Add TOTP-based Multi-Factor Authentication (MFA) for local users

Global MFA toggle in Security settings, QR code setup on first login, 6-digit TOTP verification on subsequent logins. Azure AD users exempt. Admins can reset user MFA. TOTP secrets encrypted at rest with Fernet. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-08 23:14:06 +01:00
parent 647630ff19
commit 3d28f13054
13 changed files with 615 additions and 62 deletions
--- a/static/lang/en.json
+++ b/static/lang/en.json
@@ -225,6 +225,29 @@
    "cancel": "Cancel",
    "createUser": "Create User"
  },
+  "mfa": {
+    "title": "Multi-Factor Authentication (MFA)",
+    "enableMfa": "Enable MFA for all local users",
+    "mfaDescription": "When enabled, local users must verify with a TOTP authenticator app after entering their password. Azure AD users are not affected.",
+    "saveMfaSettings": "Save MFA Settings",
+    "yourTotpStatus": "Your TOTP Status",
+    "totpActive": "Active",
+    "totpNotSetUp": "Not set up",
+    "disableMyTotp": "Disable my TOTP",
+    "enterCode": "Enter your 6-digit authenticator code",
+    "verify": "Verify",
+    "backToLogin": "Back to login",
+    "scanQrCode": "Scan this QR code with your authenticator app",
+    "orEnterManually": "Or enter this key manually:",
+    "verifyAndActivate": "Verify & Activate",
+    "resetMfa": "Reset MFA",
+    "confirmResetMfa": "Reset MFA for '{username}'? They will need to set up their authenticator again on next login.",
+    "mfaResetSuccess": "MFA reset for '{username}'.",
+    "mfaDisabled": "Your TOTP has been disabled.",
+    "mfaSaved": "MFA settings saved.",
+    "invalidCode": "Invalid code. Please try again.",
+    "codeExpired": "Verification expired. Please log in again."
+  },
  "common": {
    "loading": "Loading...",
    "back": "Back",