verify(instance.uid, instance.otp)
+              .then(result => {
+                if (!result.ok) {
+                  Notiflix.Report.Failure(
+                    '{{ _("Error") }}',
+                    '{{ _("Please contact the administrator") }}',
+                    '{{ _("OK") }}'
+                  );
+                } else {
+                  result.result.then(data => {
+                    let participant = data.data.participant;
+                    participant.lastLogin = new Date();
+                    instance.$emit('authenticated', participant);
+                  });
+                }
+              })
+          }
+        }
+      },
+      props: ['uid'],
+      template: '#verify-form'
+    });
+
     // participant-info component
     Vue.component('participant-info', {
       computed: {
@@ -1081,7 +1159,8 @@ <h6 class="card-header" :class="getCompletionClass(index)"><a class="text-white"
         submissionSyncIntervalHandle: null,
         syncingSubmission: null,
         updateNotificationCleared: true,
-        syncRunning: false
+        syncRunning: false,
+        uid: null
       },
       el: '#app',
       methods: {
@@ -1143,12 +1222,16 @@ <h6 class="card-header" :class="getCompletionClass(index)"><a class="text-white"
             });
         },
         authenticationSuccess(participant) {
+          this.uid = null;
           this.participant = participant;
           this.participant.allowLocationAccess = this.allowLocationAccess;
           this.saveParticipantToDatabase(participant);
           this.refreshForms(false);
           this.loadSubmissionsFromDatabase();
         },
+        promptVerify(uid) {
+          this.uid = uid;
+        },
         formsLoaded(forms) {
           let formsWithParticipantIds = forms.map(form => Object.assign({}, form, {participant_id: this.participant.participant_id}));
           formsWithParticipantIds.sort(formSorter);
@@ -1239,7 +1322,7 @@ <h6 class="card-header" :class="getCompletionClass(index)"><a class="text-white"
           ));
         },
         loggedOut() {
-          client.logout(Cookie.get('csrf_access_token'));
+          client.logout(Cookies.get('csrf_access_token'));
           this.participant = null;
           this.currentForm = null;
           this.currentSubmission = null;
@@ -1346,7 +1429,7 @@ <h6 class="card-header" :class="getCompletionClass(index)"><a class="text-white"
           formData.append('submission', JSON.stringify(subCopy));
 
           try {
-            let result = await client.submit(formData, Cookie.get('csrf_access_token'));
+            let result = await client.submit(formData, Cookies.get('csrf_access_token'));
             let data = await result.result;
             if (result.status === 401) {
               Notiflix.Report.Warning(
diff --git a/apollo/settings.py b/apollo/settings.py
index fb90bdbbf..cbbdba63a 100644
--- a/apollo/settings.py
+++ b/apollo/settings.py
@@ -222,6 +222,12 @@
 PERMANENT_SESSION_LIFETIME = timedelta(hours=1)
 SECURITY_USER_IDENTITY_ATTRIBUTES = [{"username": {"mapper": uia_username_mapper, "case_insensitive": True}}]
 APOLLO_FIELD_COORDINATOR_EMAIL = config("APOLLO_FIELD_COORDINATOR_EMAIL", default="fc@example.com")
+SECURITY_TWO_FACTOR = config("SECURITY_TWO_FACTOR", cast=config.boolean, default=False)
+SECURITY_TOTP_ISSUER = config("SECURITY_TOTP_ISSUER")
+TOTP_VERSION_TAG = config("TOTP_VERSION_TAG", default=None)
+TOTP_SECRET = config("TOTP_SECRET", default=None)
+SECURITY_TOTP_SECRETS = {TOTP_VERSION_TAG: TOTP_SECRET}
+SECURITY_TWO_FACTOR_ENABLED_METHODS = config("SECURITY_TWO_FACTOR_ENABLED_METHODS", cast=config.list, default=["email", "sms"])
 
 AWS_ACCESS_KEY_ID = config("AWS_ACCESS_KEY_ID") if ATTACHMENTS_USE_S3 else None
 AWS_SECRET_ACCESS_KEY = config("AWS_SECRET_ACCESS_KEY") if ATTACHMENTS_USE_S3 else None
@@ -240,3 +246,9 @@
 JWT_ERROR_MESSAGE_KEY = "message"
 JWT_COOKIE_SECURE = SESSION_COOKIE_SECURE
 JWT_ACCESS_COOKIE_PATH = "/api"
+
+# PWA 2FA
+PWA_TWO_FACTOR = config("PWA_TWO_FACTOR", cast=config.boolean, default=SECURITY_TWO_FACTOR)
+
+# rate limiting settings
+RATELIMIT_STORAGE_URI = REDIS_URL
diff --git a/poetry.lock b/poetry.lock
index 714e7a1a4..057564de4 100644
--- a/poetry.lock
+++ b/poetry.lock
@@ -741,6 +741,23 @@ files = [
     {file = "defusedxml-0.7.1.tar.gz", hash = "sha256:1bb3032db185915b62d7c6209c5a8792be6a32ab2fedacc84e01b52c51aa3e69"},
 ]
 
+[[package]]
+name = "deprecated"
+version = "1.2.14"
+description = "Python @deprecated decorator to deprecate old python classes, functions or methods."
+optional = false
+python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*"
+files = [
+    {file = "Deprecated-1.2.14-py2.py3-none-any.whl", hash = "sha256:6fac8b097794a90302bdbb17b9b815e732d3c4720583ff1b198499d78470466c"},
+    {file = "Deprecated-1.2.14.tar.gz", hash = "sha256:e5323eb936458dccc2582dc6f9c322c852a775a27065ff2b0c4970b9d53d01b3"},
+]
+
+[package.dependencies]
+wrapt = ">=1.10,<2"
+
+[package.extras]
+dev = ["PyTest", "PyTest-Cov", "bump2version (<1)", "sphinx (<2)", "tox"]
+
 [[package]]
 name = "distlib"
 version = "0.3.8"
@@ -980,6 +997,29 @@ Werkzeug = ">=0.14"
 [package.extras]
 asymmetric-crypto = ["cryptography (>=3.3.1)"]
 
+[[package]]
+name = "flask-limiter"
+version = "3.8.0"
+description = "Rate limiting for flask applications"
+optional = false
+python-versions = ">=3.8"
+files = [
+    {file = "Flask_Limiter-3.8.0-py3-none-any.whl", hash = "sha256:0ab44f586d8cc349412791711b6cbafe8f86e7b60ad9e8f24f2686009f00900e"},
+    {file = "flask_limiter-3.8.0.tar.gz", hash = "sha256:686f8b4a75404e47b91565a795c70d29f69c145f6907f1f32522e962b134dada"},
+]
+
+[package.dependencies]
+Flask = ">=2"
+limits = ">=3.13"
+ordered-set = ">4,<5"
+rich = ">=12,<14"
+typing-extensions = ">=4"
+
+[package.extras]
+memcached = ["limits[memcached]"]
+mongodb = ["limits[mongodb]"]
+redis = ["limits[redis]"]
+
 [[package]]
 name = "flask-login"
 version = "0.6.3"
@@ -1625,6 +1665,35 @@ sqs = ["boto3 (>=1.26.143)", "pycurl (>=7.43.0.5)", "urllib3 (>=1.26.16)"]
 yaml = ["PyYAML (>=3.10)"]
 zookeeper = ["kazoo (>=2.8.0)"]
 
+[[package]]
+name = "limits"
+version = "3.13.0"
+description = "Rate limiting utilities"
+optional = false
+python-versions = ">=3.8"
+files = [
+    {file = "limits-3.13.0-py3-none-any.whl", hash = "sha256:9767f7233da4255e9904b79908a728e8ec0984c0b086058b4cbbd309aea553f6"},
+    {file = "limits-3.13.0.tar.gz", hash = "sha256:6571b0c567bfa175a35fed9f8a954c0c92f1c3200804282f1b8f1de4ad98a953"},
+]
+
+[package.dependencies]
+deprecated = ">=1.2"
+importlib-resources = ">=1.3"
+packaging = ">=21,<25"
+typing-extensions = "*"
+
+[package.extras]
+all = ["aetcd", "coredis (>=3.4.0,<5)", "emcache (>=0.6.1)", "emcache (>=1)", "etcd3", "motor (>=3,<4)", "pymemcache (>3,<5.0.0)", "pymongo (>4.1,<5)", "redis (>3,!=4.5.2,!=4.5.3,<6.0.0)", "redis (>=4.2.0,!=4.5.2,!=4.5.3)"]
+async-etcd = ["aetcd"]
+async-memcached = ["emcache (>=0.6.1)", "emcache (>=1)"]
+async-mongodb = ["motor (>=3,<4)"]
+async-redis = ["coredis (>=3.4.0,<5)"]
+etcd = ["etcd3"]
+memcached = ["pymemcache (>3,<5.0.0)"]
+mongodb = ["pymongo (>4.1,<5)"]
+redis = ["redis (>3,!=4.5.2,!=4.5.3,<6.0.0)"]
+rediscluster = ["redis (>=4.2.0,!=4.5.2,!=4.5.3)"]
+
 [[package]]
 name = "loginpass"
 version = "0.5"
@@ -1831,6 +1900,30 @@ babel = ["Babel"]
 lingua = ["lingua"]
 testing = ["pytest"]
 
+[[package]]
+name = "markdown-it-py"
+version = "3.0.0"
+description = "Python port of markdown-it. Markdown parsing, done right!"
+optional = false
+python-versions = ">=3.8"
+files = [
+    {file = "markdown-it-py-3.0.0.tar.gz", hash = "sha256:e3f60a94fa066dc52ec76661e37c851cb232d92f9886b15cb560aaada2df8feb"},
+    {file = "markdown_it_py-3.0.0-py3-none-any.whl", hash = "sha256:355216845c60bd96232cd8d8c40e8f9765cc86f46880e43a8fd22dc1a1a8cab1"},
+]
+
+[package.dependencies]
+mdurl = ">=0.1,<1.0"
+
+[package.extras]
+benchmarking = ["psutil", "pytest", "pytest-benchmark"]
+code-style = ["pre-commit (>=3.0,<4.0)"]
+compare = ["commonmark (>=0.9,<1.0)", "markdown (>=3.4,<4.0)", "mistletoe (>=1.0,<2.0)", "mistune (>=2.0,<3.0)", "panflute (>=2.3,<3.0)"]
+linkify = ["linkify-it-py (>=1,<3)"]
+plugins = ["mdit-py-plugins"]
+profiling = ["gprof2dot"]
+rtd = ["jupyter_sphinx", "mdit-py-plugins", "myst-parser", "pyyaml", "sphinx", "sphinx-copybutton", "sphinx-design", "sphinx_book_theme"]
+testing = ["coverage", "pytest", "pytest-cov", "pytest-regressions"]
+
 [[package]]
 name = "markupsafe"
 version = "2.1.5"
@@ -1940,6 +2033,17 @@ docs = ["alabaster (==0.7.12)", "sphinx (==4.3.1)", "sphinx-issues (==1.2.0)"]
 lint = ["flake8 (==4.0.1)", "flake8-bugbear (==21.11.29)", "pre-commit (>=2.0,<3.0)"]
 tests = ["pytest", "pytest-lazy-fixture (>=0.6.2)"]
 
+[[package]]
+name = "mdurl"
+version = "0.1.2"
+description = "Markdown URL utilities"
+optional = false
+python-versions = ">=3.7"
+files = [
+    {file = "mdurl-0.1.2-py3-none-any.whl", hash = "sha256:84008a41e51615a49fc9966191ff91509e3c40b939176e643fd50a5c2196b8f8"},
+    {file = "mdurl-0.1.2.tar.gz", hash = "sha256:bb413d29f5eea38f31dd4754dd7377d4465116fb207585f97bf925588687c1ba"},
+]
+
 [[package]]
 name = "mimesis"
 version = "18.0.0"
@@ -2104,6 +2208,20 @@ files = [
 [package.dependencies]
 et-xmlfile = "*"
 
+[[package]]
+name = "ordered-set"
+version = "4.1.0"
+description = "An OrderedSet is a custom MutableSet that remembers its order, so that every"
+optional = false
+python-versions = ">=3.7"
+files = [
+    {file = "ordered-set-4.1.0.tar.gz", hash = "sha256:694a8e44c87657c59292ede72891eb91d34131f6531463aab3009191c77364a8"},
+    {file = "ordered_set-4.1.0-py3-none-any.whl", hash = "sha256:046e1132c71fcf3330438a539928932caf51ddbc582496833e23de611de14562"},
+]
+
+[package.extras]
+dev = ["black", "mypy", "pytest"]
+
 [[package]]
 name = "outcome"
 version = "1.3.0.post0"
@@ -2253,6 +2371,17 @@ bcrypt = ["bcrypt (>=3.1.0)"]
 build-docs = ["cloud-sptheme (>=1.10.1)", "sphinx (>=1.6)", "sphinxcontrib-fulltoc (>=1.2.0)"]
 totp = ["cryptography"]
 
+[[package]]
+name = "phonenumberslite"
+version = "8.13.48"
+description = "Python version of Google's common library for parsing, formatting, storing and validating international phone numbers."
+optional = false
+python-versions = "*"
+files = [
+    {file = "phonenumberslite-8.13.48-py2.py3-none-any.whl", hash = "sha256:db060fd07421306f8fbc4332ca16b8785df0fa70371d3ed632519546c1a11274"},
+    {file = "phonenumberslite-8.13.48.tar.gz", hash = "sha256:9548bc4c3a7c4d67f7945ba0286e9a37c3ee4ea5531f7ea2518d1cbdc857f50f"},
+]
+
 [[package]]
 name = "pillow"
 version = "10.4.0"
@@ -2570,6 +2699,20 @@ files = [
     {file = "pycparser-2.22.tar.gz", hash = "sha256:491c8be9c040f5390f5bf44a5b07752bd07f56edf992381b05c701439eec10f6"},
 ]
 
+[[package]]
+name = "pygments"
+version = "2.18.0"
+description = "Pygments is a syntax highlighting package written in Python."
+optional = false
+python-versions = ">=3.8"
+files = [
+    {file = "pygments-2.18.0-py3-none-any.whl", hash = "sha256:b8e6aca0523f3ab76fee51799c488e38782ac06eafcf95e7ba832985c8e7b13a"},
+    {file = "pygments-2.18.0.tar.gz", hash = "sha256:786ff802f32e91311bff3889f6e9a86e81505fe99f2735bb6d60ae0c5004f199"},
+]
+
+[package.extras]
+windows-terminal = ["colorama (>=0.4.6)"]
+
 [[package]]
 name = "pyjwt"
 version = "2.9.0"
@@ -2942,6 +3085,24 @@ urllib3 = ">=1.21.1,<3"
 socks = ["PySocks (>=1.5.6,!=1.5.7)"]
 use-chardet-on-py3 = ["chardet (>=3.0.2,<6)"]
 
+[[package]]
+name = "rich"
+version = "13.9.3"
+description = "Render rich text, tables, progress bars, syntax highlighting, markdown and more to the terminal"
+optional = false
+python-versions = ">=3.8.0"
+files = [
+    {file = "rich-13.9.3-py3-none-any.whl", hash = "sha256:9836f5096eb2172c9e77df411c1b009bace4193d6a481d534fea75ebba758283"},
+    {file = "rich-13.9.3.tar.gz", hash = "sha256:bc1e01b899537598cf02579d2b9f4a415104d3fc439313a7a2c165d76557a08e"},
+]
+
+[package.dependencies]
+markdown-it-py = ">=2.2.0"
+pygments = ">=2.13.0,<3.0.0"
+
+[package.extras]
+jupyter = ["ipywidgets (>=7.5.1,<9)"]
+
 [[package]]
 name = "ruff"
 version = "0.6.8"
@@ -3836,4 +3997,4 @@ testing = ["coverage (>=5.0.3)", "zope.event", "zope.testing"]
 [metadata]
 lock-version = "2.0"
 python-versions = "~3.11.10"
-content-hash = "a72c902bb55faa4d7f282c55a515e4ce7611a06eb3630006ca1fb45df2536d90"
+content-hash = "7f89a9be09f3aedea182d3971d47eb4ce1b39925654cd88220cfa8aa7adf0b1b"
diff --git a/pyproject.toml b/pyproject.toml
index 2bc3b5488..8e8e31d34 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -81,6 +81,8 @@ sentry-sdk = {extras = ["celery", "flask"], version = "^2.14.0"}
 bleach = "^6.1.0"
 prometheus-flask-exporter = "^0.23.1"
 loguru = "^0.7.2"
+phonenumberslite = "^8.13.48"
+flask-limiter = "^3.8.0"
 
 [tool.poetry.group.dev.dependencies]
 Flask-DebugToolbar = "^0.16.0"