diff --git a/api/app/Http/Resources/Admin/AdminUserResource.php b/api/app/Http/Resources/Admin/AdminUserResource.php
index 8010c970..a2e258c1 100644
--- a/api/app/Http/Resources/Admin/AdminUserResource.php
+++ b/api/app/Http/Resources/Admin/AdminUserResource.php
@@ -24,6 +24,7 @@ final class AdminUserResource extends JsonResource
             'created_at' => $this->created_at->toIso8601String(),
             'roles' => $this->getRoleNames()->values()->all(),
             'is_super_admin' => $this->hasRole('super_admin'),
+            'mfa_enabled' => (bool) $this->mfa_enabled,
             'organisations' => $this->whenLoaded('organisations', fn () =>
                 $this->organisations->map(fn ($org) => [
                     'id' => $org->id,
diff --git a/apps/app/auto-imports.d.ts b/apps/app/auto-imports.d.ts
index 8adf5b53..d1511d10 100644
--- a/apps/app/auto-imports.d.ts
+++ b/apps/app/auto-imports.d.ts
@@ -52,9 +52,11 @@ declare global {
   const extendRef: typeof import('@vueuse/core')['extendRef']
   const formatDate: typeof import('./src/@core/utils/formatters')['formatDate']
   const formatDateToMonthShort: typeof import('./src/@core/utils/formatters')['formatDateToMonthShort']
+  const generateDeviceFingerprint: typeof import('./src/utils/deviceFingerprint')['generateDeviceFingerprint']
   const getActivePinia: typeof import('pinia')['getActivePinia']
   const getCurrentInstance: typeof import('vue')['getCurrentInstance']
   const getCurrentScope: typeof import('vue')['getCurrentScope']
+  const getDeviceName: typeof import('./src/utils/deviceFingerprint')['getDeviceName']
   const h: typeof import('vue')['h']
   const hexToRgb: typeof import('./src/@core/utils/colorConverter')['hexToRgb']
   const ignorableWatch: typeof import('@vueuse/core')['ignorableWatch']
@@ -421,9 +423,11 @@ declare module 'vue' {
     readonly extendRef: UnwrapRef<typeof import('@vueuse/core')['extendRef']>
     readonly formatDate: UnwrapRef<typeof import('./src/@core/utils/formatters')['formatDate']>
     readonly formatDateToMonthShort: UnwrapRef<typeof import('./src/@core/utils/formatters')['formatDateToMonthShort']>
+    readonly generateDeviceFingerprint: UnwrapRef<typeof import('./src/utils/deviceFingerprint')['generateDeviceFingerprint']>
     readonly getActivePinia: UnwrapRef<typeof import('pinia')['getActivePinia']>
     readonly getCurrentInstance: UnwrapRef<typeof import('vue')['getCurrentInstance']>
     readonly getCurrentScope: UnwrapRef<typeof import('vue')['getCurrentScope']>
+    readonly getDeviceName: UnwrapRef<typeof import('./src/utils/deviceFingerprint')['getDeviceName']>
     readonly h: UnwrapRef<typeof import('vue')['h']>
     readonly hexToRgb: UnwrapRef<typeof import('./src/@core/utils/colorConverter')['hexToRgb']>
     readonly ignorableWatch: UnwrapRef<typeof import('@vueuse/core')['ignorableWatch']>
diff --git a/apps/app/components.d.ts b/apps/app/components.d.ts
index 02a2e69c..a9583049 100644
--- a/apps/app/components.d.ts
+++ b/apps/app/components.d.ts
@@ -70,6 +70,10 @@ declare module 'vue' {
     ImportFromEventDialog: typeof import('./src/components/event/ImportFromEventDialog.vue')['default']
     InfoTooltip: typeof import('./src/components/common/InfoTooltip.vue')['default']
     InviteMemberDialog: typeof import('./src/components/members/InviteMemberDialog.vue')['default']
+    MfaChallengeCard: typeof import('./src/components/auth/MfaChallengeCard.vue')['default']
+    MfaDisableDialog: typeof import('./src/components/settings/MfaDisableDialog.vue')['default']
+    MfaEmailSetupDialog: typeof import('./src/components/settings/MfaEmailSetupDialog.vue')['default']
+    MfaTotpSetupDialog: typeof import('./src/components/settings/MfaTotpSetupDialog.vue')['default']
     MoreBtn: typeof import('./src/@core/components/MoreBtn.vue')['default']
     Notifications: typeof import('./src/@core/components/Notifications.vue')['default']
     OrganisationSwitcher: typeof import('./src/components/layout/OrganisationSwitcher.vue')['default']
diff --git a/apps/app/package.json b/apps/app/package.json
index f0b695b9..9fcae881 100644
--- a/apps/app/package.json
+++ b/apps/app/package.json
@@ -40,6 +40,7 @@
     "ofetch": "1.5.0",
     "pinia": "3.0.3",
     "prismjs": "1.30.0",
+    "qrcode": "^1.5.4",
     "roboto-fontface": "0.10.0",
     "shepherd.js": "13.0.3",
     "ufo": "1.6.1",
@@ -84,6 +85,7 @@
     "@tiptap/extension-underline": "^2.27.1",
     "@types/mapbox-gl": "3.4.1",
     "@types/node": "24.9.2",
+    "@types/qrcode": "^1.5.6",
     "@types/webfontloader": "1.6.38",
     "@typescript-eslint/eslint-plugin": "7.18.0",
     "@typescript-eslint/parser": "7.18.0",
diff --git a/apps/app/pnpm-lock.yaml b/apps/app/pnpm-lock.yaml
index 68cc6394..8eae7e09 100644
--- a/apps/app/pnpm-lock.yaml
+++ b/apps/app/pnpm-lock.yaml
@@ -90,6 +90,9 @@ importers:
       prismjs:
         specifier: 1.30.0
         version: 1.30.0
+      qrcode:
+        specifier: ^1.5.4
+        version: 1.5.4
       roboto-fontface:
         specifier: 0.10.0
         version: 0.10.0
@@ -217,6 +220,9 @@ importers:
       '@types/node':
         specifier: 24.9.2
         version: 24.9.2
+      '@types/qrcode':
+        specifier: ^1.5.6
+        version: 1.5.6
       '@types/webfontloader':
         specifier: 1.6.38
         version: 1.6.38
@@ -1435,6 +1441,9 @@ packages:
   '@types/pbf@3.0.5':
     resolution: {integrity: sha512-j3pOPiEcWZ34R6a6mN07mUkM4o4Lwf6hPNt8eilOeZhTFbxFXmKhvXl9Y28jotFPaI1bpPDJsbCprUoNke6OrA==}
 
+  '@types/qrcode@1.5.6':
+    resolution: {integrity: sha512-te7NQcV2BOvdj2b1hCAHzAoMNuj65kNBMz0KBaxM6c3VGBOhU0dURQKOtH8CFNI/dsKkwlv32p26qYQTWoB5bw==}
+
   '@types/semver@7.7.1':
     resolution: {integrity: sha512-FmgJfu+MOcQ370SD0ev7EI8TlCAfKYU+B4m5T3yXc1CiRN94g/SZPtsCkk506aUDtlMnFZvasDwHHUcZUEaYuA==}
 
@@ -2059,6 +2068,10 @@ packages:
     resolution: {integrity: sha512-P8BjAsXvZS+VIDUI11hHCQEv74YT67YUi5JJFNWIqL235sBmjX4+qx9Muvls5ivyNENctx46xQLQ3aTuE7ssaQ==}
     engines: {node: '>=6'}
 
+  camelcase@5.3.1:
+    resolution: {integrity: sha512-L28STB170nwWS63UjtlEOE3dldQApaJXZkOI1uMFfzf3rRuPegHaHesyee+YxQ+W6SvRDQV6UrdOdRiR153wJg==}
+    engines: {node: '>=6'}
+
   caniuse-lite@1.0.30001752:
     resolution: {integrity: sha512-vKUk7beoukxE47P5gcVNKkDRzXdVofotshHwfR9vmpeFKxmI5PBpgOMC18LUJUA/DvJ70Y7RveasIBraqsyO/g==}
 
@@ -2126,6 +2139,9 @@ packages:
     resolution: {integrity: sha512-ouuZd4/dm2Sw5Gmqy6bGyNNNe1qt9RpmxveLSO7KcgsTnU7RXfsw+/bukWGo1abgBiMAic068rclZsO4IWmmxQ==}
     engines: {node: '>= 12'}
 
+  cliui@6.0.0:
+    resolution: {integrity: sha512-t6wbgtoCXvAzst7QgXxJYqPt0usEfbgQdftEPbLL/cvv6HPE5VgvqCuAIDR0NgU52ds6rFwqrgakNLrHEjCbrQ==}
+
   cliui@8.0.1:
     resolution: {integrity: sha512-BSeNnyus75C4//NQ9gQt1/csTXyo/8Sb+afLAkzAptFuMsod9HFokGNudZpi/oQV73hnVK+sR+5PVRMd+Dr7YQ==}
     engines: {node: '>=12'}
@@ -2267,6 +2283,10 @@ packages:
       supports-color:
         optional: true
 
+  decamelize@1.2.0:
+    resolution: {integrity: sha512-z2S+W9X73hAUUki+N+9Za2lBlun89zigOyGrsax+KUQ6wKW4ZoWpEYBkGhQjwAjjDCkWxhY0VKEhk8wzY7F5cA==}
+    engines: {node: '>=0.10.0'}
+
   deep-is@0.1.4:
     resolution: {integrity: sha512-oIPzksmTg4/MriiaYGO+okXDT7ztn/w3Eptv/+gSIdMdKsJo0u4CfYNFJPy+4SKMuCqGw2wxnA+URMg3t8a/bQ==}
 
@@ -2316,6 +2336,9 @@ packages:
     resolution: {integrity: sha512-k1gCAXAsNgLwEL+Y8Wvl+M6oEFj5bgazfZULpS5CneoPPXRaCCW7dm+q21Ky2VEE5X+VeRDBVg1Pcvvsr4TtNQ==}
     engines: {node: ^10.13.0 || ^12.13.0 || ^14.15.0 || >=15.0.0}
 
+  dijkstrajs@1.0.3:
+    resolution: {integrity: sha512-qiSlmBq9+BCdCA/L46dw8Uy93mloxsPSbwnm5yrKn2vMPiy8KyAskTF6zuV/j5BMsmOGZDPs7KjU+mjb670kfA==}
+
   dir-glob@3.0.1:
     resolution: {integrity: sha512-WkrWp9GR4KXfKGYzOLmTuGVi1UWFfws377n9cc55/tb6DuqyF6pcQ5AbiHEshaDpY9v6oaSr2XCDidGmMwdzIA==}
     engines: {node: '>=8'}
@@ -3720,6 +3743,10 @@ packages:
     resolution: {integrity: sha512-Nc3IT5yHzflTfbjgqWcCPpo7DaKy4FnpB0l/zCAW0Tc7jxAiuqSxHasntB3D7887LSrA93kDJ9IXovxJYxyLCA==}
     engines: {node: '>=4'}
 
+  pngjs@5.0.0:
+    resolution: {integrity: sha512-40QW5YalBNfQo5yRYmiw7Yz6TKKVr3h6970B2YE+3fQpsWcrbj1PzJgxeJ19DRQjhMbKPIuMY8rFaXc8moolVw==}
+    engines: {node: '>=10.13.0'}
+
   possible-typed-array-names@1.1.0:
     resolution: {integrity: sha512-/+5VFTchJDoVj3bhoqi6UeymcD00DAwb1nJwamzPvHEszJ4FpF6SNNbUbOS8yI56qHzdV8eK0qEfOSiodkTdxg==}
     engines: {node: '>= 0.4'}
@@ -3872,6 +3899,11 @@ packages:
     resolution: {integrity: sha512-vYt7UD1U9Wg6138shLtLOvdAu+8DsC/ilFtEVHcH+wydcSpNE20AfSOduf6MkRFahL5FY7X1oU7nKVZFtfq8Fg==}
     engines: {node: '>=6'}
 
+  qrcode@1.5.4:
+    resolution: {integrity: sha512-1ca71Zgiu6ORjHqFBDpnSMTR2ReToX4l1Au1VFLyVeBTFavzQnv5JxMFr3ukHVKpSrSA2MCk0lNJSykjUfz7Zg==}
+    engines: {node: '>=10.13.0'}
+    hasBin: true
+
   quansync@0.2.11:
     resolution: {integrity: sha512-AifT7QEbW9Nri4tAwR5M/uzpBuqfZf+zwaEM/QkzEjj7NBuFD2rBuy0K3dE+8wltbezDV7JMA0WfnCPYRSYbXA==}
 
@@ -3940,6 +3972,9 @@ packages:
     resolution: {integrity: sha512-Xf0nWe6RseziFMu+Ap9biiUbmplq6S9/p+7w7YXP/JBHhrUDDUhwa+vANyubuqfZWTveU//DYVGsDG7RKL/vEw==}
     engines: {node: '>=0.10.0'}
 
+  require-main-filename@2.0.0:
+    resolution: {integrity: sha512-NKN5kMDylKuldxYLSUfrbo5Tuzh4hd+2E8NPPX02mZtn1VuREQToYe/ZdlJy+J3uCpfaiGF05e7B8W0iXbQHmg==}
+
   requires-port@1.0.0:
     resolution: {integrity: sha512-KigOCHcocU3XODJxsu8i/j8T9tzT4adHiecwORRQ0ZZFcp7ahwXuRU1m+yuO90C5ZUyGeGfocHDI14M3L3yDAQ==}
 
@@ -4054,6 +4089,9 @@ packages:
     resolution: {integrity: sha512-owllqNuDDEimQat7EPG0tH7JjO090xKNzUtYz6X+Sk2BXDnOCilDdNLwjWeFywG9xkJul1ULvtUQa9O4pUaY0w==}
     engines: {node: '>=4.0.0'}
 
+  set-blocking@2.0.0:
+    resolution: {integrity: sha512-KiKBS8AnWGEyLzofFfmvKwpdPzqiy16LvQfK3yv/fVH7Bj13/wl3JSR1J+rfgRE9q7xUJK4qvgS8raSOeLUehw==}
+
   set-function-length@1.2.2:
     resolution: {integrity: sha512-pgRc4hJ4/sNjWCSS9AmnS40x3bNMDTknHgL5UaMBTMyJnU90EgWh1Rz+MC9eFu4BuN/UwZjKQuY/1v3rM7HMfg==}
     engines: {node: '>= 0.4'}
@@ -4816,6 +4854,9 @@ packages:
     resolution: {integrity: sha512-K4jVyjnBdgvc86Y6BkaLZEN933SwYOuBFkdmBu9ZfkcAbdVbpITnDmjvZ/aQjRXQrv5EPkTnD1s39GiiqbngCw==}
     engines: {node: '>= 0.4'}
 
+  which-module@2.0.1:
+    resolution: {integrity: sha512-iBdZ57RDvnOR9AGBhML2vFZf7h8vmBjhoaZqODJBFWHVtKkDmKuHai3cx5PgVMrX5YDNp27AofYbAwctSS+vhQ==}
+
   which-typed-array@1.1.19:
     resolution: {integrity: sha512-rEvr90Bck4WZt9HHFC4DJMsjvu7x+r6bImz0/BrbWb7A2djJ8hnZMrWnHo9F8ssv0OMErasDhftrfROTyqSDrw==}
     engines: {node: '>= 0.4'}
@@ -4856,6 +4897,9 @@ packages:
     resolution: {integrity: sha512-ICP2e+jsHvAj2E2lIHxa5tjXRlKDJo4IdvPvCXbXQGdzSfmSpNVyIKMvoZHjDY9DP0zV17iI85o90vRFXNccRw==}
     engines: {node: '>=12'}
 
+  y18n@4.0.3:
+    resolution: {integrity: sha512-JKhqTOwSrqNA1NY5lSztJ1GrBiUodLMmIZuLiDaMRJ+itFd+ABVE8XBjOvIWL+rSqNDC74LCSFmlb/U4UZ4hJQ==}
+
   y18n@5.0.8:
     resolution: {integrity: sha512-0pfFzegeDWJHJIAmTLRP2DwHjdF5s7jo9tuztdQxAhINCdvS+3nGINqPd00AphqJR/0LhANUS6/+7SCb98YOfA==}
     engines: {node: '>=10'}
@@ -4875,10 +4919,18 @@ packages:
     engines: {node: '>= 14.6'}
     hasBin: true
 
+  yargs-parser@18.1.3:
+    resolution: {integrity: sha512-o50j0JeToy/4K6OZcaQmW6lyXXKhq7csREXcDwk2omFPJEwUNOVtJKvmDr9EI1fAJZUyZcRF7kxGBWmRXudrCQ==}
+    engines: {node: '>=6'}
+
   yargs-parser@21.1.1:
     resolution: {integrity: sha512-tVpsJW7DdjecAiFpbIB1e3qxIQsE6NoPc5/eTdrbbIC4h0LVsWhnoa3g+m2HclBIujHzsxZ4VJVA+GUuc2/LBw==}
     engines: {node: '>=12'}
 
+  yargs@15.4.1:
+    resolution: {integrity: sha512-aePbxDmcYW++PaqBsJ+HYUFwCdv4LVvdnhBy78E57PIor8/OVvhMrADFFEDh8DHDFRv/O9i3lPhsENjO7QX0+A==}
+    engines: {node: '>=8'}
+
   yargs@17.7.2:
     resolution: {integrity: sha512-7dSzzRQ++CKnNI/krKnYRV7JKKPUXMEh61soaHKg9mrWEhzFWhFnxPxGl+69cD1Ou63C13NUPCnmIcrvqCuM6w==}
     engines: {node: '>=12'}
@@ -6050,6 +6102,10 @@ snapshots:
 
   '@types/pbf@3.0.5': {}
 
+  '@types/qrcode@1.5.6':
+    dependencies:
+      '@types/node': 24.9.2
+
   '@types/semver@7.7.1': {}
 
   '@types/statuses@2.0.6': {}
@@ -6825,6 +6881,8 @@ snapshots:
 
   callsites@3.1.0: {}
 
+  camelcase@5.3.1: {}
+
   caniuse-lite@1.0.30001752: {}
 
   case-police@0.6.1: {}
@@ -6899,6 +6957,12 @@ snapshots:
 
   cli-width@4.1.0: {}
 
+  cliui@6.0.0:
+    dependencies:
+      string-width: 4.2.3
+      strip-ansi: 6.0.1
+      wrap-ansi: 6.2.0
+
   cliui@8.0.1:
     dependencies:
       string-width: 4.2.3
@@ -7025,6 +7089,8 @@ snapshots:
     dependencies:
       ms: 2.1.3
 
+  decamelize@1.2.0: {}
+
   deep-is@0.1.4: {}
 
   deepmerge-ts@5.1.0: {}
@@ -7064,6 +7130,8 @@ snapshots:
 
   diff-sequences@27.5.1: {}
 
+  dijkstrajs@1.0.3: {}
+
   dir-glob@3.0.1:
     dependencies:
       path-type: 4.0.0
@@ -8755,6 +8823,8 @@ snapshots:
 
   pluralize@8.0.0: {}
 
+  pngjs@5.0.0: {}
+
   possible-typed-array-names@1.1.0: {}
 
   postcss-html@1.8.0:
@@ -8936,6 +9006,12 @@ snapshots:
 
   punycode@2.3.1: {}
 
+  qrcode@1.5.4:
+    dependencies:
+      dijkstrajs: 1.0.3
+      pngjs: 5.0.0
+      yargs: 15.4.1
+
   quansync@0.2.11: {}
 
   querystringify@2.2.0: {}
@@ -9013,6 +9089,8 @@ snapshots:
 
   require-from-string@2.0.2: {}
 
+  require-main-filename@2.0.0: {}
+
   requires-port@1.0.0: {}
 
   resolve-from@4.0.0: {}
@@ -9140,6 +9218,8 @@ snapshots:
 
   serialize-to-js@3.1.2: {}
 
+  set-blocking@2.0.0: {}
+
   set-function-length@1.2.2:
     dependencies:
       define-data-property: 1.1.4
@@ -10073,6 +10153,8 @@ snapshots:
       is-weakmap: 2.0.2
       is-weakset: 2.0.4
 
+  which-module@2.0.1: {}
+
   which-typed-array@1.1.19:
     dependencies:
       available-typed-arrays: 1.0.7
@@ -10118,6 +10200,8 @@ snapshots:
 
   xml-name-validator@4.0.0: {}
 
+  y18n@4.0.3: {}
+
   y18n@5.0.8: {}
 
   yallist@3.1.1: {}
@@ -10131,8 +10215,27 @@ snapshots:
 
   yaml@2.8.1: {}
 
+  yargs-parser@18.1.3:
+    dependencies:
+      camelcase: 5.3.1
+      decamelize: 1.2.0
+
   yargs-parser@21.1.1: {}
 
+  yargs@15.4.1:
+    dependencies:
+      cliui: 6.0.0
+      decamelize: 1.2.0
+      find-up: 4.1.0
+      get-caller-file: 2.0.5
+      require-directory: 2.1.1
+      require-main-filename: 2.0.0
+      set-blocking: 2.0.0
+      string-width: 4.2.3
+      which-module: 2.0.1
+      y18n: 4.0.3
+      yargs-parser: 18.1.3
+
   yargs@17.7.2:
     dependencies:
       cliui: 8.0.1
diff --git a/apps/app/src/components/auth/MfaChallengeCard.vue b/apps/app/src/components/auth/MfaChallengeCard.vue
new file mode 100644
index 00000000..7345e59f
--- /dev/null
+++ b/apps/app/src/components/auth/MfaChallengeCard.vue
@@ -0,0 +1,283 @@
+<script setup lang="ts">
+import { useVerifyMfa, useSendMfaEmailCode } from '@/composables/api/useMfa'
+import { generateDeviceFingerprint, getDeviceName } from '@/utils/deviceFingerprint'
+import type { MfaMethod } from '@/types/mfa'
+
+const props = defineProps<{
+  mfaSessionToken: string
+  methods: MfaMethod[]
+  preferredMethod: string
+  expiresIn: number
+}>()
+
+const emit = defineEmits<{
+  verified: [data: unknown]
+  cancelled: []
+}>()
+
+const verifyMutation = useVerifyMfa()
+const sendEmailMutation = useSendMfaEmailCode()
+
+const selectedMethod = ref<string>(props.preferredMethod)
+const otpCode = ref('')
+const backupCode = ref('')
+const trustDevice = ref(false)
+const errorMessage = ref('')
+const timeLeft = ref(props.expiresIn)
+
+const isBackupMethod = computed(() => selectedMethod.value === 'backup_code')
+
+// Countdown timer
+const countdownInterval = setInterval(() => {
+  timeLeft.value--
+  if (timeLeft.value <= 0) {
+    clearInterval(countdownInterval)
+    errorMessage.value = 'MFA-sessie verlopen. Log opnieuw in.'
+  }
+}, 1000)
+
+onUnmounted(() => {
+  clearInterval(countdownInterval)
+})
+
+const formattedTimeLeft = computed(() => {
+  const minutes = Math.floor(timeLeft.value / 60)
+  const seconds = timeLeft.value % 60
+
+  return `${minutes}:${seconds.toString().padStart(2, '0')}`
+})
+
+const methodTabs = computed(() => {
+  const tabs: Array<{ value: string; title: string; icon: string }> = []
+
+  if (props.methods.includes('totp' as MfaMethod))
+    tabs.push({ value: 'totp', title: 'Authenticator', icon: 'tabler-device-mobile' })
+
+  if (props.methods.includes('email' as MfaMethod))
+    tabs.push({ value: 'email', title: 'E-mailcode', icon: 'tabler-mail' })
+
+  if (props.methods.includes('backup_code' as MfaMethod))
+    tabs.push({ value: 'backup_code', title: 'Backup code', icon: 'tabler-key' })
+
+  return tabs
+})
+
+function onMethodChange(method: string) {
+  errorMessage.value = ''
+  otpCode.value = ''
+  backupCode.value = ''
+
+  if (method === 'email')
+    handleSendEmailCode()
+}
+
+async function handleSendEmailCode() {
+  try {
+    await sendEmailMutation.mutateAsync(props.mfaSessionToken)
+  }
+  catch {
+    // Rate limited or other error — user can try resend link
+  }
+}
+
+function onOtpFinish(code: string) {
+  otpCode.value = code
+  handleVerify()
+}
+
+async function handleVerify() {
+  errorMessage.value = ''
+  const code = isBackupMethod.value ? backupCode.value : otpCode.value
+
+  if (!code) return
+
+  try {
+    const data = await verifyMutation.mutateAsync({
+      mfa_session_token: props.mfaSessionToken,
+      code,
+      method: selectedMethod.value as MfaMethod,
+      trust_device: trustDevice.value || undefined,
+      device_fingerprint: trustDevice.value ? generateDeviceFingerprint() : undefined,
+      device_name: trustDevice.value ? getDeviceName() : undefined,
+    })
+
+    emit('verified', data)
+  }
+  catch (err: unknown) {
+    const ax = err as { response?: { data?: { message?: string } } }
+
+    errorMessage.value = ax.response?.data?.message ?? 'Verificatie mislukt. Probeer het opnieuw.'
+    otpCode.value = ''
+    backupCode.value = ''
+  }
+}
+</script>
+
+<template>
+  <VCard
+    class="auth-card"
+    max-width="460"
+    :class="$vuetify.display.smAndUp ? 'pa-6' : 'pa-0'"
+  >
+    <VCardText>
+      <h4 class="text-h4 mb-1">
+        Tweestapsverificatie
+      </h4>
+      <p class="mb-0">
+        Voer je verificatiecode in om in te loggen
+      </p>
+      <VChip
+        v-if="timeLeft > 0"
+        size="small"
+        color="secondary"
+        variant="tonal"
+        class="mt-2"
+      >
+        <VIcon
+          start
+          icon="tabler-clock"
+          size="14"
+        />
+        {{ formattedTimeLeft }}
+      </VChip>
+    </VCardText>
+
+    <VCardText>
+      <!-- Method tabs -->
+      <VTabs
+        v-if="methodTabs.length > 1"
+        v-model="selectedMethod"
+        class="mb-4"
+        density="comfortable"
+        @update:model-value="(v: unknown) => onMethodChange(String(v))"
+      >
+        <VTab
+          v-for="tab in methodTabs"
+          :key="tab.value"
+          :value="tab.value"
+        >
+          <VIcon
+            :icon="tab.icon"
+            size="20"
+            class="me-1"
+          />
+          {{ tab.title }}
+        </VTab>
+      </VTabs>
+
+      <VAlert
+        v-if="errorMessage"
+        type="error"
+        variant="tonal"
+        class="mb-4"
+        density="comfortable"
+      >
+        {{ errorMessage }}
+      </VAlert>
+
+      <VForm @submit.prevent="handleVerify">
+        <VRow>
+          <!-- OTP input for TOTP and email methods -->
+          <VCol
+            v-if="!isBackupMethod"
+            cols="12"
+          >
+            <p class="text-body-2 mb-2">
+              {{
+                selectedMethod === 'totp'
+                  ? 'Voer de 6-cijferige code in uit je authenticator app'
+                  : 'Voer de 6-cijferige code in die naar je e-mailadres is gestuurd'
+              }}
+            </p>
+            <VOtpInput
+              v-model="otpCode"
+              :disabled="verifyMutation.isPending.value || timeLeft <= 0"
+              type="number"
+              class="pa-0"
+              @finish="onOtpFinish"
+            />
+          </VCol>
+
+          <!-- Backup code input -->
+          <VCol
+            v-else
+            cols="12"
+          >
+            <p class="text-body-2 mb-2">
+              Voer een van je backup codes in (formaat: XXXX-XXXX)
+            </p>
+            <AppTextField
+              v-model="backupCode"
+              placeholder="XXXX-XXXX"
+              autofocus
+              class="text-center"
+            />
+          </VCol>
+
+          <!-- Trust device -->
+          <VCol cols="12">
+            <VCheckbox
+              v-model="trustDevice"
+              label="Onthoud dit apparaat voor 30 dagen"
+              density="compact"
+            />
+          </VCol>
+
+          <!-- Verify button -->
+          <VCol cols="12">
+            <VBtn
+              block
+              type="submit"
+              :loading="verifyMutation.isPending.value"
+              :disabled="timeLeft <= 0"
+            >
+              Verifi&euml;ren
+            </VBtn>
+          </VCol>
+
+          <!-- Resend email code -->
+          <VCol
+            v-if="selectedMethod === 'email'"
+            cols="12"
+            class="text-center"
+          >
+            <div class="d-flex justify-center align-center flex-wrap">
+              <span class="me-1 text-body-2">Geen code ontvangen?</span>
+              <a
+                class="text-primary text-body-2"
+                href="#"
+                @click.prevent="handleSendEmailCode"
+              >
+                Opnieuw versturen
+              </a>
+            </div>
+          </VCol>
+
+          <!-- Back to login -->
+          <VCol cols="12">
+            <a
+              class="d-flex align-center justify-center text-body-2"
+              href="#"
+              @click.prevent="emit('cancelled')"
+            >
+              <VIcon
+                icon="tabler-chevron-left"
+                size="20"
+                class="me-1 flip-in-rtl"
+              />
+              <span>Terug naar inloggen</span>
+            </a>
+          </VCol>
+        </VRow>
+      </VForm>
+    </VCardText>
+  </VCard>
+</template>
+
+<style lang="scss">
+.v-otp-input {
+  .v-otp-input__content {
+    padding-inline: 0;
+  }
+}
+</style>
diff --git a/apps/app/src/components/settings/MfaDisableDialog.vue b/apps/app/src/components/settings/MfaDisableDialog.vue
new file mode 100644
index 00000000..4b3ab61b
--- /dev/null
+++ b/apps/app/src/components/settings/MfaDisableDialog.vue
@@ -0,0 +1,115 @@
+<script setup lang="ts">
+import { useDisableMfa } from '@/composables/api/useMfa'
+
+const props = defineProps<{
+  modelValue: boolean
+  currentMethod: 'totp' | 'email' | null
+}>()
+
+const emit = defineEmits<{
+  'update:modelValue': [value: boolean]
+  disabled: []
+}>()
+
+const disableMutation = useDisableMfa()
+
+const code = ref('')
+const method = ref<string>(props.currentMethod === 'totp' ? 'totp' : 'backup_code')
+const errorMessage = ref('')
+
+const isDialogOpen = computed({
+  get: () => props.modelValue,
+  set: (val: boolean) => emit('update:modelValue', val),
+})
+
+watch(isDialogOpen, (open) => {
+  if (open) {
+    code.value = ''
+    errorMessage.value = ''
+    method.value = props.currentMethod === 'totp' ? 'totp' : 'backup_code'
+  }
+})
+
+async function handleDisable() {
+  errorMessage.value = ''
+  try {
+    await disableMutation.mutateAsync({ code: code.value, method: method.value })
+    isDialogOpen.value = false
+    emit('disabled')
+  }
+  catch (err: unknown) {
+    const ax = err as { response?: { data?: { message?: string } } }
+
+    errorMessage.value = ax.response?.data?.message ?? 'Kon MFA niet uitschakelen. Probeer het opnieuw.'
+    code.value = ''
+  }
+}
+</script>
+
+<template>
+  <VDialog
+    v-model="isDialogOpen"
+    max-width="460"
+  >
+    <VCard>
+      <VCardTitle class="d-flex align-center pt-4">
+        <VIcon
+          icon="tabler-shield-off"
+          color="error"
+          class="me-2"
+        />
+        Tweestapsverificatie uitschakelen
+      </VCardTitle>
+
+      <VCardText>
+        <VAlert
+          type="warning"
+          variant="tonal"
+          class="mb-4"
+        >
+          Weet je zeker dat je tweestapsverificatie wilt uitschakelen? Je account wordt minder veilig.
+        </VAlert>
+
+        <VAlert
+          v-if="errorMessage"
+          type="error"
+          variant="tonal"
+          class="mb-4"
+          density="comfortable"
+        >
+          {{ errorMessage }}
+        </VAlert>
+
+        <VForm @submit.prevent="handleDisable">
+          <p class="text-body-2 mb-2">
+            Voer je {{ currentMethod === 'totp' ? 'authenticator code' : 'backup code' }} in ter bevestiging
+          </p>
+
+          <AppTextField
+            v-model="code"
+            :placeholder="currentMethod === 'totp' ? '123456' : 'XXXX-XXXX'"
+            autofocus
+          />
+        </VForm>
+      </VCardText>
+
+      <VCardActions>
+        <VSpacer />
+        <VBtn
+          variant="tonal"
+          @click="isDialogOpen = false"
+        >
+          Annuleren
+        </VBtn>
+        <VBtn
+          color="error"
+          :loading="disableMutation.isPending.value"
+          :disabled="!code"
+          @click="handleDisable"
+        >
+          Uitschakelen
+        </VBtn>
+      </VCardActions>
+    </VCard>
+  </VDialog>
+</template>
diff --git a/apps/app/src/components/settings/MfaEmailSetupDialog.vue b/apps/app/src/components/settings/MfaEmailSetupDialog.vue
new file mode 100644
index 00000000..c76c481a
--- /dev/null
+++ b/apps/app/src/components/settings/MfaEmailSetupDialog.vue
@@ -0,0 +1,276 @@
+<script setup lang="ts">
+import { useSetupEmail, useConfirmEmail } from '@/composables/api/useMfa'
+
+const props = defineProps<{
+  modelValue: boolean
+  userEmail: string
+}>()
+
+const emit = defineEmits<{
+  'update:modelValue': [value: boolean]
+  completed: []
+}>()
+
+const setupMutation = useSetupEmail()
+const confirmMutation = useConfirmEmail()
+
+const step = ref(1)
+const confirmCode = ref('')
+const backupCodes = ref<string[]>([])
+const errorMessage = ref('')
+const savedBackupCodes = ref(false)
+const codeSent = ref(false)
+
+const isDialogOpen = computed({
+  get: () => props.modelValue,
+  set: (val: boolean) => emit('update:modelValue', val),
+})
+
+watch(isDialogOpen, (open) => {
+  if (open) {
+    step.value = 1
+    errorMessage.value = ''
+    confirmCode.value = ''
+    backupCodes.value = []
+    savedBackupCodes.value = false
+    codeSent.value = false
+  }
+})
+
+async function handleSendCode() {
+  errorMessage.value = ''
+  try {
+    await setupMutation.mutateAsync()
+    codeSent.value = true
+    step.value = 2
+  }
+  catch (err: unknown) {
+    const ax = err as { response?: { data?: { message?: string } } }
+
+    errorMessage.value = ax.response?.data?.message ?? 'Kon geen code versturen. Probeer het opnieuw.'
+  }
+}
+
+async function handleConfirm() {
+  errorMessage.value = ''
+  try {
+    const data = await confirmMutation.mutateAsync(confirmCode.value)
+
+    backupCodes.value = data.backup_codes
+    step.value = 3
+  }
+  catch (err: unknown) {
+    const ax = err as { response?: { data?: { message?: string } } }
+
+    errorMessage.value = ax.response?.data?.message ?? 'Ongeldige code. Probeer het opnieuw.'
+    confirmCode.value = ''
+  }
+}
+
+function copyBackupCodes() {
+  const text = backupCodes.value.join('\n')
+
+  navigator.clipboard.writeText(text)
+}
+
+function downloadBackupCodes() {
+  const text = `Crewli MFA Backup Codes\n${'='.repeat(30)}\n\n${backupCodes.value.join('\n')}\n\nBewaar deze codes op een veilige plek.\nElke code kan slechts eenmaal worden gebruikt.`
+  const blob = new Blob([text], { type: 'text/plain' })
+  const url = URL.createObjectURL(blob)
+  const a = document.createElement('a')
+
+  a.href = url
+  a.download = 'crewli-backup-codes.txt'
+  a.click()
+  URL.revokeObjectURL(url)
+}
+
+function handleComplete() {
+  isDialogOpen.value = false
+  emit('completed')
+}
+</script>
+
+<template>
+  <VDialog
+    v-model="isDialogOpen"
+    max-width="520"
+    persistent
+  >
+    <VCard>
+      <VCardTitle class="d-flex align-center pt-4">
+        <VIcon
+          icon="tabler-mail-code"
+          class="me-2"
+        />
+        E-mailverificatie instellen
+      </VCardTitle>
+
+      <!-- Step 1: Send code -->
+      <template v-if="step === 1">
+        <VCardText>
+          <p class="text-body-1 mb-4">
+            We sturen een verificatiecode naar <strong>{{ userEmail }}</strong>
+          </p>
+
+          <VAlert
+            v-if="errorMessage"
+            type="error"
+            variant="tonal"
+            class="mb-4"
+          >
+            {{ errorMessage }}
+          </VAlert>
+        </VCardText>
+
+        <VCardActions>
+          <VSpacer />
+          <VBtn
+            variant="tonal"
+            @click="isDialogOpen = false"
+          >
+            Annuleren
+          </VBtn>
+          <VBtn
+            color="primary"
+            :loading="setupMutation.isPending.value"
+            @click="handleSendCode"
+          >
+            Code versturen
+          </VBtn>
+        </VCardActions>
+      </template>
+
+      <!-- Step 2: Verify code -->
+      <template v-if="step === 2">
+        <VCardText>
+          <VAlert
+            type="success"
+            variant="tonal"
+            class="mb-4"
+            density="comfortable"
+          >
+            Code verstuurd! Check je inbox.
+          </VAlert>
+
+          <VAlert
+            v-if="errorMessage"
+            type="error"
+            variant="tonal"
+            class="mb-4"
+            density="comfortable"
+          >
+            {{ errorMessage }}
+          </VAlert>
+
+          <p class="text-body-2 mb-2">
+            Voer de 6-cijferige code in
+          </p>
+
+          <VOtpInput
+            v-model="confirmCode"
+            type="number"
+            class="pa-0"
+            :disabled="confirmMutation.isPending.value"
+            @finish="handleConfirm"
+          />
+
+          <div class="text-center mt-4">
+            <a
+              class="text-primary text-body-2"
+              href="#"
+              @click.prevent="handleSendCode"
+            >
+              Code opnieuw versturen
+            </a>
+          </div>
+        </VCardText>
+
+        <VCardActions>
+          <VSpacer />
+          <VBtn
+            variant="tonal"
+            @click="step = 1"
+          >
+            Terug
+          </VBtn>
+          <VBtn
+            color="primary"
+            :loading="confirmMutation.isPending.value"
+            :disabled="confirmCode.length < 6"
+            @click="handleConfirm"
+          >
+            Verifi&euml;ren
+          </VBtn>
+        </VCardActions>
+      </template>
+
+      <!-- Step 3: Backup codes (same as TOTP) -->
+      <template v-if="step === 3">
+        <VCardText>
+          <VAlert
+            type="warning"
+            variant="tonal"
+            class="mb-4"
+          >
+            Bewaar deze codes op een veilige plek. Je kunt ze gebruiken als je geen toegang hebt tot je e-mail.
+          </VAlert>
+
+          <div class="d-flex flex-wrap gap-2 mb-4">
+            <VChip
+              v-for="code in backupCodes"
+              :key="code"
+              variant="tonal"
+              label
+              class="font-weight-bold text-body-1"
+              style="font-family: monospace;"
+            >
+              {{ code }}
+            </VChip>
+          </div>
+
+          <div class="d-flex gap-2 mb-4">
+            <VBtn
+              variant="tonal"
+              size="small"
+              prepend-icon="tabler-copy"
+              @click="copyBackupCodes"
+            >
+              Kopieer
+            </VBtn>
+            <VBtn
+              variant="tonal"
+              size="small"
+              prepend-icon="tabler-download"
+              @click="downloadBackupCodes"
+            >
+              Download
+            </VBtn>
+          </div>
+
+          <VCheckbox
+            v-model="savedBackupCodes"
+            label="Ik heb mijn backup codes veilig opgeslagen"
+          />
+        </VCardText>
+
+        <VCardActions>
+          <VSpacer />
+          <VBtn
+            color="primary"
+            :disabled="!savedBackupCodes"
+            @click="handleComplete"
+          >
+            Voltooien
+          </VBtn>
+        </VCardActions>
+      </template>
+    </VCard>
+  </VDialog>
+</template>
+
+<style lang="scss">
+.v-otp-input .v-otp-input__content {
+  padding-inline: 0;
+}
+</style>
diff --git a/apps/app/src/components/settings/MfaTotpSetupDialog.vue b/apps/app/src/components/settings/MfaTotpSetupDialog.vue
new file mode 100644
index 00000000..26462c00
--- /dev/null
+++ b/apps/app/src/components/settings/MfaTotpSetupDialog.vue
@@ -0,0 +1,291 @@
+<script setup lang="ts">
+import QRCode from 'qrcode'
+import { useSetupTotp, useConfirmTotp } from '@/composables/api/useMfa'
+
+const props = defineProps<{
+  modelValue: boolean
+}>()
+
+const emit = defineEmits<{
+  'update:modelValue': [value: boolean]
+  completed: []
+}>()
+
+const setupMutation = useSetupTotp()
+const confirmMutation = useConfirmTotp()
+
+const step = ref(1)
+const qrDataUrl = ref('')
+const secret = ref('')
+const confirmCode = ref('')
+const backupCodes = ref<string[]>([])
+const errorMessage = ref('')
+const savedBackupCodes = ref(false)
+
+const isDialogOpen = computed({
+  get: () => props.modelValue,
+  set: (val: boolean) => emit('update:modelValue', val),
+})
+
+watch(isDialogOpen, async (open) => {
+  if (open) {
+    step.value = 1
+    errorMessage.value = ''
+    confirmCode.value = ''
+    backupCodes.value = []
+    savedBackupCodes.value = false
+    await startSetup()
+  }
+})
+
+async function startSetup() {
+  try {
+    const data = await setupMutation.mutateAsync()
+
+    secret.value = data.secret
+    qrDataUrl.value = await QRCode.toDataURL(data.provisioning_uri, {
+      width: 256,
+      margin: 2,
+      color: { dark: '#000000', light: '#FFFFFF' },
+    })
+  }
+  catch {
+    errorMessage.value = 'Kon TOTP setup niet starten. Probeer het opnieuw.'
+  }
+}
+
+async function handleConfirm() {
+  errorMessage.value = ''
+  try {
+    const data = await confirmMutation.mutateAsync(confirmCode.value)
+
+    backupCodes.value = data.backup_codes
+    step.value = 3
+  }
+  catch (err: unknown) {
+    const ax = err as { response?: { data?: { message?: string } } }
+
+    errorMessage.value = ax.response?.data?.message ?? 'Ongeldige code. Probeer het opnieuw.'
+    confirmCode.value = ''
+  }
+}
+
+function copyToClipboard(text: string) {
+  navigator.clipboard.writeText(text)
+}
+
+function copyBackupCodes() {
+  const text = backupCodes.value.join('\n')
+
+  navigator.clipboard.writeText(text)
+}
+
+function downloadBackupCodes() {
+  const text = `Crewli MFA Backup Codes\n${'='.repeat(30)}\n\n${backupCodes.value.join('\n')}\n\nBewaar deze codes op een veilige plek.\nElke code kan slechts eenmaal worden gebruikt.`
+  const blob = new Blob([text], { type: 'text/plain' })
+  const url = URL.createObjectURL(blob)
+  const a = document.createElement('a')
+
+  a.href = url
+  a.download = 'crewli-backup-codes.txt'
+  a.click()
+  URL.revokeObjectURL(url)
+}
+
+function handleComplete() {
+  isDialogOpen.value = false
+  emit('completed')
+}
+</script>
+
+<template>
+  <VDialog
+    v-model="isDialogOpen"
+    max-width="520"
+    persistent
+  >
+    <VCard>
+      <VCardTitle class="d-flex align-center pt-4">
+        <VIcon
+          icon="tabler-shield-lock"
+          class="me-2"
+        />
+        Authenticator app instellen
+      </VCardTitle>
+
+      <!-- Step 1: QR Code -->
+      <template v-if="step === 1">
+        <VCardText>
+          <p class="text-body-1 mb-4">
+            Scan de QR-code met je authenticator app (Google Authenticator, Authy, etc.)
+          </p>
+
+          <div
+            v-if="qrDataUrl"
+            class="d-flex justify-center mb-4"
+          >
+            <img
+              :src="qrDataUrl"
+              alt="QR Code"
+              width="256"
+              height="256"
+              style="border-radius: 8px;"
+            >
+          </div>
+
+          <VAlert
+            v-if="setupMutation.isPending.value"
+            type="info"
+            variant="tonal"
+            class="mb-4"
+          >
+            QR-code wordt gegenereerd...
+          </VAlert>
+
+          <VExpansionPanels variant="accordion">
+            <VExpansionPanel title="Kun je niet scannen? Voer deze code handmatig in:">
+              <VExpansionPanelText>
+                <AppTextField
+                  :model-value="secret"
+                  readonly
+                  class="font-weight-bold"
+                  append-inner-icon="tabler-copy"
+                  @click:append-inner="() => copyToClipboard(secret)"
+                />
+              </VExpansionPanelText>
+            </VExpansionPanel>
+          </VExpansionPanels>
+        </VCardText>
+
+        <VCardActions>
+          <VSpacer />
+          <VBtn
+            variant="tonal"
+            @click="isDialogOpen = false"
+          >
+            Annuleren
+          </VBtn>
+          <VBtn
+            color="primary"
+            :disabled="!qrDataUrl"
+            @click="step = 2"
+          >
+            Volgende
+          </VBtn>
+        </VCardActions>
+      </template>
+
+      <!-- Step 2: Verify code -->
+      <template v-if="step === 2">
+        <VCardText>
+          <p class="text-body-1 mb-4">
+            Open je authenticator app en voer de 6-cijferige code in
+          </p>
+
+          <VAlert
+            v-if="errorMessage"
+            type="error"
+            variant="tonal"
+            class="mb-4"
+            density="comfortable"
+          >
+            {{ errorMessage }}
+          </VAlert>
+
+          <VOtpInput
+            v-model="confirmCode"
+            type="number"
+            class="pa-0"
+            :disabled="confirmMutation.isPending.value"
+            @finish="handleConfirm"
+          />
+        </VCardText>
+
+        <VCardActions>
+          <VSpacer />
+          <VBtn
+            variant="tonal"
+            @click="step = 1"
+          >
+            Terug
+          </VBtn>
+          <VBtn
+            color="primary"
+            :loading="confirmMutation.isPending.value"
+            :disabled="confirmCode.length < 6"
+            @click="handleConfirm"
+          >
+            Verifi&euml;ren
+          </VBtn>
+        </VCardActions>
+      </template>
+
+      <!-- Step 3: Backup codes -->
+      <template v-if="step === 3">
+        <VCardText>
+          <VAlert
+            type="warning"
+            variant="tonal"
+            class="mb-4"
+          >
+            Bewaar deze codes op een veilige plek. Je kunt ze gebruiken als je geen toegang hebt tot je authenticator app.
+          </VAlert>
+
+          <div class="d-flex flex-wrap gap-2 mb-4">
+            <VChip
+              v-for="code in backupCodes"
+              :key="code"
+              variant="tonal"
+              label
+              class="font-weight-bold text-body-1"
+              style="font-family: monospace;"
+            >
+              {{ code }}
+            </VChip>
+          </div>
+
+          <div class="d-flex gap-2 mb-4">
+            <VBtn
+              variant="tonal"
+              size="small"
+              prepend-icon="tabler-copy"
+              @click="copyBackupCodes"
+            >
+              Kopieer
+            </VBtn>
+            <VBtn
+              variant="tonal"
+              size="small"
+              prepend-icon="tabler-download"
+              @click="downloadBackupCodes"
+            >
+              Download
+            </VBtn>
+          </div>
+
+          <VCheckbox
+            v-model="savedBackupCodes"
+            label="Ik heb mijn backup codes veilig opgeslagen"
+          />
+        </VCardText>
+
+        <VCardActions>
+          <VSpacer />
+          <VBtn
+            color="primary"
+            :disabled="!savedBackupCodes"
+            @click="handleComplete"
+          >
+            Voltooien
+          </VBtn>
+        </VCardActions>
+      </template>
+    </VCard>
+  </VDialog>
+</template>
+
+<style lang="scss">
+.v-otp-input .v-otp-input__content {
+  padding-inline: 0;
+}
+</style>
diff --git a/apps/app/src/composables/api/useMfa.ts b/apps/app/src/composables/api/useMfa.ts
new file mode 100644
index 00000000..abb52781
--- /dev/null
+++ b/apps/app/src/composables/api/useMfa.ts
@@ -0,0 +1,188 @@
+import { useMutation, useQuery, useQueryClient } from '@tanstack/vue-query'
+import { apiClient } from '@/lib/axios'
+import type {
+  MfaConfirmResponse,
+  MfaStatus,
+  MfaTotpSetup,
+  MfaVerifyPayload,
+  TrustedDevice,
+} from '@/types/mfa'
+
+interface ApiResponse<T> {
+  success: boolean
+  data: T
+  message: string
+}
+
+// ─── Setup ───
+
+export function useSetupTotp() {
+  return useMutation({
+    mutationFn: async () => {
+      const { data } = await apiClient.post<ApiResponse<MfaTotpSetup>>('/auth/mfa/setup/totp')
+
+      return data.data
+    },
+  })
+}
+
+export function useConfirmTotp() {
+  const queryClient = useQueryClient()
+
+  return useMutation({
+    mutationFn: async (code: string) => {
+      const { data } = await apiClient.post<ApiResponse<MfaConfirmResponse>>('/auth/mfa/setup/totp/confirm', { code })
+
+      return data.data
+    },
+    onSuccess: () => {
+      queryClient.invalidateQueries({ queryKey: ['mfa-status'] })
+      queryClient.invalidateQueries({ queryKey: ['auth', 'me'] })
+    },
+  })
+}
+
+export function useSetupEmail() {
+  return useMutation({
+    mutationFn: async () => {
+      const { data } = await apiClient.post<ApiResponse<null>>('/auth/mfa/setup/email')
+
+      return data
+    },
+  })
+}
+
+export function useConfirmEmail() {
+  const queryClient = useQueryClient()
+
+  return useMutation({
+    mutationFn: async (code: string) => {
+      const { data } = await apiClient.post<ApiResponse<MfaConfirmResponse>>('/auth/mfa/setup/email/confirm', { code })
+
+      return data.data
+    },
+    onSuccess: () => {
+      queryClient.invalidateQueries({ queryKey: ['mfa-status'] })
+      queryClient.invalidateQueries({ queryKey: ['auth', 'me'] })
+    },
+  })
+}
+
+// ─── Management ───
+
+export function useDisableMfa() {
+  const queryClient = useQueryClient()
+
+  return useMutation({
+    mutationFn: async (payload: { code: string; method: string }) => {
+      const { data } = await apiClient.post<ApiResponse<null>>('/auth/mfa/disable', payload)
+
+      return data
+    },
+    onSuccess: () => {
+      queryClient.invalidateQueries({ queryKey: ['mfa-status'] })
+      queryClient.invalidateQueries({ queryKey: ['auth', 'me'] })
+    },
+  })
+}
+
+export function useRegenerateBackupCodes() {
+  const queryClient = useQueryClient()
+
+  return useMutation({
+    mutationFn: async (payload: { code: string }) => {
+      const { data } = await apiClient.post<ApiResponse<{ backup_codes: string[] }>>('/auth/mfa/backup-codes', payload)
+
+      return data.data
+    },
+    onSuccess: () => {
+      queryClient.invalidateQueries({ queryKey: ['mfa-status'] })
+    },
+  })
+}
+
+export function useMfaStatus() {
+  return useQuery({
+    queryKey: ['mfa-status'],
+    queryFn: async () => {
+      const { data } = await apiClient.get<ApiResponse<MfaStatus>>('/auth/mfa/status')
+
+      return data.data
+    },
+  })
+}
+
+// ─── Trusted devices ───
+
+export function useTrustedDevices() {
+  return useQuery({
+    queryKey: ['trusted-devices'],
+    queryFn: async () => {
+      const { data } = await apiClient.get<ApiResponse<TrustedDevice[]>>('/auth/trusted-devices')
+
+      return data.data
+    },
+  })
+}
+
+export function useRevokeDevice() {
+  const queryClient = useQueryClient()
+
+  return useMutation({
+    mutationFn: async (id: string) => {
+      await apiClient.delete(`/auth/trusted-devices/${id}`)
+    },
+    onSuccess: () => {
+      queryClient.invalidateQueries({ queryKey: ['trusted-devices'] })
+    },
+  })
+}
+
+export function useRevokeAllDevices() {
+  const queryClient = useQueryClient()
+
+  return useMutation({
+    mutationFn: async () => {
+      await apiClient.delete('/auth/trusted-devices')
+    },
+    onSuccess: () => {
+      queryClient.invalidateQueries({ queryKey: ['trusted-devices'] })
+    },
+  })
+}
+
+// ─── Login flow (no auth needed — uses session token) ───
+
+export function useVerifyMfa() {
+  return useMutation({
+    mutationFn: async (payload: MfaVerifyPayload) => {
+      const { data } = await apiClient.post('/auth/mfa/verify', payload)
+
+      return data
+    },
+  })
+}
+
+export function useSendMfaEmailCode() {
+  return useMutation({
+    mutationFn: async (mfaSessionToken: string) => {
+      const { data } = await apiClient.post('/auth/mfa/email/send', {
+        mfa_session_token: mfaSessionToken,
+      })
+
+      return data
+    },
+  })
+}
+
+// ─── Admin ───
+
+export function useAdminResetMfa() {
+  return useMutation({
+    mutationFn: async (userId: string) => {
+      const { data } = await apiClient.post(`/admin/users/${userId}/reset-mfa`)
+
+      return data
+    },
+  })
+}
diff --git a/apps/app/src/layouts/components/UserProfile.vue b/apps/app/src/layouts/components/UserProfile.vue
index 148bebfa..2d53703e 100644
--- a/apps/app/src/layouts/components/UserProfile.vue
+++ b/apps/app/src/layouts/components/UserProfile.vue
@@ -87,6 +87,17 @@ function handleLogout() {
           <VListItemTitle>Accountinstellingen</VListItemTitle>
         </VListItem>
 
+        <VListItem :to="{ name: 'account-settings-security' }">
+          <template #prepend>
+            <VIcon
+              class="me-2"
+              icon="tabler-shield-lock"
+              size="22"
+            />
+          </template>
+          <VListItemTitle>Beveiliging</VListItemTitle>
+        </VListItem>
+
         <VListItem
           :disabled="isLoggingOut"
           @click="handleLogout"
diff --git a/apps/app/src/pages/account-settings.vue b/apps/app/src/pages/account-settings/index.vue
similarity index 100%
rename from apps/app/src/pages/account-settings.vue
rename to apps/app/src/pages/account-settings/index.vue
diff --git a/apps/app/src/pages/account-settings/security.vue b/apps/app/src/pages/account-settings/security.vue
new file mode 100644
index 00000000..4c86e8f5
--- /dev/null
+++ b/apps/app/src/pages/account-settings/security.vue
@@ -0,0 +1,398 @@
+<script setup lang="ts">
+import { useAuthStore } from '@/stores/useAuthStore'
+import {
+  useMfaStatus,
+  useTrustedDevices,
+  useRevokeDevice,
+  useRevokeAllDevices,
+  useRegenerateBackupCodes,
+} from '@/composables/api/useMfa'
+import MfaTotpSetupDialog from '@/components/settings/MfaTotpSetupDialog.vue'
+import MfaEmailSetupDialog from '@/components/settings/MfaEmailSetupDialog.vue'
+import MfaDisableDialog from '@/components/settings/MfaDisableDialog.vue'
+
+definePage({
+  meta: {
+    navActiveLink: 'account-settings',
+  },
+})
+
+const authStore = useAuthStore()
+
+const { data: mfaStatus, refetch: refetchMfaStatus } = useMfaStatus()
+const { data: trustedDevices, refetch: refetchDevices } = useTrustedDevices()
+const revokeDeviceMutation = useRevokeDevice()
+const revokeAllMutation = useRevokeAllDevices()
+const regenerateCodesMutation = useRegenerateBackupCodes()
+
+const showTotpSetup = ref(false)
+const showEmailSetup = ref(false)
+const showDisableDialog = ref(false)
+const showRegenerateDialog = ref(false)
+const regenerateCode = ref('')
+const regeneratedCodes = ref<string[]>([])
+const regenerateError = ref('')
+
+const isEnabled = computed(() => mfaStatus.value?.enabled ?? false)
+const methodLabel = computed(() => {
+  if (mfaStatus.value?.method === 'totp') return 'Authenticator app'
+  if (mfaStatus.value?.method === 'email') return 'E-mailcode'
+
+  return null
+})
+
+function onSetupCompleted() {
+  refetchMfaStatus()
+}
+
+function onDisabled() {
+  refetchMfaStatus()
+  refetchDevices()
+}
+
+async function handleRevokeDevice(id: string) {
+  await revokeDeviceMutation.mutateAsync(id)
+  refetchDevices()
+}
+
+async function handleRevokeAllDevices() {
+  await revokeAllMutation.mutateAsync()
+  refetchDevices()
+}
+
+async function handleRegenerateBackupCodes() {
+  regenerateError.value = ''
+  try {
+    const data = await regenerateCodesMutation.mutateAsync({ code: regenerateCode.value })
+
+    regeneratedCodes.value = data.backup_codes
+    refetchMfaStatus()
+  }
+  catch (err: unknown) {
+    const ax = err as { response?: { data?: { message?: string } } }
+
+    regenerateError.value = ax.response?.data?.message ?? 'Kon codes niet genereren.'
+    regenerateCode.value = ''
+  }
+}
+
+function copyRegeneratedCodes() {
+  navigator.clipboard.writeText(regeneratedCodes.value.join('\n'))
+}
+</script>
+
+<template>
+  <VRow justify="center">
+    <VCol
+      cols="12"
+      md="8"
+      lg="6"
+    >
+      <h4 class="text-h4 mb-6">
+        Beveiliging
+      </h4>
+
+      <!-- Enforcement notice -->
+      <VAlert
+        v-if="mfaStatus?.is_required && !isEnabled"
+        type="warning"
+        variant="tonal"
+        class="mb-6"
+      >
+        Je organisatie vereist tweestapsverificatie. Stel het nu in om het platform te kunnen gebruiken.
+      </VAlert>
+
+      <!-- Section 1: Tweestapsverificatie -->
+      <VCard class="mb-6">
+        <VCardTitle class="d-flex align-center">
+          <VIcon
+            icon="tabler-shield-lock"
+            class="me-2"
+          />
+          Tweestapsverificatie
+        </VCardTitle>
+        <VCardText>
+          <!-- MFA NOT enabled -->
+          <template v-if="!isEnabled">
+            <p class="text-body-1 mb-4">
+              Bescherm je account met een extra beveiligingslaag. Kies een methode:
+            </p>
+
+            <VRow>
+              <VCol
+                cols="12"
+                sm="6"
+              >
+                <VCard
+                  variant="outlined"
+                  class="cursor-pointer pa-4"
+                  @click="showTotpSetup = true"
+                >
+                  <div class="d-flex align-center mb-2">
+                    <VIcon
+                      icon="tabler-device-mobile"
+                      size="28"
+                      color="primary"
+                      class="me-2"
+                    />
+                    <span class="text-subtitle-1 font-weight-medium">Authenticator app</span>
+                  </div>
+                  <p class="text-body-2 text-medium-emphasis mb-0">
+                    Aanbevolen. Gebruik Google Authenticator, Authy of een andere app.
+                  </p>
+                </VCard>
+              </VCol>
+              <VCol
+                cols="12"
+                sm="6"
+              >
+                <VCard
+                  variant="outlined"
+                  class="cursor-pointer pa-4"
+                  @click="showEmailSetup = true"
+                >
+                  <div class="d-flex align-center mb-2">
+                    <VIcon
+                      icon="tabler-mail"
+                      size="28"
+                      color="primary"
+                      class="me-2"
+                    />
+                    <span class="text-subtitle-1 font-weight-medium">E-mailcode</span>
+                  </div>
+                  <p class="text-body-2 text-medium-emphasis mb-0">
+                    Ontvang een code per e-mail bij elke login.
+                  </p>
+                </VCard>
+              </VCol>
+            </VRow>
+          </template>
+
+          <!-- MFA IS enabled -->
+          <template v-else>
+            <div class="d-flex align-center justify-space-between mb-4">
+              <div>
+                <VChip
+                  color="success"
+                  variant="tonal"
+                  size="small"
+                  class="me-2"
+                >
+                  Ingeschakeld
+                </VChip>
+                <span class="text-body-1">via {{ methodLabel }}</span>
+              </div>
+            </div>
+
+            <!-- Backup codes -->
+            <div class="d-flex align-center justify-space-between mb-3 pa-3 rounded" style="background: rgb(var(--v-theme-surface-variant));">
+              <div>
+                <span class="text-body-1 font-weight-medium">Backup codes</span>
+                <br>
+                <span class="text-body-2 text-medium-emphasis">
+                  {{ mfaStatus?.backup_codes_remaining ?? 0 }} van 10 resterend
+                </span>
+              </div>
+              <VBtn
+                variant="tonal"
+                size="small"
+                @click="showRegenerateDialog = true; regeneratedCodes = []; regenerateCode = ''; regenerateError = ''"
+              >
+                Nieuwe codes genereren
+              </VBtn>
+            </div>
+
+            <VBtn
+              color="error"
+              variant="tonal"
+              class="mt-2"
+              @click="showDisableDialog = true"
+            >
+              Uitschakelen
+            </VBtn>
+          </template>
+        </VCardText>
+      </VCard>
+
+      <!-- Section 2: Vertrouwde apparaten -->
+      <VCard
+        v-if="isEnabled"
+        class="mb-6"
+      >
+        <VCardTitle class="d-flex align-center justify-space-between">
+          <div class="d-flex align-center">
+            <VIcon
+              icon="tabler-devices"
+              class="me-2"
+            />
+            Vertrouwde apparaten
+          </div>
+          <VBtn
+            v-if="trustedDevices && trustedDevices.length > 1"
+            variant="tonal"
+            size="small"
+            color="error"
+            :loading="revokeAllMutation.isPending.value"
+            @click="handleRevokeAllDevices"
+          >
+            Alles intrekken
+          </VBtn>
+        </VCardTitle>
+        <VCardText>
+          <template v-if="trustedDevices && trustedDevices.length > 0">
+            <VList>
+              <VListItem
+                v-for="device in trustedDevices"
+                :key="device.id"
+                class="px-0"
+              >
+                <template #prepend>
+                  <VIcon
+                    icon="tabler-device-desktop"
+                    size="24"
+                    class="me-3"
+                  />
+                </template>
+                <VListItemTitle>{{ device.device_name ?? 'Onbekend apparaat' }}</VListItemTitle>
+                <VListItemSubtitle>
+                  IP: {{ device.ip_address }}
+                  <span v-if="device.last_used_at">
+                    &middot; Laatst gebruikt: {{ new Date(device.last_used_at).toLocaleDateString('nl-NL') }}
+                  </span>
+                </VListItemSubtitle>
+
+                <template #append>
+                  <VBtn
+                    variant="text"
+                    size="small"
+                    color="error"
+                    icon="tabler-trash"
+                    :loading="revokeDeviceMutation.isPending.value"
+                    @click="handleRevokeDevice(device.id)"
+                  />
+                </template>
+              </VListItem>
+            </VList>
+          </template>
+
+          <p
+            v-else
+            class="text-body-2 text-medium-emphasis"
+          >
+            Geen vertrouwde apparaten. Wanneer je inlogt met MFA kun je ervoor kiezen een apparaat te onthouden.
+          </p>
+        </VCardText>
+      </VCard>
+
+      <!-- Setup dialogs -->
+      <MfaTotpSetupDialog
+        v-model="showTotpSetup"
+        @completed="onSetupCompleted"
+      />
+
+      <MfaEmailSetupDialog
+        v-model="showEmailSetup"
+        :user-email="authStore.user?.email ?? ''"
+        @completed="onSetupCompleted"
+      />
+
+      <MfaDisableDialog
+        v-model="showDisableDialog"
+        :current-method="mfaStatus?.method ?? null"
+        @disabled="onDisabled"
+      />
+
+      <!-- Regenerate backup codes dialog -->
+      <VDialog
+        v-model="showRegenerateDialog"
+        max-width="460"
+      >
+        <VCard>
+          <VCardTitle class="pt-4">
+            Nieuwe backup codes genereren
+          </VCardTitle>
+
+          <VCardText v-if="regeneratedCodes.length === 0">
+            <VAlert
+              type="info"
+              variant="tonal"
+              class="mb-4"
+            >
+              Dit vervangt al je huidige backup codes. Oude codes werken niet meer.
+            </VAlert>
+
+            <VAlert
+              v-if="regenerateError"
+              type="error"
+              variant="tonal"
+              class="mb-4"
+              density="comfortable"
+            >
+              {{ regenerateError }}
+            </VAlert>
+
+            <p class="text-body-2 mb-2">
+              Voer je authenticator code in ter bevestiging
+            </p>
+            <AppTextField
+              v-model="regenerateCode"
+              placeholder="123456"
+              autofocus
+            />
+          </VCardText>
+
+          <VCardText v-else>
+            <VAlert
+              type="success"
+              variant="tonal"
+              class="mb-4"
+            >
+              Nieuwe backup codes gegenereerd. Bewaar ze veilig.
+            </VAlert>
+
+            <div class="d-flex flex-wrap gap-2 mb-4">
+              <VChip
+                v-for="code in regeneratedCodes"
+                :key="code"
+                variant="tonal"
+                label
+                class="font-weight-bold"
+                style="font-family: monospace;"
+              >
+                {{ code }}
+              </VChip>
+            </div>
+
+            <VBtn
+              variant="tonal"
+              size="small"
+              prepend-icon="tabler-copy"
+              @click="copyRegeneratedCodes"
+            >
+              Kopieer
+            </VBtn>
+          </VCardText>
+
+          <VCardActions>
+            <VSpacer />
+            <VBtn
+              variant="tonal"
+              @click="showRegenerateDialog = false"
+            >
+              {{ regeneratedCodes.length > 0 ? 'Sluiten' : 'Annuleren' }}
+            </VBtn>
+            <VBtn
+              v-if="regeneratedCodes.length === 0"
+              color="primary"
+              :loading="regenerateCodesMutation.isPending.value"
+              :disabled="!regenerateCode"
+              @click="handleRegenerateBackupCodes"
+            >
+              Genereren
+            </VBtn>
+          </VCardActions>
+        </VCard>
+      </VDialog>
+    </VCol>
+  </VRow>
+</template>
diff --git a/apps/app/src/pages/login.vue b/apps/app/src/pages/login.vue
index 8d7e81fd..1bf8f410 100644
--- a/apps/app/src/pages/login.vue
+++ b/apps/app/src/pages/login.vue
@@ -1,6 +1,5 @@
 <script setup lang="ts">
 import { VForm } from 'vuetify/components/VForm'
-import AuthProvider from '@/views/pages/authentication/AuthProvider.vue'
 import { useGenerateImageVariant } from '@core/composable/useGenerateImageVariant'
 import authV2LoginIllustrationBorderedDark from '@images/pages/auth-v2-login-illustration-bordered-dark.png'
 import authV2LoginIllustrationBorderedLight from '@images/pages/auth-v2-login-illustration-bordered-light.png'
@@ -10,9 +9,12 @@ import authV2MaskDark from '@images/pages/misc-mask-dark.png'
 import authV2MaskLight from '@images/pages/misc-mask-light.png'
 import { VNodeRenderer } from '@layouts/components/VNodeRenderer'
 import { themeConfig } from '@themeConfig'
-import { useLogin } from '@/composables/api/useAuth'
+import { apiClient } from '@/lib/axios'
+import { useAuthStore } from '@/stores/useAuthStore'
 import { emailValidator, requiredValidator } from '@core/utils/validators'
-import type { LoginCredentials } from '@/types/auth'
+import { generateDeviceFingerprint } from '@/utils/deviceFingerprint'
+import type { LoginCredentials, LoginResponse } from '@/types/auth'
+import type { MfaMethod } from '@/types/mfa'
 
 definePage({
   meta: {
@@ -23,6 +25,7 @@ definePage({
 
 const route = useRoute()
 const router = useRouter()
+const authStore = useAuthStore()
 
 const passwordResetDone = computed(() => route.query.reset === '1')
 
@@ -35,8 +38,14 @@ const form = ref<LoginCredentials & { remember: boolean }>({
 const isPasswordVisible = ref(false)
 const errors = ref<Record<string, string>>({})
 const refVForm = ref<VForm>()
+const isPending = ref(false)
 
-const { mutate: login, isPending } = useLogin()
+// MFA challenge state
+const showMfaChallenge = ref(false)
+const mfaSessionToken = ref('')
+const mfaMethods = ref<MfaMethod[]>([])
+const mfaPreferredMethod = ref<string>('')
+const mfaExpiresIn = ref(0)
 
 const authThemeImg = useGenerateImageVariant(
   authV2LoginIllustrationLight,
@@ -47,36 +56,77 @@ const authThemeImg = useGenerateImageVariant(
 
 const authThemeMask = useGenerateImageVariant(authV2MaskLight, authV2MaskDark)
 
-function handleLogin() {
+async function handleLogin() {
   errors.value = {}
+  isPending.value = true
 
-  login(
-    { email: form.value.email, password: form.value.password },
-    {
-      onSuccess: () => {
-        const rawTo = route.query.to ? String(route.query.to) : ''
-        const redirectTo = rawTo.startsWith('/') ? rawTo : '/dashboard'
+  try {
+    const fingerprint = generateDeviceFingerprint()
 
-        router.replace(redirectTo)
-      },
-      onError: (err: any) => {
-        const errorData = err.response?.data
+    const { data } = await apiClient.post<LoginResponse>('/auth/login', {
+      email: form.value.email,
+      password: form.value.password,
+    }, {
+      headers: { 'X-Device-Fingerprint': fingerprint },
+    })
 
-        if (errorData?.errors) {
-          errors.value = {
-            email: errorData.errors.email?.[0] ?? '',
-            password: errorData.errors.password?.[0] ?? '',
-          }
-        }
-        else if (errorData?.message) {
-          errors.value = { email: errorData.message }
-        }
-        else {
-          errors.value = { email: 'An error occurred. Please try again.' }
-        }
-      },
-    },
-  )
+    if (data.mfa_required) {
+      mfaSessionToken.value = data.mfa_session_token!
+      mfaMethods.value = (data.methods ?? []) as MfaMethod[]
+      mfaPreferredMethod.value = data.preferred_method ?? 'totp'
+      mfaExpiresIn.value = data.expires_in ?? 600
+      showMfaChallenge.value = true
+
+      return
+    }
+
+    // Normal login success
+    authStore.setUser(data.data.user)
+
+    if (data.mfa_setup_required) {
+      router.replace('/account-settings/security')
+
+      return
+    }
+
+    const rawTo = route.query.to ? String(route.query.to) : ''
+    const redirectTo = rawTo.startsWith('/') ? rawTo : '/dashboard'
+
+    router.replace(redirectTo)
+  }
+  catch (err: unknown) {
+    const errorData = (err as { response?: { data?: { message?: string; errors?: Record<string, string[]> } } }).response?.data
+
+    if (errorData?.errors) {
+      errors.value = {
+        email: errorData.errors.email?.[0] ?? '',
+        password: errorData.errors.password?.[0] ?? '',
+      }
+    }
+    else if (errorData?.message) {
+      errors.value = { email: errorData.message }
+    }
+    else {
+      errors.value = { email: 'Er is een fout opgetreden. Probeer het opnieuw.' }
+    }
+  }
+  finally {
+    isPending.value = false
+  }
+}
+
+function onMfaVerified() {
+  authStore.initialize().then(() => {
+    const rawTo = route.query.to ? String(route.query.to) : ''
+    const redirectTo = rawTo.startsWith('/') ? rawTo : '/dashboard'
+
+    router.replace(redirectTo)
+  })
+}
+
+function onMfaCancelled() {
+  showMfaChallenge.value = false
+  mfaSessionToken.value = ''
 }
 
 function onSubmit() {
@@ -90,16 +140,33 @@ function onSubmit() {
 </script>
 
 <template>
-  <a href="javascript:void(0)">
+  <RouterLink to="/">
     <div class="auth-logo d-flex align-center gap-x-3">
       <VNodeRenderer :nodes="themeConfig.app.logo" />
       <h1 class="auth-title">
         {{ themeConfig.app.title }}
       </h1>
     </div>
-  </a>
+  </RouterLink>
 
+  <!-- MFA Challenge Screen -->
+  <div
+    v-if="showMfaChallenge"
+    class="auth-wrapper d-flex align-center justify-center bg-surface"
+  >
+    <MfaChallengeCard
+      :mfa-session-token="mfaSessionToken"
+      :methods="mfaMethods"
+      :preferred-method="mfaPreferredMethod"
+      :expires-in="mfaExpiresIn"
+      @verified="onMfaVerified"
+      @cancelled="onMfaCancelled"
+    />
+  </div>
+
+  <!-- Login Form -->
   <VRow
+    v-else
     no-gutters
     class="auth-wrapper bg-surface"
   >
@@ -163,27 +230,25 @@ function onSubmit() {
             @submit.prevent="onSubmit"
           >
             <VRow>
-              <!-- email -->
               <VCol cols="12">
                 <AppTextField
                   v-model="form.email"
                   autofocus
-                  label="Email"
+                  label="E-mailadres"
                   type="email"
-                  placeholder="johndoe@email.com"
+                  placeholder="naam@voorbeeld.nl"
                   :rules="[requiredValidator, emailValidator]"
                   :error-messages="errors.email"
                 />
               </VCol>
 
-              <!-- password -->
               <VCol cols="12">
                 <AppTextField
                   v-model="form.password"
-                  label="Password"
+                  label="Wachtwoord"
                   placeholder="············"
                   :type="isPasswordVisible ? 'text' : 'password'"
-                  autocomplete="password"
+                  autocomplete="current-password"
                   :rules="[requiredValidator]"
                   :error-messages="errors.password"
                   :append-inner-icon="isPasswordVisible ? 'tabler-eye-off' : 'tabler-eye'"
@@ -208,41 +273,17 @@ function onSubmit() {
                   type="submit"
                   :loading="isPending"
                 >
-                  Login
+                  Inloggen
                 </VBtn>
               </VCol>
 
-              <!-- create account -->
               <VCol
                 cols="12"
                 class="text-body-1 text-center"
               >
-                <span class="d-inline-block">
-                  New on our platform?
+                <span class="d-inline-block text-medium-emphasis">
+                  Nog geen account? Neem contact op met je organisatie.
                 </span>
-                <a
-                  class="text-primary ms-1 d-inline-block text-body-1"
-                  href="javascript:void(0)"
-                >
-                  Create an account
-                </a>
-              </VCol>
-
-              <VCol
-                cols="12"
-                class="d-flex align-center"
-              >
-                <VDivider />
-                <span class="mx-4">or</span>
-                <VDivider />
-              </VCol>
-
-              <!-- auth providers -->
-              <VCol
-                cols="12"
-                class="text-center"
-              >
-                <AuthProvider />
               </VCol>
             </VRow>
           </VForm>
diff --git a/apps/app/src/pages/platform/users/[id].vue b/apps/app/src/pages/platform/users/[id].vue
index ec486afe..3022e84b 100644
--- a/apps/app/src/pages/platform/users/[id].vue
+++ b/apps/app/src/pages/platform/users/[id].vue
@@ -4,6 +4,7 @@ import {
   useUpdateAdminUser,
   useStartImpersonation,
 } from '@/composables/api/useAdmin'
+import { useAdminResetMfa } from '@/composables/api/useMfa'
 import { useImpersonationStore } from '@/stores/useImpersonationStore'
 import type { AdminUser, UpdateAdminUserPayload } from '@/types/admin'
 
@@ -86,6 +87,21 @@ function confirmImpersonate() {
   })
 }
 
+// MFA Reset
+const isMfaResetDialogOpen = ref(false)
+const { mutate: resetMfa, isPending: isResettingMfa } = useAdminResetMfa()
+const showMfaResetSuccess = ref(false)
+
+function confirmMfaReset() {
+  resetMfa(userId.value, {
+    onSuccess: () => {
+      isMfaResetDialogOpen.value = false
+      showMfaResetSuccess.value = true
+      refetch()
+    },
+  })
+}
+
 function formatDate(iso: string): string {
   return new Date(iso).toLocaleDateString('nl-NL', {
     day: '2-digit',
@@ -253,6 +269,30 @@ function getInitials(name: string): string {
                     {{ user.email_verified_at ? formatDate(user.email_verified_at) : 'Niet geverifieerd' }}
                   </p>
                 </VCol>
+                <VCol cols="6">
+                  <p class="text-body-2 text-disabled mb-1">
+                    Tweestapsverificatie
+                  </p>
+                  <p class="text-body-1">
+                    <VChip
+                      :color="user.mfa_enabled ? 'success' : 'default'"
+                      size="small"
+                      variant="tonal"
+                    >
+                      {{ user.mfa_enabled ? 'Ingeschakeld' : 'Uitgeschakeld' }}
+                    </VChip>
+                    <VBtn
+                      v-if="user.mfa_enabled"
+                      variant="tonal"
+                      color="error"
+                      size="small"
+                      class="ms-2"
+                      @click="isMfaResetDialogOpen = true"
+                    >
+                      MFA resetten
+                    </VBtn>
+                  </p>
+                </VCol>
               </VRow>
             </VCardText>
           </VCard>
@@ -404,6 +444,41 @@ function getInitials(name: string): string {
       </VCard>
     </VDialog>
 
+    <!-- MFA Reset Dialog -->
+    <VDialog
+      v-model="isMfaResetDialogOpen"
+      max-width="460"
+    >
+      <VCard title="MFA resetten">
+        <VCardText>
+          <VAlert
+            type="warning"
+            variant="tonal"
+            class="mb-4"
+          >
+            Weet je zeker dat je de tweestapsverificatie van <strong>{{ user?.full_name }}</strong> wilt uitschakelen?
+            De gebruiker moet MFA opnieuw instellen bij de volgende login.
+          </VAlert>
+        </VCardText>
+        <VCardActions>
+          <VSpacer />
+          <VBtn
+            variant="tonal"
+            @click="isMfaResetDialogOpen = false"
+          >
+            Annuleren
+          </VBtn>
+          <VBtn
+            color="error"
+            :loading="isResettingMfa"
+            @click="confirmMfaReset"
+          >
+            MFA resetten
+          </VBtn>
+        </VCardActions>
+      </VCard>
+    </VDialog>
+
     <!-- Success snackbar -->
     <VSnackbar
       v-model="showEditSuccess"
@@ -412,5 +487,13 @@ function getInitials(name: string): string {
     >
       Gebruiker bijgewerkt
     </VSnackbar>
+
+    <VSnackbar
+      v-model="showMfaResetSuccess"
+      color="success"
+      :timeout="3000"
+    >
+      MFA is gereset voor deze gebruiker
+    </VSnackbar>
   </div>
 </template>
diff --git a/apps/app/src/plugins/1.router/guards.ts b/apps/app/src/plugins/1.router/guards.ts
index f00e7ea5..c61f62c4 100644
--- a/apps/app/src/plugins/1.router/guards.ts
+++ b/apps/app/src/plugins/1.router/guards.ts
@@ -44,6 +44,12 @@ export function setupGuards(router: Router) {
       return { path: '/login', query: { to: to.fullPath } }
     }
 
+    // MFA enforcement — redirect to security settings if MFA setup is required
+    if (authStore.mfaSetupRequired && to.path !== '/account-settings/security') {
+      if (import.meta.env.DEV) console.log('🔒 MFA setup required, redirecting to security settings')
+      return { path: '/account-settings/security' }
+    }
+
     // Platform admin routes — require super_admin role
     if (to.path.startsWith('/platform')) {
       if (!authStore.isSuperAdmin) {
diff --git a/apps/app/src/stores/useAuthStore.ts b/apps/app/src/stores/useAuthStore.ts
index 151f8869..f7ef2c14 100644
--- a/apps/app/src/stores/useAuthStore.ts
+++ b/apps/app/src/stores/useAuthStore.ts
@@ -11,6 +11,8 @@ export const useAuthStore = defineStore('auth', () => {
   const permissions = ref<string[]>([])
   const isInitialized = ref(false)
 
+  const mfaSetupRequired = ref(false)
+
   const isAuthenticated = computed(() => !!user.value)
   const isSuperAdmin = computed(() => appRoles.value?.includes('super_admin') ?? false)
 
@@ -35,6 +37,7 @@ export const useAuthStore = defineStore('auth', () => {
     organisations.value = me.organisations
     appRoles.value = me.app_roles
     permissions.value = me.permissions
+    mfaSetupRequired.value = me.mfa?.setup_required ?? false
 
     // Auto-select first organisation if none is active
     const orgStore = useOrganisationStore()
@@ -53,6 +56,7 @@ export const useAuthStore = defineStore('auth', () => {
     organisations.value = []
     appRoles.value = []
     permissions.value = []
+    mfaSetupRequired.value = false
 
     const orgStore = useOrganisationStore()
     orgStore.clear()
@@ -120,6 +124,7 @@ export const useAuthStore = defineStore('auth', () => {
     isInitialized,
     isSuperAdmin,
     currentOrganisation,
+    mfaSetupRequired,
     setUser,
     setActiveOrganisation,
     logout,
diff --git a/apps/app/src/types/admin.ts b/apps/app/src/types/admin.ts
index 67a2136f..8b3d2d19 100644
--- a/apps/app/src/types/admin.ts
+++ b/apps/app/src/types/admin.ts
@@ -27,6 +27,7 @@ export interface AdminUser {
   email_verified_at: string | null
   created_at: string
   is_super_admin: boolean
+  mfa_enabled: boolean
   roles: string[]
   organisations: Array<{
     id: string
diff --git a/apps/app/src/types/auth.ts b/apps/app/src/types/auth.ts
index add34524..a7a8305f 100644
--- a/apps/app/src/types/auth.ts
+++ b/apps/app/src/types/auth.ts
@@ -16,6 +16,13 @@ export interface Organisation {
   role: string
 }
 
+export interface MfaUserInfo {
+  enabled: boolean
+  method: 'totp' | 'email' | null
+  confirmed_at: string | null
+  setup_required: boolean
+}
+
 export interface MeResponse {
   id: string
   first_name: string
@@ -28,6 +35,7 @@ export interface MeResponse {
   organisations: Organisation[]
   app_roles: string[]
   permissions: string[]
+  mfa?: MfaUserInfo
 }
 
 export interface LoginCredentials {
@@ -41,6 +49,12 @@ export interface LoginResponse {
     user: MeResponse
   }
   message: string
+  mfa_required?: boolean
+  mfa_session_token?: string
+  methods?: string[]
+  preferred_method?: string
+  expires_in?: number
+  mfa_setup_required?: boolean
 }
 
 export interface ApiErrorResponse {
diff --git a/apps/app/src/types/mfa.ts b/apps/app/src/types/mfa.ts
new file mode 100644
index 00000000..905cdd8f
--- /dev/null
+++ b/apps/app/src/types/mfa.ts
@@ -0,0 +1,61 @@
+export const MfaMethod = {
+  TOTP: 'totp',
+  EMAIL: 'email',
+  BACKUP_CODE: 'backup_code',
+} as const
+
+export type MfaMethod = typeof MfaMethod[keyof typeof MfaMethod]
+
+export interface MfaStatus {
+  enabled: boolean
+  method: 'totp' | 'email' | null
+  confirmed_at: string | null
+  backup_codes_remaining: number
+  is_required: boolean
+}
+
+export interface MfaUserStatus {
+  enabled: boolean
+  method: 'totp' | 'email' | null
+  confirmed_at: string | null
+  setup_required: boolean
+}
+
+export interface MfaTotpSetup {
+  secret: string
+  qr_code_url: string
+  provisioning_uri: string
+}
+
+export interface MfaSessionResponse {
+  success: true
+  mfa_required: true
+  mfa_session_token: string
+  methods: MfaMethod[]
+  preferred_method: 'totp' | 'email'
+  expires_in: number
+}
+
+export interface MfaConfirmResponse {
+  mfa_enabled: boolean
+  method: 'totp' | 'email'
+  backup_codes: string[]
+}
+
+export interface TrustedDevice {
+  id: string
+  device_name: string | null
+  ip_address: string
+  trusted_until: string
+  last_used_at: string | null
+  created_at: string
+}
+
+export interface MfaVerifyPayload {
+  mfa_session_token: string
+  code: string
+  method: MfaMethod
+  trust_device?: boolean
+  device_fingerprint?: string
+  device_name?: string
+}
diff --git a/apps/app/src/utils/deviceFingerprint.ts b/apps/app/src/utils/deviceFingerprint.ts
new file mode 100644
index 00000000..89f86154
--- /dev/null
+++ b/apps/app/src/utils/deviceFingerprint.ts
@@ -0,0 +1,49 @@
+export function generateDeviceFingerprint(): string {
+  const components = [
+    navigator.userAgent,
+    `${screen.width}x${screen.height}`,
+    Intl.DateTimeFormat().resolvedOptions().timeZone,
+    navigator.language,
+    navigator.hardwareConcurrency?.toString() ?? '',
+  ]
+
+  const str = components.join('|')
+  let hash = 0
+
+  for (let i = 0; i < str.length; i++) {
+    const char = str.charCodeAt(i)
+
+    hash = ((hash << 5) - hash) + char
+    hash = hash & hash
+  }
+
+  return Math.abs(hash).toString(36)
+}
+
+export function getDeviceName(): string {
+  const ua = navigator.userAgent
+  let browser = 'Onbekend'
+  let os = 'Onbekend'
+
+  if (ua.includes('Chrome') && !ua.includes('Edg'))
+    browser = 'Chrome'
+  else if (ua.includes('Firefox'))
+    browser = 'Firefox'
+  else if (ua.includes('Safari') && !ua.includes('Chrome'))
+    browser = 'Safari'
+  else if (ua.includes('Edg'))
+    browser = 'Edge'
+
+  if (ua.includes('Mac OS'))
+    os = 'macOS'
+  else if (ua.includes('Windows'))
+    os = 'Windows'
+  else if (ua.includes('Linux'))
+    os = 'Linux'
+  else if (ua.includes('Android'))
+    os = 'Android'
+  else if (ua.includes('iPhone') || ua.includes('iPad'))
+    os = 'iOS'
+
+  return `${browser} op ${os}`
+}
diff --git a/apps/app/typed-router.d.ts b/apps/app/typed-router.d.ts
index 166ffce4..fc772e45 100644
--- a/apps/app/typed-router.d.ts
+++ b/apps/app/typed-router.d.ts
@@ -21,6 +21,7 @@ declare module 'vue-router/auto-routes' {
     'root': RouteRecordInfo<'root', '/', Record<never, never>, Record<never, never>>,
     '$error': RouteRecordInfo<'$error', '/:error(.*)', { error: ParamValue<true> }, { error: ParamValue<false> }>,
     'account-settings': RouteRecordInfo<'account-settings', '/account-settings', Record<never, never>, Record<never, never>>,
+    'account-settings-security': RouteRecordInfo<'account-settings-security', '/account-settings/security', Record<never, never>, Record<never, never>>,
     'dashboard': RouteRecordInfo<'dashboard', '/dashboard', Record<never, never>, Record<never, never>>,
     'events': RouteRecordInfo<'events', '/events', Record<never, never>, Record<never, never>>,
     'events-id': RouteRecordInfo<'events-id', '/events/:id', { id: ParamValue<true> }, { id: ParamValue<false> }>,
diff --git a/apps/portal/components.d.ts b/apps/portal/components.d.ts
index 8f719db0..3533a4a5 100644
--- a/apps/portal/components.d.ts
+++ b/apps/portal/components.d.ts
@@ -36,6 +36,10 @@ declare module 'vue' {
     EventCard: typeof import('./src/components/portal/EventCard.vue')['default']
     I18n: typeof import('./src/@core/components/I18n.vue')['default']
     InformatieTab: typeof import('./src/components/event/InformatieTab.vue')['default']
+    MfaChallengeCard: typeof import('./src/components/auth/MfaChallengeCard.vue')['default']
+    MfaDisableDialog: typeof import('./src/components/settings/MfaDisableDialog.vue')['default']
+    MfaEmailSetupDialog: typeof import('./src/components/settings/MfaEmailSetupDialog.vue')['default']
+    MfaTotpSetupDialog: typeof import('./src/components/settings/MfaTotpSetupDialog.vue')['default']
     MoreBtn: typeof import('./src/@core/components/MoreBtn.vue')['default']
     Notifications: typeof import('./src/@core/components/Notifications.vue')['default']
     OverzichtTab: typeof import('./src/components/event/OverzichtTab.vue')['default']
diff --git a/apps/portal/package.json b/apps/portal/package.json
index 3bdbc79c..d44bb7e1 100644
--- a/apps/portal/package.json
+++ b/apps/portal/package.json
@@ -41,6 +41,7 @@
     "ofetch": "1.5.0",
     "pinia": "3.0.3",
     "prismjs": "1.30.0",
+    "qrcode": "^1.5.4",
     "roboto-fontface": "0.10.0",
     "shepherd.js": "13.0.3",
     "swiper": "11.2.10",
@@ -84,6 +85,7 @@
     "@tiptap/extension-underline": "^2.27.1",
     "@types/mapbox-gl": "3.4.1",
     "@types/node": "24.9.2",
+    "@types/qrcode": "^1.5.6",
     "@types/webfontloader": "1.6.38",
     "@typescript-eslint/eslint-plugin": "7.18.0",
     "@typescript-eslint/parser": "7.18.0",
diff --git a/apps/portal/pnpm-lock.yaml b/apps/portal/pnpm-lock.yaml
index 22852b6d..d250b930 100644
--- a/apps/portal/pnpm-lock.yaml
+++ b/apps/portal/pnpm-lock.yaml
@@ -93,6 +93,9 @@ importers:
       prismjs:
         specifier: 1.30.0
         version: 1.30.0
+      qrcode:
+        specifier: ^1.5.4
+        version: 1.5.4
       roboto-fontface:
         specifier: 0.10.0
         version: 0.10.0
@@ -217,6 +220,9 @@ importers:
       '@types/node':
         specifier: 24.9.2
         version: 24.9.2
+      '@types/qrcode':
+        specifier: ^1.5.6
+        version: 1.5.6
       '@types/webfontloader':
         specifier: 1.6.38
         version: 1.6.38
@@ -1435,6 +1441,9 @@ packages:
   '@types/pbf@3.0.5':
     resolution: {integrity: sha512-j3pOPiEcWZ34R6a6mN07mUkM4o4Lwf6hPNt8eilOeZhTFbxFXmKhvXl9Y28jotFPaI1bpPDJsbCprUoNke6OrA==}
 
+  '@types/qrcode@1.5.6':
+    resolution: {integrity: sha512-te7NQcV2BOvdj2b1hCAHzAoMNuj65kNBMz0KBaxM6c3VGBOhU0dURQKOtH8CFNI/dsKkwlv32p26qYQTWoB5bw==}
+
   '@types/semver@7.7.1':
     resolution: {integrity: sha512-FmgJfu+MOcQ370SD0ev7EI8TlCAfKYU+B4m5T3yXc1CiRN94g/SZPtsCkk506aUDtlMnFZvasDwHHUcZUEaYuA==}
 
@@ -2058,6 +2067,10 @@ packages:
     resolution: {integrity: sha512-P8BjAsXvZS+VIDUI11hHCQEv74YT67YUi5JJFNWIqL235sBmjX4+qx9Muvls5ivyNENctx46xQLQ3aTuE7ssaQ==}
     engines: {node: '>=6'}
 
+  camelcase@5.3.1:
+    resolution: {integrity: sha512-L28STB170nwWS63UjtlEOE3dldQApaJXZkOI1uMFfzf3rRuPegHaHesyee+YxQ+W6SvRDQV6UrdOdRiR153wJg==}
+    engines: {node: '>=6'}
+
   caniuse-lite@1.0.30001752:
     resolution: {integrity: sha512-vKUk7beoukxE47P5gcVNKkDRzXdVofotshHwfR9vmpeFKxmI5PBpgOMC18LUJUA/DvJ70Y7RveasIBraqsyO/g==}
 
@@ -2125,6 +2138,9 @@ packages:
     resolution: {integrity: sha512-ouuZd4/dm2Sw5Gmqy6bGyNNNe1qt9RpmxveLSO7KcgsTnU7RXfsw+/bukWGo1abgBiMAic068rclZsO4IWmmxQ==}
     engines: {node: '>= 12'}
 
+  cliui@6.0.0:
+    resolution: {integrity: sha512-t6wbgtoCXvAzst7QgXxJYqPt0usEfbgQdftEPbLL/cvv6HPE5VgvqCuAIDR0NgU52ds6rFwqrgakNLrHEjCbrQ==}
+
   cliui@8.0.1:
     resolution: {integrity: sha512-BSeNnyus75C4//NQ9gQt1/csTXyo/8Sb+afLAkzAptFuMsod9HFokGNudZpi/oQV73hnVK+sR+5PVRMd+Dr7YQ==}
     engines: {node: '>=12'}
@@ -2266,6 +2282,10 @@ packages:
       supports-color:
         optional: true
 
+  decamelize@1.2.0:
+    resolution: {integrity: sha512-z2S+W9X73hAUUki+N+9Za2lBlun89zigOyGrsax+KUQ6wKW4ZoWpEYBkGhQjwAjjDCkWxhY0VKEhk8wzY7F5cA==}
+    engines: {node: '>=0.10.0'}
+
   deep-is@0.1.4:
     resolution: {integrity: sha512-oIPzksmTg4/MriiaYGO+okXDT7ztn/w3Eptv/+gSIdMdKsJo0u4CfYNFJPy+4SKMuCqGw2wxnA+URMg3t8a/bQ==}
 
@@ -2315,6 +2335,9 @@ packages:
     resolution: {integrity: sha512-k1gCAXAsNgLwEL+Y8Wvl+M6oEFj5bgazfZULpS5CneoPPXRaCCW7dm+q21Ky2VEE5X+VeRDBVg1Pcvvsr4TtNQ==}
     engines: {node: ^10.13.0 || ^12.13.0 || ^14.15.0 || >=15.0.0}
 
+  dijkstrajs@1.0.3:
+    resolution: {integrity: sha512-qiSlmBq9+BCdCA/L46dw8Uy93mloxsPSbwnm5yrKn2vMPiy8KyAskTF6zuV/j5BMsmOGZDPs7KjU+mjb670kfA==}
+
   dir-glob@3.0.1:
     resolution: {integrity: sha512-WkrWp9GR4KXfKGYzOLmTuGVi1UWFfws377n9cc55/tb6DuqyF6pcQ5AbiHEshaDpY9v6oaSr2XCDidGmMwdzIA==}
     engines: {node: '>=8'}
@@ -3719,6 +3742,10 @@ packages:
     resolution: {integrity: sha512-Nc3IT5yHzflTfbjgqWcCPpo7DaKy4FnpB0l/zCAW0Tc7jxAiuqSxHasntB3D7887LSrA93kDJ9IXovxJYxyLCA==}
     engines: {node: '>=4'}
 
+  pngjs@5.0.0:
+    resolution: {integrity: sha512-40QW5YalBNfQo5yRYmiw7Yz6TKKVr3h6970B2YE+3fQpsWcrbj1PzJgxeJ19DRQjhMbKPIuMY8rFaXc8moolVw==}
+    engines: {node: '>=10.13.0'}
+
   possible-typed-array-names@1.1.0:
     resolution: {integrity: sha512-/+5VFTchJDoVj3bhoqi6UeymcD00DAwb1nJwamzPvHEszJ4FpF6SNNbUbOS8yI56qHzdV8eK0qEfOSiodkTdxg==}
     engines: {node: '>= 0.4'}
@@ -3871,6 +3898,11 @@ packages:
     resolution: {integrity: sha512-vYt7UD1U9Wg6138shLtLOvdAu+8DsC/ilFtEVHcH+wydcSpNE20AfSOduf6MkRFahL5FY7X1oU7nKVZFtfq8Fg==}
     engines: {node: '>=6'}
 
+  qrcode@1.5.4:
+    resolution: {integrity: sha512-1ca71Zgiu6ORjHqFBDpnSMTR2ReToX4l1Au1VFLyVeBTFavzQnv5JxMFr3ukHVKpSrSA2MCk0lNJSykjUfz7Zg==}
+    engines: {node: '>=10.13.0'}
+    hasBin: true
+
   quansync@0.2.11:
     resolution: {integrity: sha512-AifT7QEbW9Nri4tAwR5M/uzpBuqfZf+zwaEM/QkzEjj7NBuFD2rBuy0K3dE+8wltbezDV7JMA0WfnCPYRSYbXA==}
 
@@ -3939,6 +3971,9 @@ packages:
     resolution: {integrity: sha512-Xf0nWe6RseziFMu+Ap9biiUbmplq6S9/p+7w7YXP/JBHhrUDDUhwa+vANyubuqfZWTveU//DYVGsDG7RKL/vEw==}
     engines: {node: '>=0.10.0'}
 
+  require-main-filename@2.0.0:
+    resolution: {integrity: sha512-NKN5kMDylKuldxYLSUfrbo5Tuzh4hd+2E8NPPX02mZtn1VuREQToYe/ZdlJy+J3uCpfaiGF05e7B8W0iXbQHmg==}
+
   requires-port@1.0.0:
     resolution: {integrity: sha512-KigOCHcocU3XODJxsu8i/j8T9tzT4adHiecwORRQ0ZZFcp7ahwXuRU1m+yuO90C5ZUyGeGfocHDI14M3L3yDAQ==}
 
@@ -4053,6 +4088,9 @@ packages:
     resolution: {integrity: sha512-owllqNuDDEimQat7EPG0tH7JjO090xKNzUtYz6X+Sk2BXDnOCilDdNLwjWeFywG9xkJul1ULvtUQa9O4pUaY0w==}
     engines: {node: '>=4.0.0'}
 
+  set-blocking@2.0.0:
+    resolution: {integrity: sha512-KiKBS8AnWGEyLzofFfmvKwpdPzqiy16LvQfK3yv/fVH7Bj13/wl3JSR1J+rfgRE9q7xUJK4qvgS8raSOeLUehw==}
+
   set-function-length@1.2.2:
     resolution: {integrity: sha512-pgRc4hJ4/sNjWCSS9AmnS40x3bNMDTknHgL5UaMBTMyJnU90EgWh1Rz+MC9eFu4BuN/UwZjKQuY/1v3rM7HMfg==}
     engines: {node: '>= 0.4'}
@@ -4811,6 +4849,9 @@ packages:
     resolution: {integrity: sha512-K4jVyjnBdgvc86Y6BkaLZEN933SwYOuBFkdmBu9ZfkcAbdVbpITnDmjvZ/aQjRXQrv5EPkTnD1s39GiiqbngCw==}
     engines: {node: '>= 0.4'}
 
+  which-module@2.0.1:
+    resolution: {integrity: sha512-iBdZ57RDvnOR9AGBhML2vFZf7h8vmBjhoaZqODJBFWHVtKkDmKuHai3cx5PgVMrX5YDNp27AofYbAwctSS+vhQ==}
+
   which-typed-array@1.1.19:
     resolution: {integrity: sha512-rEvr90Bck4WZt9HHFC4DJMsjvu7x+r6bImz0/BrbWb7A2djJ8hnZMrWnHo9F8ssv0OMErasDhftrfROTyqSDrw==}
     engines: {node: '>= 0.4'}
@@ -4851,6 +4892,9 @@ packages:
     resolution: {integrity: sha512-ICP2e+jsHvAj2E2lIHxa5tjXRlKDJo4IdvPvCXbXQGdzSfmSpNVyIKMvoZHjDY9DP0zV17iI85o90vRFXNccRw==}
     engines: {node: '>=12'}
 
+  y18n@4.0.3:
+    resolution: {integrity: sha512-JKhqTOwSrqNA1NY5lSztJ1GrBiUodLMmIZuLiDaMRJ+itFd+ABVE8XBjOvIWL+rSqNDC74LCSFmlb/U4UZ4hJQ==}
+
   y18n@5.0.8:
     resolution: {integrity: sha512-0pfFzegeDWJHJIAmTLRP2DwHjdF5s7jo9tuztdQxAhINCdvS+3nGINqPd00AphqJR/0LhANUS6/+7SCb98YOfA==}
     engines: {node: '>=10'}
@@ -4870,10 +4914,18 @@ packages:
     engines: {node: '>= 14.6'}
     hasBin: true
 
+  yargs-parser@18.1.3:
+    resolution: {integrity: sha512-o50j0JeToy/4K6OZcaQmW6lyXXKhq7csREXcDwk2omFPJEwUNOVtJKvmDr9EI1fAJZUyZcRF7kxGBWmRXudrCQ==}
+    engines: {node: '>=6'}
+
   yargs-parser@21.1.1:
     resolution: {integrity: sha512-tVpsJW7DdjecAiFpbIB1e3qxIQsE6NoPc5/eTdrbbIC4h0LVsWhnoa3g+m2HclBIujHzsxZ4VJVA+GUuc2/LBw==}
     engines: {node: '>=12'}
 
+  yargs@15.4.1:
+    resolution: {integrity: sha512-aePbxDmcYW++PaqBsJ+HYUFwCdv4LVvdnhBy78E57PIor8/OVvhMrADFFEDh8DHDFRv/O9i3lPhsENjO7QX0+A==}
+    engines: {node: '>=8'}
+
   yargs@17.7.2:
     resolution: {integrity: sha512-7dSzzRQ++CKnNI/krKnYRV7JKKPUXMEh61soaHKg9mrWEhzFWhFnxPxGl+69cD1Ou63C13NUPCnmIcrvqCuM6w==}
     engines: {node: '>=12'}
@@ -6047,6 +6099,10 @@ snapshots:
 
   '@types/pbf@3.0.5': {}
 
+  '@types/qrcode@1.5.6':
+    dependencies:
+      '@types/node': 24.9.2
+
   '@types/semver@7.7.1': {}
 
   '@types/statuses@2.0.6': {}
@@ -6822,6 +6878,8 @@ snapshots:
 
   callsites@3.1.0: {}
 
+  camelcase@5.3.1: {}
+
   caniuse-lite@1.0.30001752: {}
 
   case-police@0.6.1: {}
@@ -6896,6 +6954,12 @@ snapshots:
 
   cli-width@4.1.0: {}
 
+  cliui@6.0.0:
+    dependencies:
+      string-width: 4.2.3
+      strip-ansi: 6.0.1
+      wrap-ansi: 6.2.0
+
   cliui@8.0.1:
     dependencies:
       string-width: 4.2.3
@@ -7022,6 +7086,8 @@ snapshots:
     dependencies:
       ms: 2.1.3
 
+  decamelize@1.2.0: {}
+
   deep-is@0.1.4: {}
 
   deepmerge-ts@5.1.0: {}
@@ -7061,6 +7127,8 @@ snapshots:
 
   diff-sequences@27.5.1: {}
 
+  dijkstrajs@1.0.3: {}
+
   dir-glob@3.0.1:
     dependencies:
       path-type: 4.0.0
@@ -8752,6 +8820,8 @@ snapshots:
 
   pluralize@8.0.0: {}
 
+  pngjs@5.0.0: {}
+
   possible-typed-array-names@1.1.0: {}
 
   postcss-html@1.8.0:
@@ -8933,6 +9003,12 @@ snapshots:
 
   punycode@2.3.1: {}
 
+  qrcode@1.5.4:
+    dependencies:
+      dijkstrajs: 1.0.3
+      pngjs: 5.0.0
+      yargs: 15.4.1
+
   quansync@0.2.11: {}
 
   querystringify@2.2.0: {}
@@ -9010,6 +9086,8 @@ snapshots:
 
   require-from-string@2.0.2: {}
 
+  require-main-filename@2.0.0: {}
+
   requires-port@1.0.0: {}
 
   resolve-from@4.0.0: {}
@@ -9137,6 +9215,8 @@ snapshots:
 
   serialize-to-js@3.1.2: {}
 
+  set-blocking@2.0.0: {}
+
   set-function-length@1.2.2:
     dependencies:
       define-data-property: 1.1.4
@@ -10065,6 +10145,8 @@ snapshots:
       is-weakmap: 2.0.2
       is-weakset: 2.0.4
 
+  which-module@2.0.1: {}
+
   which-typed-array@1.1.19:
     dependencies:
       available-typed-arrays: 1.0.7
@@ -10110,6 +10192,8 @@ snapshots:
 
   xml-name-validator@4.0.0: {}
 
+  y18n@4.0.3: {}
+
   y18n@5.0.8: {}
 
   yallist@3.1.1: {}
@@ -10123,8 +10207,27 @@ snapshots:
 
   yaml@2.8.1: {}
 
+  yargs-parser@18.1.3:
+    dependencies:
+      camelcase: 5.3.1
+      decamelize: 1.2.0
+
   yargs-parser@21.1.1: {}
 
+  yargs@15.4.1:
+    dependencies:
+      cliui: 6.0.0
+      decamelize: 1.2.0
+      find-up: 4.1.0
+      get-caller-file: 2.0.5
+      require-directory: 2.1.1
+      require-main-filename: 2.0.0
+      set-blocking: 2.0.0
+      string-width: 4.2.3
+      which-module: 2.0.1
+      y18n: 4.0.3
+      yargs-parser: 18.1.3
+
   yargs@17.7.2:
     dependencies:
       cliui: 8.0.1
diff --git a/apps/portal/src/components/auth/MfaChallengeCard.vue b/apps/portal/src/components/auth/MfaChallengeCard.vue
new file mode 100644
index 00000000..7345e59f
--- /dev/null
+++ b/apps/portal/src/components/auth/MfaChallengeCard.vue
@@ -0,0 +1,283 @@
+<script setup lang="ts">
+import { useVerifyMfa, useSendMfaEmailCode } from '@/composables/api/useMfa'
+import { generateDeviceFingerprint, getDeviceName } from '@/utils/deviceFingerprint'
+import type { MfaMethod } from '@/types/mfa'
+
+const props = defineProps<{
+  mfaSessionToken: string
+  methods: MfaMethod[]
+  preferredMethod: string
+  expiresIn: number
+}>()
+
+const emit = defineEmits<{
+  verified: [data: unknown]
+  cancelled: []
+}>()
+
+const verifyMutation = useVerifyMfa()
+const sendEmailMutation = useSendMfaEmailCode()
+
+const selectedMethod = ref<string>(props.preferredMethod)
+const otpCode = ref('')
+const backupCode = ref('')
+const trustDevice = ref(false)
+const errorMessage = ref('')
+const timeLeft = ref(props.expiresIn)
+
+const isBackupMethod = computed(() => selectedMethod.value === 'backup_code')
+
+// Countdown timer
+const countdownInterval = setInterval(() => {
+  timeLeft.value--
+  if (timeLeft.value <= 0) {
+    clearInterval(countdownInterval)
+    errorMessage.value = 'MFA-sessie verlopen. Log opnieuw in.'
+  }
+}, 1000)
+
+onUnmounted(() => {
+  clearInterval(countdownInterval)
+})
+
+const formattedTimeLeft = computed(() => {
+  const minutes = Math.floor(timeLeft.value / 60)
+  const seconds = timeLeft.value % 60
+
+  return `${minutes}:${seconds.toString().padStart(2, '0')}`
+})
+
+const methodTabs = computed(() => {
+  const tabs: Array<{ value: string; title: string; icon: string }> = []
+
+  if (props.methods.includes('totp' as MfaMethod))
+    tabs.push({ value: 'totp', title: 'Authenticator', icon: 'tabler-device-mobile' })
+
+  if (props.methods.includes('email' as MfaMethod))
+    tabs.push({ value: 'email', title: 'E-mailcode', icon: 'tabler-mail' })
+
+  if (props.methods.includes('backup_code' as MfaMethod))
+    tabs.push({ value: 'backup_code', title: 'Backup code', icon: 'tabler-key' })
+
+  return tabs
+})
+
+function onMethodChange(method: string) {
+  errorMessage.value = ''
+  otpCode.value = ''
+  backupCode.value = ''
+
+  if (method === 'email')
+    handleSendEmailCode()
+}
+
+async function handleSendEmailCode() {
+  try {
+    await sendEmailMutation.mutateAsync(props.mfaSessionToken)
+  }
+  catch {
+    // Rate limited or other error — user can try resend link
+  }
+}
+
+function onOtpFinish(code: string) {
+  otpCode.value = code
+  handleVerify()
+}
+
+async function handleVerify() {
+  errorMessage.value = ''
+  const code = isBackupMethod.value ? backupCode.value : otpCode.value
+
+  if (!code) return
+
+  try {
+    const data = await verifyMutation.mutateAsync({
+      mfa_session_token: props.mfaSessionToken,
+      code,
+      method: selectedMethod.value as MfaMethod,
+      trust_device: trustDevice.value || undefined,
+      device_fingerprint: trustDevice.value ? generateDeviceFingerprint() : undefined,
+      device_name: trustDevice.value ? getDeviceName() : undefined,
+    })
+
+    emit('verified', data)
+  }
+  catch (err: unknown) {
+    const ax = err as { response?: { data?: { message?: string } } }
+
+    errorMessage.value = ax.response?.data?.message ?? 'Verificatie mislukt. Probeer het opnieuw.'
+    otpCode.value = ''
+    backupCode.value = ''
+  }
+}
+</script>
+
+<template>
+  <VCard
+    class="auth-card"
+    max-width="460"
+    :class="$vuetify.display.smAndUp ? 'pa-6' : 'pa-0'"
+  >
+    <VCardText>
+      <h4 class="text-h4 mb-1">
+        Tweestapsverificatie
+      </h4>
+      <p class="mb-0">
+        Voer je verificatiecode in om in te loggen
+      </p>
+      <VChip
+        v-if="timeLeft > 0"
+        size="small"
+        color="secondary"
+        variant="tonal"
+        class="mt-2"
+      >
+        <VIcon
+          start
+          icon="tabler-clock"
+          size="14"
+        />
+        {{ formattedTimeLeft }}
+      </VChip>
+    </VCardText>
+
+    <VCardText>
+      <!-- Method tabs -->
+      <VTabs
+        v-if="methodTabs.length > 1"
+        v-model="selectedMethod"
+        class="mb-4"
+        density="comfortable"
+        @update:model-value="(v: unknown) => onMethodChange(String(v))"
+      >
+        <VTab
+          v-for="tab in methodTabs"
+          :key="tab.value"
+          :value="tab.value"
+        >
+          <VIcon
+            :icon="tab.icon"
+            size="20"
+            class="me-1"
+          />
+          {{ tab.title }}
+        </VTab>
+      </VTabs>
+
+      <VAlert
+        v-if="errorMessage"
+        type="error"
+        variant="tonal"
+        class="mb-4"
+        density="comfortable"
+      >
+        {{ errorMessage }}
+      </VAlert>
+
+      <VForm @submit.prevent="handleVerify">
+        <VRow>
+          <!-- OTP input for TOTP and email methods -->
+          <VCol
+            v-if="!isBackupMethod"
+            cols="12"
+          >
+            <p class="text-body-2 mb-2">
+              {{
+                selectedMethod === 'totp'
+                  ? 'Voer de 6-cijferige code in uit je authenticator app'
+                  : 'Voer de 6-cijferige code in die naar je e-mailadres is gestuurd'
+              }}
+            </p>
+            <VOtpInput
+              v-model="otpCode"
+              :disabled="verifyMutation.isPending.value || timeLeft <= 0"
+              type="number"
+              class="pa-0"
+              @finish="onOtpFinish"
+            />
+          </VCol>
+
+          <!-- Backup code input -->
+          <VCol
+            v-else
+            cols="12"
+          >
+            <p class="text-body-2 mb-2">
+              Voer een van je backup codes in (formaat: XXXX-XXXX)
+            </p>
+            <AppTextField
+              v-model="backupCode"
+              placeholder="XXXX-XXXX"
+              autofocus
+              class="text-center"
+            />
+          </VCol>
+
+          <!-- Trust device -->
+          <VCol cols="12">
+            <VCheckbox
+              v-model="trustDevice"
+              label="Onthoud dit apparaat voor 30 dagen"
+              density="compact"
+            />
+          </VCol>
+
+          <!-- Verify button -->
+          <VCol cols="12">
+            <VBtn
+              block
+              type="submit"
+              :loading="verifyMutation.isPending.value"
+              :disabled="timeLeft <= 0"
+            >
+              Verifi&euml;ren
+            </VBtn>
+          </VCol>
+
+          <!-- Resend email code -->
+          <VCol
+            v-if="selectedMethod === 'email'"
+            cols="12"
+            class="text-center"
+          >
+            <div class="d-flex justify-center align-center flex-wrap">
+              <span class="me-1 text-body-2">Geen code ontvangen?</span>
+              <a
+                class="text-primary text-body-2"
+                href="#"
+                @click.prevent="handleSendEmailCode"
+              >
+                Opnieuw versturen
+              </a>
+            </div>
+          </VCol>
+
+          <!-- Back to login -->
+          <VCol cols="12">
+            <a
+              class="d-flex align-center justify-center text-body-2"
+              href="#"
+              @click.prevent="emit('cancelled')"
+            >
+              <VIcon
+                icon="tabler-chevron-left"
+                size="20"
+                class="me-1 flip-in-rtl"
+              />
+              <span>Terug naar inloggen</span>
+            </a>
+          </VCol>
+        </VRow>
+      </VForm>
+    </VCardText>
+  </VCard>
+</template>
+
+<style lang="scss">
+.v-otp-input {
+  .v-otp-input__content {
+    padding-inline: 0;
+  }
+}
+</style>
diff --git a/apps/portal/src/components/settings/MfaDisableDialog.vue b/apps/portal/src/components/settings/MfaDisableDialog.vue
new file mode 100644
index 00000000..4b3ab61b
--- /dev/null
+++ b/apps/portal/src/components/settings/MfaDisableDialog.vue
@@ -0,0 +1,115 @@
+<script setup lang="ts">
+import { useDisableMfa } from '@/composables/api/useMfa'
+
+const props = defineProps<{
+  modelValue: boolean
+  currentMethod: 'totp' | 'email' | null
+}>()
+
+const emit = defineEmits<{
+  'update:modelValue': [value: boolean]
+  disabled: []
+}>()
+
+const disableMutation = useDisableMfa()
+
+const code = ref('')
+const method = ref<string>(props.currentMethod === 'totp' ? 'totp' : 'backup_code')
+const errorMessage = ref('')
+
+const isDialogOpen = computed({
+  get: () => props.modelValue,
+  set: (val: boolean) => emit('update:modelValue', val),
+})
+
+watch(isDialogOpen, (open) => {
+  if (open) {
+    code.value = ''
+    errorMessage.value = ''
+    method.value = props.currentMethod === 'totp' ? 'totp' : 'backup_code'
+  }
+})
+
+async function handleDisable() {
+  errorMessage.value = ''
+  try {
+    await disableMutation.mutateAsync({ code: code.value, method: method.value })
+    isDialogOpen.value = false
+    emit('disabled')
+  }
+  catch (err: unknown) {
+    const ax = err as { response?: { data?: { message?: string } } }
+
+    errorMessage.value = ax.response?.data?.message ?? 'Kon MFA niet uitschakelen. Probeer het opnieuw.'
+    code.value = ''
+  }
+}
+</script>
+
+<template>
+  <VDialog
+    v-model="isDialogOpen"
+    max-width="460"
+  >
+    <VCard>
+      <VCardTitle class="d-flex align-center pt-4">
+        <VIcon
+          icon="tabler-shield-off"
+          color="error"
+          class="me-2"
+        />
+        Tweestapsverificatie uitschakelen
+      </VCardTitle>
+
+      <VCardText>
+        <VAlert
+          type="warning"
+          variant="tonal"
+          class="mb-4"
+        >
+          Weet je zeker dat je tweestapsverificatie wilt uitschakelen? Je account wordt minder veilig.
+        </VAlert>
+
+        <VAlert
+          v-if="errorMessage"
+          type="error"
+          variant="tonal"
+          class="mb-4"
+          density="comfortable"
+        >
+          {{ errorMessage }}
+        </VAlert>
+
+        <VForm @submit.prevent="handleDisable">
+          <p class="text-body-2 mb-2">
+            Voer je {{ currentMethod === 'totp' ? 'authenticator code' : 'backup code' }} in ter bevestiging
+          </p>
+
+          <AppTextField
+            v-model="code"
+            :placeholder="currentMethod === 'totp' ? '123456' : 'XXXX-XXXX'"
+            autofocus
+          />
+        </VForm>
+      </VCardText>
+
+      <VCardActions>
+        <VSpacer />
+        <VBtn
+          variant="tonal"
+          @click="isDialogOpen = false"
+        >
+          Annuleren
+        </VBtn>
+        <VBtn
+          color="error"
+          :loading="disableMutation.isPending.value"
+          :disabled="!code"
+          @click="handleDisable"
+        >
+          Uitschakelen
+        </VBtn>
+      </VCardActions>
+    </VCard>
+  </VDialog>
+</template>
diff --git a/apps/portal/src/components/settings/MfaEmailSetupDialog.vue b/apps/portal/src/components/settings/MfaEmailSetupDialog.vue
new file mode 100644
index 00000000..c76c481a
--- /dev/null
+++ b/apps/portal/src/components/settings/MfaEmailSetupDialog.vue
@@ -0,0 +1,276 @@
+<script setup lang="ts">
+import { useSetupEmail, useConfirmEmail } from '@/composables/api/useMfa'
+
+const props = defineProps<{
+  modelValue: boolean
+  userEmail: string
+}>()
+
+const emit = defineEmits<{
+  'update:modelValue': [value: boolean]
+  completed: []
+}>()
+
+const setupMutation = useSetupEmail()
+const confirmMutation = useConfirmEmail()
+
+const step = ref(1)
+const confirmCode = ref('')
+const backupCodes = ref<string[]>([])
+const errorMessage = ref('')
+const savedBackupCodes = ref(false)
+const codeSent = ref(false)
+
+const isDialogOpen = computed({
+  get: () => props.modelValue,
+  set: (val: boolean) => emit('update:modelValue', val),
+})
+
+watch(isDialogOpen, (open) => {
+  if (open) {
+    step.value = 1
+    errorMessage.value = ''
+    confirmCode.value = ''
+    backupCodes.value = []
+    savedBackupCodes.value = false
+    codeSent.value = false
+  }
+})
+
+async function handleSendCode() {
+  errorMessage.value = ''
+  try {
+    await setupMutation.mutateAsync()
+    codeSent.value = true
+    step.value = 2
+  }
+  catch (err: unknown) {
+    const ax = err as { response?: { data?: { message?: string } } }
+
+    errorMessage.value = ax.response?.data?.message ?? 'Kon geen code versturen. Probeer het opnieuw.'
+  }
+}
+
+async function handleConfirm() {
+  errorMessage.value = ''
+  try {
+    const data = await confirmMutation.mutateAsync(confirmCode.value)
+
+    backupCodes.value = data.backup_codes
+    step.value = 3
+  }
+  catch (err: unknown) {
+    const ax = err as { response?: { data?: { message?: string } } }
+
+    errorMessage.value = ax.response?.data?.message ?? 'Ongeldige code. Probeer het opnieuw.'
+    confirmCode.value = ''
+  }
+}
+
+function copyBackupCodes() {
+  const text = backupCodes.value.join('\n')
+
+  navigator.clipboard.writeText(text)
+}
+
+function downloadBackupCodes() {
+  const text = `Crewli MFA Backup Codes\n${'='.repeat(30)}\n\n${backupCodes.value.join('\n')}\n\nBewaar deze codes op een veilige plek.\nElke code kan slechts eenmaal worden gebruikt.`
+  const blob = new Blob([text], { type: 'text/plain' })
+  const url = URL.createObjectURL(blob)
+  const a = document.createElement('a')
+
+  a.href = url
+  a.download = 'crewli-backup-codes.txt'
+  a.click()
+  URL.revokeObjectURL(url)
+}
+
+function handleComplete() {
+  isDialogOpen.value = false
+  emit('completed')
+}
+</script>
+
+<template>
+  <VDialog
+    v-model="isDialogOpen"
+    max-width="520"
+    persistent
+  >
+    <VCard>
+      <VCardTitle class="d-flex align-center pt-4">
+        <VIcon
+          icon="tabler-mail-code"
+          class="me-2"
+        />
+        E-mailverificatie instellen
+      </VCardTitle>
+
+      <!-- Step 1: Send code -->
+      <template v-if="step === 1">
+        <VCardText>
+          <p class="text-body-1 mb-4">
+            We sturen een verificatiecode naar <strong>{{ userEmail }}</strong>
+          </p>
+
+          <VAlert
+            v-if="errorMessage"
+            type="error"
+            variant="tonal"
+            class="mb-4"
+          >
+            {{ errorMessage }}
+          </VAlert>
+        </VCardText>
+
+        <VCardActions>
+          <VSpacer />
+          <VBtn
+            variant="tonal"
+            @click="isDialogOpen = false"
+          >
+            Annuleren
+          </VBtn>
+          <VBtn
+            color="primary"
+            :loading="setupMutation.isPending.value"
+            @click="handleSendCode"
+          >
+            Code versturen
+          </VBtn>
+        </VCardActions>
+      </template>
+
+      <!-- Step 2: Verify code -->
+      <template v-if="step === 2">
+        <VCardText>
+          <VAlert
+            type="success"
+            variant="tonal"
+            class="mb-4"
+            density="comfortable"
+          >
+            Code verstuurd! Check je inbox.
+          </VAlert>
+
+          <VAlert
+            v-if="errorMessage"
+            type="error"
+            variant="tonal"
+            class="mb-4"
+            density="comfortable"
+          >
+            {{ errorMessage }}
+          </VAlert>
+
+          <p class="text-body-2 mb-2">
+            Voer de 6-cijferige code in
+          </p>
+
+          <VOtpInput
+            v-model="confirmCode"
+            type="number"
+            class="pa-0"
+            :disabled="confirmMutation.isPending.value"
+            @finish="handleConfirm"
+          />
+
+          <div class="text-center mt-4">
+            <a
+              class="text-primary text-body-2"
+              href="#"
+              @click.prevent="handleSendCode"
+            >
+              Code opnieuw versturen
+            </a>
+          </div>
+        </VCardText>
+
+        <VCardActions>
+          <VSpacer />
+          <VBtn
+            variant="tonal"
+            @click="step = 1"
+          >
+            Terug
+          </VBtn>
+          <VBtn
+            color="primary"
+            :loading="confirmMutation.isPending.value"
+            :disabled="confirmCode.length < 6"
+            @click="handleConfirm"
+          >
+            Verifi&euml;ren
+          </VBtn>
+        </VCardActions>
+      </template>
+
+      <!-- Step 3: Backup codes (same as TOTP) -->
+      <template v-if="step === 3">
+        <VCardText>
+          <VAlert
+            type="warning"
+            variant="tonal"
+            class="mb-4"
+          >
+            Bewaar deze codes op een veilige plek. Je kunt ze gebruiken als je geen toegang hebt tot je e-mail.
+          </VAlert>
+
+          <div class="d-flex flex-wrap gap-2 mb-4">
+            <VChip
+              v-for="code in backupCodes"
+              :key="code"
+              variant="tonal"
+              label
+              class="font-weight-bold text-body-1"
+              style="font-family: monospace;"
+            >
+              {{ code }}
+            </VChip>
+          </div>
+
+          <div class="d-flex gap-2 mb-4">
+            <VBtn
+              variant="tonal"
+              size="small"
+              prepend-icon="tabler-copy"
+              @click="copyBackupCodes"
+            >
+              Kopieer
+            </VBtn>
+            <VBtn
+              variant="tonal"
+              size="small"
+              prepend-icon="tabler-download"
+              @click="downloadBackupCodes"
+            >
+              Download
+            </VBtn>
+          </div>
+
+          <VCheckbox
+            v-model="savedBackupCodes"
+            label="Ik heb mijn backup codes veilig opgeslagen"
+          />
+        </VCardText>
+
+        <VCardActions>
+          <VSpacer />
+          <VBtn
+            color="primary"
+            :disabled="!savedBackupCodes"
+            @click="handleComplete"
+          >
+            Voltooien
+          </VBtn>
+        </VCardActions>
+      </template>
+    </VCard>
+  </VDialog>
+</template>
+
+<style lang="scss">
+.v-otp-input .v-otp-input__content {
+  padding-inline: 0;
+}
+</style>
diff --git a/apps/portal/src/components/settings/MfaTotpSetupDialog.vue b/apps/portal/src/components/settings/MfaTotpSetupDialog.vue
new file mode 100644
index 00000000..26462c00
--- /dev/null
+++ b/apps/portal/src/components/settings/MfaTotpSetupDialog.vue
@@ -0,0 +1,291 @@
+<script setup lang="ts">
+import QRCode from 'qrcode'
+import { useSetupTotp, useConfirmTotp } from '@/composables/api/useMfa'
+
+const props = defineProps<{
+  modelValue: boolean
+}>()
+
+const emit = defineEmits<{
+  'update:modelValue': [value: boolean]
+  completed: []
+}>()
+
+const setupMutation = useSetupTotp()
+const confirmMutation = useConfirmTotp()
+
+const step = ref(1)
+const qrDataUrl = ref('')
+const secret = ref('')
+const confirmCode = ref('')
+const backupCodes = ref<string[]>([])
+const errorMessage = ref('')
+const savedBackupCodes = ref(false)
+
+const isDialogOpen = computed({
+  get: () => props.modelValue,
+  set: (val: boolean) => emit('update:modelValue', val),
+})
+
+watch(isDialogOpen, async (open) => {
+  if (open) {
+    step.value = 1
+    errorMessage.value = ''
+    confirmCode.value = ''
+    backupCodes.value = []
+    savedBackupCodes.value = false
+    await startSetup()
+  }
+})
+
+async function startSetup() {
+  try {
+    const data = await setupMutation.mutateAsync()
+
+    secret.value = data.secret
+    qrDataUrl.value = await QRCode.toDataURL(data.provisioning_uri, {
+      width: 256,
+      margin: 2,
+      color: { dark: '#000000', light: '#FFFFFF' },
+    })
+  }
+  catch {
+    errorMessage.value = 'Kon TOTP setup niet starten. Probeer het opnieuw.'
+  }
+}
+
+async function handleConfirm() {
+  errorMessage.value = ''
+  try {
+    const data = await confirmMutation.mutateAsync(confirmCode.value)
+
+    backupCodes.value = data.backup_codes
+    step.value = 3
+  }
+  catch (err: unknown) {
+    const ax = err as { response?: { data?: { message?: string } } }
+
+    errorMessage.value = ax.response?.data?.message ?? 'Ongeldige code. Probeer het opnieuw.'
+    confirmCode.value = ''
+  }
+}
+
+function copyToClipboard(text: string) {
+  navigator.clipboard.writeText(text)
+}
+
+function copyBackupCodes() {
+  const text = backupCodes.value.join('\n')
+
+  navigator.clipboard.writeText(text)
+}
+
+function downloadBackupCodes() {
+  const text = `Crewli MFA Backup Codes\n${'='.repeat(30)}\n\n${backupCodes.value.join('\n')}\n\nBewaar deze codes op een veilige plek.\nElke code kan slechts eenmaal worden gebruikt.`
+  const blob = new Blob([text], { type: 'text/plain' })
+  const url = URL.createObjectURL(blob)
+  const a = document.createElement('a')
+
+  a.href = url
+  a.download = 'crewli-backup-codes.txt'
+  a.click()
+  URL.revokeObjectURL(url)
+}
+
+function handleComplete() {
+  isDialogOpen.value = false
+  emit('completed')
+}
+</script>
+
+<template>
+  <VDialog
+    v-model="isDialogOpen"
+    max-width="520"
+    persistent
+  >
+    <VCard>
+      <VCardTitle class="d-flex align-center pt-4">
+        <VIcon
+          icon="tabler-shield-lock"
+          class="me-2"
+        />
+        Authenticator app instellen
+      </VCardTitle>
+
+      <!-- Step 1: QR Code -->
+      <template v-if="step === 1">
+        <VCardText>
+          <p class="text-body-1 mb-4">
+            Scan de QR-code met je authenticator app (Google Authenticator, Authy, etc.)
+          </p>
+
+          <div
+            v-if="qrDataUrl"
+            class="d-flex justify-center mb-4"
+          >
+            <img
+              :src="qrDataUrl"
+              alt="QR Code"
+              width="256"
+              height="256"
+              style="border-radius: 8px;"
+            >
+          </div>
+
+          <VAlert
+            v-if="setupMutation.isPending.value"
+            type="info"
+            variant="tonal"
+            class="mb-4"
+          >
+            QR-code wordt gegenereerd...
+          </VAlert>
+
+          <VExpansionPanels variant="accordion">
+            <VExpansionPanel title="Kun je niet scannen? Voer deze code handmatig in:">
+              <VExpansionPanelText>
+                <AppTextField
+                  :model-value="secret"
+                  readonly
+                  class="font-weight-bold"
+                  append-inner-icon="tabler-copy"
+                  @click:append-inner="() => copyToClipboard(secret)"
+                />
+              </VExpansionPanelText>
+            </VExpansionPanel>
+          </VExpansionPanels>
+        </VCardText>
+
+        <VCardActions>
+          <VSpacer />
+          <VBtn
+            variant="tonal"
+            @click="isDialogOpen = false"
+          >
+            Annuleren
+          </VBtn>
+          <VBtn
+            color="primary"
+            :disabled="!qrDataUrl"
+            @click="step = 2"
+          >
+            Volgende
+          </VBtn>
+        </VCardActions>
+      </template>
+
+      <!-- Step 2: Verify code -->
+      <template v-if="step === 2">
+        <VCardText>
+          <p class="text-body-1 mb-4">
+            Open je authenticator app en voer de 6-cijferige code in
+          </p>
+
+          <VAlert
+            v-if="errorMessage"
+            type="error"
+            variant="tonal"
+            class="mb-4"
+            density="comfortable"
+          >
+            {{ errorMessage }}
+          </VAlert>
+
+          <VOtpInput
+            v-model="confirmCode"
+            type="number"
+            class="pa-0"
+            :disabled="confirmMutation.isPending.value"
+            @finish="handleConfirm"
+          />
+        </VCardText>
+
+        <VCardActions>
+          <VSpacer />
+          <VBtn
+            variant="tonal"
+            @click="step = 1"
+          >
+            Terug
+          </VBtn>
+          <VBtn
+            color="primary"
+            :loading="confirmMutation.isPending.value"
+            :disabled="confirmCode.length < 6"
+            @click="handleConfirm"
+          >
+            Verifi&euml;ren
+          </VBtn>
+        </VCardActions>
+      </template>
+
+      <!-- Step 3: Backup codes -->
+      <template v-if="step === 3">
+        <VCardText>
+          <VAlert
+            type="warning"
+            variant="tonal"
+            class="mb-4"
+          >
+            Bewaar deze codes op een veilige plek. Je kunt ze gebruiken als je geen toegang hebt tot je authenticator app.
+          </VAlert>
+
+          <div class="d-flex flex-wrap gap-2 mb-4">
+            <VChip
+              v-for="code in backupCodes"
+              :key="code"
+              variant="tonal"
+              label
+              class="font-weight-bold text-body-1"
+              style="font-family: monospace;"
+            >
+              {{ code }}
+            </VChip>
+          </div>
+
+          <div class="d-flex gap-2 mb-4">
+            <VBtn
+              variant="tonal"
+              size="small"
+              prepend-icon="tabler-copy"
+              @click="copyBackupCodes"
+            >
+              Kopieer
+            </VBtn>
+            <VBtn
+              variant="tonal"
+              size="small"
+              prepend-icon="tabler-download"
+              @click="downloadBackupCodes"
+            >
+              Download
+            </VBtn>
+          </div>
+
+          <VCheckbox
+            v-model="savedBackupCodes"
+            label="Ik heb mijn backup codes veilig opgeslagen"
+          />
+        </VCardText>
+
+        <VCardActions>
+          <VSpacer />
+          <VBtn
+            color="primary"
+            :disabled="!savedBackupCodes"
+            @click="handleComplete"
+          >
+            Voltooien
+          </VBtn>
+        </VCardActions>
+      </template>
+    </VCard>
+  </VDialog>
+</template>
+
+<style lang="scss">
+.v-otp-input .v-otp-input__content {
+  padding-inline: 0;
+}
+</style>
diff --git a/apps/portal/src/composables/api/useMfa.ts b/apps/portal/src/composables/api/useMfa.ts
new file mode 100644
index 00000000..6cac3623
--- /dev/null
+++ b/apps/portal/src/composables/api/useMfa.ts
@@ -0,0 +1,173 @@
+import { useMutation, useQuery, useQueryClient } from '@tanstack/vue-query'
+import { apiClient } from '@/lib/axios'
+import type {
+  MfaConfirmResponse,
+  MfaStatus,
+  MfaTotpSetup,
+  MfaVerifyPayload,
+  TrustedDevice,
+} from '@/types/mfa'
+
+interface ApiResponse<T> {
+  success: boolean
+  data: T
+  message: string
+}
+
+// ─── Setup ───
+
+export function useSetupTotp() {
+  return useMutation({
+    mutationFn: async () => {
+      const { data } = await apiClient.post<ApiResponse<MfaTotpSetup>>('/auth/mfa/setup/totp')
+
+      return data.data
+    },
+  })
+}
+
+export function useConfirmTotp() {
+  const queryClient = useQueryClient()
+
+  return useMutation({
+    mutationFn: async (code: string) => {
+      const { data } = await apiClient.post<ApiResponse<MfaConfirmResponse>>('/auth/mfa/setup/totp/confirm', { code })
+
+      return data.data
+    },
+    onSuccess: () => {
+      queryClient.invalidateQueries({ queryKey: ['mfa-status'] })
+    },
+  })
+}
+
+export function useSetupEmail() {
+  return useMutation({
+    mutationFn: async () => {
+      const { data } = await apiClient.post<ApiResponse<null>>('/auth/mfa/setup/email')
+
+      return data
+    },
+  })
+}
+
+export function useConfirmEmail() {
+  const queryClient = useQueryClient()
+
+  return useMutation({
+    mutationFn: async (code: string) => {
+      const { data } = await apiClient.post<ApiResponse<MfaConfirmResponse>>('/auth/mfa/setup/email/confirm', { code })
+
+      return data.data
+    },
+    onSuccess: () => {
+      queryClient.invalidateQueries({ queryKey: ['mfa-status'] })
+    },
+  })
+}
+
+// ─── Management ───
+
+export function useDisableMfa() {
+  const queryClient = useQueryClient()
+
+  return useMutation({
+    mutationFn: async (payload: { code: string; method: string }) => {
+      const { data } = await apiClient.post<ApiResponse<null>>('/auth/mfa/disable', payload)
+
+      return data
+    },
+    onSuccess: () => {
+      queryClient.invalidateQueries({ queryKey: ['mfa-status'] })
+    },
+  })
+}
+
+export function useRegenerateBackupCodes() {
+  const queryClient = useQueryClient()
+
+  return useMutation({
+    mutationFn: async (payload: { code: string }) => {
+      const { data } = await apiClient.post<ApiResponse<{ backup_codes: string[] }>>('/auth/mfa/backup-codes', payload)
+
+      return data.data
+    },
+    onSuccess: () => {
+      queryClient.invalidateQueries({ queryKey: ['mfa-status'] })
+    },
+  })
+}
+
+export function useMfaStatus() {
+  return useQuery({
+    queryKey: ['mfa-status'],
+    queryFn: async () => {
+      const { data } = await apiClient.get<ApiResponse<MfaStatus>>('/auth/mfa/status')
+
+      return data.data
+    },
+  })
+}
+
+// ─── Trusted devices ───
+
+export function useTrustedDevices() {
+  return useQuery({
+    queryKey: ['trusted-devices'],
+    queryFn: async () => {
+      const { data } = await apiClient.get<ApiResponse<TrustedDevice[]>>('/auth/trusted-devices')
+
+      return data.data
+    },
+  })
+}
+
+export function useRevokeDevice() {
+  const queryClient = useQueryClient()
+
+  return useMutation({
+    mutationFn: async (id: string) => {
+      await apiClient.delete(`/auth/trusted-devices/${id}`)
+    },
+    onSuccess: () => {
+      queryClient.invalidateQueries({ queryKey: ['trusted-devices'] })
+    },
+  })
+}
+
+export function useRevokeAllDevices() {
+  const queryClient = useQueryClient()
+
+  return useMutation({
+    mutationFn: async () => {
+      await apiClient.delete('/auth/trusted-devices')
+    },
+    onSuccess: () => {
+      queryClient.invalidateQueries({ queryKey: ['trusted-devices'] })
+    },
+  })
+}
+
+// ─── Login flow (no auth needed — uses session token) ───
+
+export function useVerifyMfa() {
+  return useMutation({
+    mutationFn: async (payload: MfaVerifyPayload) => {
+      const { data } = await apiClient.post('/auth/mfa/verify', payload)
+
+      return data
+    },
+  })
+}
+
+export function useSendMfaEmailCode() {
+  return useMutation({
+    mutationFn: async (mfaSessionToken: string) => {
+      const { data } = await apiClient.post('/auth/mfa/email/send', {
+        mfa_session_token: mfaSessionToken,
+      })
+
+      return data
+    },
+  })
+}
diff --git a/apps/portal/src/pages/login.vue b/apps/portal/src/pages/login.vue
index 9f1748b7..53728686 100644
--- a/apps/portal/src/pages/login.vue
+++ b/apps/portal/src/pages/login.vue
@@ -1,6 +1,13 @@
 <script setup lang="ts">
+import authV1BottomShape from '@images/svg/auth-v1-bottom-shape.svg?raw'
+import authV1TopShape from '@images/svg/auth-v1-top-shape.svg?raw'
+import { VNodeRenderer } from '@layouts/components/VNodeRenderer'
+import { themeConfig } from '@themeConfig'
 import { useAuthStore } from '@/stores/useAuthStore'
 import { usePortalStore } from '@/stores/usePortalStore'
+import { apiClient } from '@/lib/axios'
+import { generateDeviceFingerprint } from '@/utils/deviceFingerprint'
+import type { MfaMethod } from '@/types/mfa'
 
 definePage({
   name: 'login',
@@ -26,6 +33,13 @@ const isSubmitting = ref(false)
 
 const passwordResetDone = computed(() => route.query.reset === '1')
 
+// MFA challenge state
+const showMfaChallenge = ref(false)
+const mfaSessionToken = ref('')
+const mfaMethods = ref<MfaMethod[]>([])
+const mfaPreferredMethod = ref<string>('')
+const mfaExpiresIn = ref(0)
+
 function mapLoginErrorMessage(message: string | undefined): string {
   if (!message) return 'Inloggen mislukt. Controleer je gegevens.'
   if (message === 'Invalid credentials' || message.toLowerCase().includes('invalid credentials'))
@@ -37,8 +51,29 @@ function mapLoginErrorMessage(message: string | undefined): string {
 async function onSubmit(): Promise<void> {
   errorMessage.value = ''
   isSubmitting.value = true
+
   try {
-    await authStore.login(form.value.email.trim(), form.value.password)
+    const fingerprint = generateDeviceFingerprint()
+
+    const { data } = await apiClient.post('/auth/login', {
+      email: form.value.email.trim(),
+      password: form.value.password,
+    }, {
+      headers: { 'X-Device-Fingerprint': fingerprint },
+    })
+
+    if (data.mfa_required) {
+      mfaSessionToken.value = data.mfa_session_token
+      mfaMethods.value = (data.methods ?? []) as MfaMethod[]
+      mfaPreferredMethod.value = data.preferred_method ?? 'totp'
+      mfaExpiresIn.value = data.expires_in ?? 600
+      showMfaChallenge.value = true
+
+      return
+    }
+
+    // Normal login
+    authStore.setUser(data.data.user)
     await portalStore.hydrateAfterAuth()
   }
   catch (error: unknown) {
@@ -56,144 +91,175 @@ async function onSubmit(): Promise<void> {
     isSubmitting.value = false
   }
 
-  // Navigate after login — outside try/catch so navigation errors
-  // (e.g. stale dynamic imports) don't mask a successful login.
+  navigateAfterLogin()
+}
+
+function navigateAfterLogin() {
   const rawRedirect = typeof route.query.to === 'string' ? route.query.to : ''
   let redirect = rawRedirect.startsWith('/') ? rawRedirect : ''
 
-  // Smart redirect based on number of events
   if (!redirect) {
     const events = portalStore.userEvents
-    if (events.length === 1) {
+
+    if (events.length === 1)
       redirect = `/evenementen/${events[0]!.event_id}`
-    }
-    else {
+    else
       redirect = '/evenementen'
-    }
   }
 
   router.replace(redirect).catch(() => {
-    // Dynamic import can fail after Vite HMR; a full reload recovers.
     window.location.href = redirect
   })
 }
+
+async function onMfaVerified() {
+  await authStore.fetchUser()
+  await portalStore.hydrateAfterAuth()
+  navigateAfterLogin()
+}
+
+function onMfaCancelled() {
+  showMfaChallenge.value = false
+  mfaSessionToken.value = ''
+}
 </script>
 
 <template>
-  <div class="login-page d-flex align-center justify-center" style="min-height: 100vh; background: #f5f5f5;">
-    <VCard
-      :max-width="440"
-      class="pa-6 pa-sm-8"
-      style="width: 100%;"
-    >
-      <!-- Crewli branding -->
-      <div class="text-center mb-6">
-        <RouterLink
-          to="/"
-          class="d-inline-flex align-center gap-x-2 text-decoration-none"
-        >
-          <VIcon
-            icon="tabler-users-group"
-            size="32"
-            color="primary"
-          />
-          <span class="text-h4 font-weight-bold text-high-emphasis">
-            Crewli
-          </span>
-        </RouterLink>
-      </div>
+  <div class="auth-wrapper d-flex align-center justify-center pa-4">
+    <div class="position-relative my-sm-16">
+      <VNodeRenderer
+        :nodes="h('div', { innerHTML: authV1TopShape })"
+        class="text-primary auth-v1-top-shape d-none d-sm-block"
+      />
 
-      <VCardText class="pa-0">
-        <h4 class="text-h5 mb-1">
-          Welkom terug!
-        </h4>
-        <p class="text-body-2 text-medium-emphasis mb-6">
-          Log in om je rooster en diensten te bekijken
-        </p>
+      <VNodeRenderer
+        :nodes="h('div', { innerHTML: authV1BottomShape })"
+        class="text-primary auth-v1-bottom-shape d-none d-sm-block"
+      />
 
-        <VAlert
-          v-if="passwordResetDone"
-          type="success"
-          variant="tonal"
-          class="mb-4"
-          density="comfortable"
-        >
-          Wachtwoord gewijzigd. Je kunt nu inloggen.
-        </VAlert>
+      <!-- MFA Challenge -->
+      <MfaChallengeCard
+        v-if="showMfaChallenge"
+        :mfa-session-token="mfaSessionToken"
+        :methods="mfaMethods"
+        :preferred-method="mfaPreferredMethod"
+        :expires-in="mfaExpiresIn"
+        @verified="onMfaVerified"
+        @cancelled="onMfaCancelled"
+      />
 
-        <VAlert
-          v-if="errorMessage"
-          type="error"
-          variant="tonal"
-          class="mb-4"
-          density="comfortable"
-        >
-          {{ errorMessage }}
-        </VAlert>
-
-        <VForm @submit.prevent="onSubmit">
-          <VRow>
-            <VCol cols="12">
-              <VTextField
-                v-model="form.email"
-                autofocus
-                label="E-mailadres"
-                type="email"
-                placeholder="je@email.nl"
-                autocomplete="email"
-                variant="outlined"
-                density="comfortable"
-                hide-details="auto"
-                required
-              />
-            </VCol>
-
-            <VCol cols="12">
-              <VTextField
-                v-model="form.password"
-                label="Wachtwoord"
-                placeholder="Je wachtwoord"
-                autocomplete="current-password"
-                variant="outlined"
-                density="comfortable"
-                hide-details="auto"
-                :type="isPasswordVisible ? 'text' : 'password'"
-                :append-inner-icon="isPasswordVisible ? 'tabler-eye-off' : 'tabler-eye'"
-                required
-                @click:append-inner="isPasswordVisible = !isPasswordVisible"
-              />
-
-              <div class="d-flex align-center flex-wrap justify-end my-4">
-                <RouterLink
-                  to="/wachtwoord-vergeten"
-                  class="text-primary text-body-2"
-                >
-                  Wachtwoord vergeten?
-                </RouterLink>
+      <!-- Login Card -->
+      <VCard
+        v-else
+        class="auth-card"
+        max-width="460"
+        :class="$vuetify.display.smAndUp ? 'pa-6' : 'pa-0'"
+      >
+        <VCardItem class="justify-center">
+          <VCardTitle>
+            <RouterLink to="/">
+              <div class="app-logo">
+                <VNodeRenderer :nodes="themeConfig.app.logo" />
+                <h1 class="app-logo-title">
+                  {{ themeConfig.app.title }}
+                </h1>
               </div>
+            </RouterLink>
+          </VCardTitle>
+        </VCardItem>
 
-              <VBtn
-                block
-                type="submit"
-                color="primary"
-                :loading="isSubmitting"
-              >
-                Inloggen
-              </VBtn>
-            </VCol>
-          </VRow>
-        </VForm>
+        <VCardText>
+          <h4 class="text-h4 mb-1">
+            Welkom terug!
+          </h4>
+          <p class="mb-0">
+            Log in om je rooster en diensten te bekijken
+          </p>
+        </VCardText>
 
-        <p class="text-body-2 text-center text-medium-emphasis mt-6 mb-0">
-          Nog geen account?
-          <RouterLink
-            to="/registreren"
-            class="text-primary font-weight-medium"
+        <VCardText>
+          <VAlert
+            v-if="passwordResetDone"
+            type="success"
+            variant="tonal"
+            class="mb-4"
+            density="comfortable"
           >
-            Meld je aan als vrijwilliger
-          </RouterLink>
-        </p>
-      </VCardText>
-    </VCard>
+            Wachtwoord gewijzigd. Je kunt nu inloggen.
+          </VAlert>
+
+          <VAlert
+            v-if="errorMessage"
+            type="error"
+            variant="tonal"
+            class="mb-4"
+            density="comfortable"
+          >
+            {{ errorMessage }}
+          </VAlert>
+
+          <VForm @submit.prevent="onSubmit">
+            <VRow>
+              <VCol cols="12">
+                <AppTextField
+                  v-model="form.email"
+                  autofocus
+                  label="E-mailadres"
+                  type="email"
+                  placeholder="je@email.nl"
+                  autocomplete="email"
+                />
+              </VCol>
+
+              <VCol cols="12">
+                <AppTextField
+                  v-model="form.password"
+                  label="Wachtwoord"
+                  placeholder="············"
+                  :type="isPasswordVisible ? 'text' : 'password'"
+                  autocomplete="current-password"
+                  :append-inner-icon="isPasswordVisible ? 'tabler-eye-off' : 'tabler-eye'"
+                  @click:append-inner="isPasswordVisible = !isPasswordVisible"
+                />
+
+                <div class="d-flex align-center flex-wrap justify-end my-6">
+                  <RouterLink
+                    class="text-primary"
+                    to="/wachtwoord-vergeten"
+                  >
+                    Wachtwoord vergeten?
+                  </RouterLink>
+                </div>
+
+                <VBtn
+                  block
+                  type="submit"
+                  :loading="isSubmitting"
+                >
+                  Inloggen
+                </VBtn>
+              </VCol>
+
+              <VCol
+                cols="12"
+                class="text-body-1 text-center"
+              >
+                <span class="d-inline-block">Nog geen account? </span>
+                <RouterLink
+                  class="text-primary ms-1 d-inline-block text-body-1"
+                  to="/registreren"
+                >
+                  Meld je aan als vrijwilliger
+                </RouterLink>
+              </VCol>
+            </VRow>
+          </VForm>
+        </VCardText>
+      </VCard>
+    </div>
   </div>
 </template>
+
+<style lang="scss">
+@use "@core/scss/template/pages/page-auth";
+</style>
diff --git a/apps/portal/src/pages/profiel.vue b/apps/portal/src/pages/profiel.vue
index ed0df2bc..223755fa 100644
--- a/apps/portal/src/pages/profiel.vue
+++ b/apps/portal/src/pages/profiel.vue
@@ -2,7 +2,11 @@
 import { useAuthStore } from '@/stores/useAuthStore'
 import { usePortalStore } from '@/stores/usePortalStore'
 import { useUpdateProfile, useUpdatePassword } from '@/composables/api/usePortalProfile'
+import { useMfaStatus, useTrustedDevices, useRevokeDevice, useRevokeAllDevices } from '@/composables/api/useMfa'
 import { apiClient } from '@/lib/axios'
+import MfaTotpSetupDialog from '@/components/settings/MfaTotpSetupDialog.vue'
+import MfaEmailSetupDialog from '@/components/settings/MfaEmailSetupDialog.vue'
+import MfaDisableDialog from '@/components/settings/MfaDisableDialog.vue'
 
 definePage({
   name: 'portal-profiel',
@@ -89,6 +93,36 @@ const showCurrentPassword = ref(false)
 const showNewPassword = ref(false)
 const showConfirmPassword = ref(false)
 
+// MFA
+const { data: mfaStatus, refetch: refetchMfaStatus } = useMfaStatus()
+const { data: trustedDevices, refetch: refetchDevices } = useTrustedDevices()
+const revokeDeviceMutation = useRevokeDevice()
+const revokeAllMutation = useRevokeAllDevices()
+
+const showTotpSetup = ref(false)
+const showEmailSetup = ref(false)
+const showDisableDialog = ref(false)
+const isMfaEnabled = computed(() => mfaStatus.value?.enabled ?? false)
+const mfaMethodLabel = computed(() => {
+  if (mfaStatus.value?.method === 'totp') return 'Authenticator app'
+  if (mfaStatus.value?.method === 'email') return 'E-mailcode'
+
+  return null
+})
+
+function onMfaSetupCompleted() { refetchMfaStatus() }
+function onMfaDisabled() { refetchMfaStatus(); refetchDevices() }
+
+async function handleRevokeDevice(id: string) {
+  await revokeDeviceMutation.mutateAsync(id)
+  refetchDevices()
+}
+
+async function handleRevokeAllDevices() {
+  await revokeAllMutation.mutateAsync()
+  refetchDevices()
+}
+
 // Populate profile form from auth user / current person data
 watch(
   [() => authStore.user, () => portal.currentPerson],
@@ -477,6 +511,123 @@ async function savePassword() {
         </VCardText>
       </VCard>
 
+      <!-- Security / MFA -->
+      <VCard class="mb-4">
+        <VCardTitle class="d-flex align-center">
+          <VIcon
+            icon="tabler-shield-lock"
+            class="me-2"
+          />
+          Beveiliging
+        </VCardTitle>
+        <VCardText>
+          <template v-if="!isMfaEnabled">
+            <p class="text-body-2 text-medium-emphasis mb-4">
+              Bescherm je account met tweestapsverificatie.
+            </p>
+            <div class="d-flex gap-2 flex-wrap">
+              <VBtn
+                variant="tonal"
+                prepend-icon="tabler-device-mobile"
+                @click="showTotpSetup = true"
+              >
+                Authenticator app
+              </VBtn>
+              <VBtn
+                variant="tonal"
+                prepend-icon="tabler-mail"
+                @click="showEmailSetup = true"
+              >
+                E-mailcode
+              </VBtn>
+            </div>
+          </template>
+
+          <template v-else>
+            <div class="d-flex align-center justify-space-between mb-3">
+              <div>
+                <VChip
+                  color="success"
+                  variant="tonal"
+                  size="small"
+                  class="me-2"
+                >
+                  Ingeschakeld
+                </VChip>
+                <span class="text-body-2">via {{ mfaMethodLabel }}</span>
+              </div>
+              <VBtn
+                color="error"
+                variant="tonal"
+                size="small"
+                @click="showDisableDialog = true"
+              >
+                Uitschakelen
+              </VBtn>
+            </div>
+
+            <!-- Trusted devices -->
+            <template v-if="trustedDevices && trustedDevices.length > 0">
+              <p class="text-subtitle-2 mt-4 mb-2">
+                Vertrouwde apparaten
+              </p>
+              <VList density="compact">
+                <VListItem
+                  v-for="device in trustedDevices"
+                  :key="device.id"
+                  class="px-0"
+                >
+                  <VListItemTitle class="text-body-2">
+                    {{ device.device_name ?? 'Onbekend apparaat' }}
+                  </VListItemTitle>
+                  <VListItemSubtitle class="text-caption">
+                    IP: {{ device.ip_address }}
+                  </VListItemSubtitle>
+
+                  <template #append>
+                    <VBtn
+                      variant="text"
+                      size="small"
+                      color="error"
+                      icon="tabler-trash"
+                      @click="handleRevokeDevice(device.id)"
+                    />
+                  </template>
+                </VListItem>
+              </VList>
+              <VBtn
+                v-if="trustedDevices.length > 1"
+                variant="tonal"
+                size="small"
+                color="error"
+                class="mt-2"
+                @click="handleRevokeAllDevices"
+              >
+                Alle apparaten intrekken
+              </VBtn>
+            </template>
+          </template>
+        </VCardText>
+      </VCard>
+
+      <!-- MFA setup dialogs -->
+      <MfaTotpSetupDialog
+        v-model="showTotpSetup"
+        @completed="onMfaSetupCompleted"
+      />
+
+      <MfaEmailSetupDialog
+        v-model="showEmailSetup"
+        :user-email="authStore.user?.email ?? ''"
+        @completed="onMfaSetupCompleted"
+      />
+
+      <MfaDisableDialog
+        v-model="showDisableDialog"
+        :current-method="mfaStatus?.method ?? null"
+        @disabled="onMfaDisabled"
+      />
+
       <!-- My events -->
       <VCard v-if="portal.userEvents.length > 0">
         <VCardTitle>Mijn evenementen</VCardTitle>
diff --git a/apps/portal/src/pages/verify-email-change.vue b/apps/portal/src/pages/verify-email-change.vue
index 0c66e767..80cbbd8a 100644
--- a/apps/portal/src/pages/verify-email-change.vue
+++ b/apps/portal/src/pages/verify-email-change.vue
@@ -1,4 +1,8 @@
 <script setup lang="ts">
+import authV1BottomShape from '@images/svg/auth-v1-bottom-shape.svg?raw'
+import authV1TopShape from '@images/svg/auth-v1-top-shape.svg?raw'
+import { VNodeRenderer } from '@layouts/components/VNodeRenderer'
+import { themeConfig } from '@themeConfig'
 import { apiClient } from '@/lib/axios'
 import { useAuthStore } from '@/stores/useAuthStore'
 
@@ -19,9 +23,11 @@ const errorMessage = ref('')
 
 onMounted(async () => {
   const token = route.query.token as string
+
   if (!token) {
     errorMessage.value = 'Geen verificatietoken gevonden.'
     isVerifying.value = false
+
     return
   }
   try {
@@ -31,6 +37,7 @@ onMounted(async () => {
   }
   catch (error: unknown) {
     const ax = error as { response?: { data?: { errors?: Record<string, string[]>; message?: string } } }
+
     errorMessage.value = ax.response?.data?.errors?.token?.[0]
       ?? ax.response?.data?.errors?.new_email?.[0]
       ?? ax.response?.data?.message
@@ -43,72 +50,90 @@ onMounted(async () => {
 </script>
 
 <template>
-  <div class="d-flex align-center justify-center pa-4" style="min-height: 100vh; background: #f5f5f5;">
-    <VCard
-      :max-width="450"
-      width="100%"
-      class="pa-6"
-    >
-      <div class="text-center mb-4">
-        <VIcon
-          icon="tabler-users-group"
-          size="32"
-          color="primary"
-        />
-        <span class="text-h5 font-weight-bold text-high-emphasis ms-2">
-          Crewli
-        </span>
-      </div>
+  <div class="auth-wrapper d-flex align-center justify-center pa-4">
+    <div class="position-relative my-sm-16">
+      <VNodeRenderer
+        :nodes="h('div', { innerHTML: authV1TopShape })"
+        class="text-primary auth-v1-top-shape d-none d-sm-block"
+      />
 
-      <VCardText class="text-center">
-        <template v-if="isVerifying">
-          <VProgressCircular
-            indeterminate
-            color="primary"
-            class="mb-4"
-          />
-          <p>E-mailadres wordt geverifieerd...</p>
-        </template>
+      <VNodeRenderer
+        :nodes="h('div', { innerHTML: authV1BottomShape })"
+        class="text-primary auth-v1-bottom-shape d-none d-sm-block"
+      />
 
-        <template v-else-if="success">
-          <VIcon
-            size="64"
-            color="success"
-            class="mb-4"
-          >
-            tabler-circle-check
-          </VIcon>
-          <h4 class="text-h5 mb-2">
-            E-mailadres gewijzigd!
-          </h4>
-          <p class="text-body-2 text-medium-emphasis mb-4">
-            Je e-mailadres is succesvol gewijzigd.
-            Log opnieuw in met je nieuwe e-mailadres.
-          </p>
-          <VBtn
-            color="primary"
-            to="/login"
-          >
-            Ga naar inloggen
-          </VBtn>
-        </template>
+      <VCard
+        class="auth-card"
+        max-width="460"
+        :class="$vuetify.display.smAndUp ? 'pa-6' : 'pa-2'"
+      >
+        <VCardItem class="justify-center">
+          <VCardTitle>
+            <RouterLink to="/">
+              <div class="app-logo">
+                <VNodeRenderer :nodes="themeConfig.app.logo" />
+                <h1 class="app-logo-title">
+                  {{ themeConfig.app.title }}
+                </h1>
+              </div>
+            </RouterLink>
+          </VCardTitle>
+        </VCardItem>
 
-        <template v-else>
-          <VIcon
-            size="64"
-            color="error"
-            class="mb-4"
-          >
-            tabler-circle-x
-          </VIcon>
-          <h4 class="text-h5 mb-2">
-            Verificatie mislukt
-          </h4>
-          <p class="text-body-2 text-medium-emphasis">
-            {{ errorMessage }}
-          </p>
-        </template>
-      </VCardText>
-    </VCard>
+        <VCardText class="text-center">
+          <template v-if="isVerifying">
+            <VProgressCircular
+              indeterminate
+              color="primary"
+              class="mb-4"
+            />
+            <p>E-mailadres wordt geverifieerd...</p>
+          </template>
+
+          <template v-else-if="success">
+            <VIcon
+              size="64"
+              color="success"
+              class="mb-4"
+            >
+              tabler-circle-check
+            </VIcon>
+            <h4 class="text-h4 mb-2">
+              E-mailadres gewijzigd!
+            </h4>
+            <p class="text-body-1 mb-5">
+              Je e-mailadres is succesvol gewijzigd.
+              Log opnieuw in met je nieuwe e-mailadres.
+            </p>
+            <VBtn
+              block
+              to="/login"
+            >
+              Ga naar inloggen
+            </VBtn>
+          </template>
+
+          <template v-else>
+            <VIcon
+              size="64"
+              color="error"
+              class="mb-4"
+            >
+              tabler-circle-x
+            </VIcon>
+            <h4 class="text-h4 mb-2">
+              Verificatie mislukt
+            </h4>
+            <p class="text-body-1 text-medium-emphasis">
+              {{ errorMessage }}
+            </p>
+          </template>
+        </VCardText>
+      </VCard>
+    </div>
   </div>
 </template>
+
+<style lang="scss">
+@use "@core/scss/template/pages/page-auth";
+</style>
diff --git a/apps/portal/src/pages/wachtwoord-resetten.vue b/apps/portal/src/pages/wachtwoord-resetten.vue
index 6f2f51e9..fc06362c 100644
--- a/apps/portal/src/pages/wachtwoord-resetten.vue
+++ b/apps/portal/src/pages/wachtwoord-resetten.vue
@@ -1,4 +1,8 @@
 <script setup lang="ts">
+import authV1BottomShape from '@images/svg/auth-v1-bottom-shape.svg?raw'
+import authV1TopShape from '@images/svg/auth-v1-top-shape.svg?raw'
+import { VNodeRenderer } from '@layouts/components/VNodeRenderer'
+import { themeConfig } from '@themeConfig'
 import { apiClient } from '@/lib/axios'
 
 definePage({
@@ -41,6 +45,7 @@ async function onSubmit(): Promise<void> {
   }
   catch (error: unknown) {
     const ax = error as { response?: { status?: number; data?: { message?: string } } }
+
     if (ax.response?.status === 404 || ax.response?.status === 422)
       errorMessage.value = ax.response?.data?.message ?? 'Resetlink ongeldig of verlopen. Vraag een nieuwe link aan.'
     else
@@ -53,87 +58,113 @@ async function onSubmit(): Promise<void> {
 </script>
 
 <template>
-  <div class="auth-wrapper d-flex align-center justify-center pa-4 bg-surface">
-    <VCard
-      flat
-      :max-width="480"
-      width="100%"
-      class="pa-6"
-    >
-      <VCardTitle class="text-h5 px-0 pt-0">
-        Nieuw wachtwoord
-      </VCardTitle>
-      <VCardSubtitle class="px-0">
-        Kies een nieuw wachtwoord voor je account.
-      </VCardSubtitle>
+  <div class="auth-wrapper d-flex align-center justify-center pa-4">
+    <div class="position-relative my-sm-16">
+      <VNodeRenderer
+        :nodes="h('div', { innerHTML: authV1TopShape })"
+        class="text-primary auth-v1-top-shape d-none d-sm-block"
+      />
 
-      <VCardText class="px-0">
-        <VAlert
-          v-if="errorMessage"
-          type="error"
-          variant="tonal"
-          class="mb-4"
-        >
-          {{ errorMessage }}
-        </VAlert>
+      <VNodeRenderer
+        :nodes="h('div', { innerHTML: authV1BottomShape })"
+        class="text-primary auth-v1-bottom-shape d-none d-sm-block"
+      />
 
-        <VForm @submit.prevent="onSubmit">
-          <VTextField
-            v-model="email"
-            label="E-mailadres"
-            type="email"
-            variant="outlined"
-            density="comfortable"
-            class="mb-3"
-            autocomplete="email"
-            hide-details="auto"
-            required
-          />
-          <VTextField
-            v-model="password"
-            label="Nieuw wachtwoord"
-            variant="outlined"
-            density="comfortable"
-            class="mb-3"
-            :type="showPassword ? 'text' : 'password'"
-            :append-inner-icon="showPassword ? 'tabler-eye-off' : 'tabler-eye'"
-            hide-details="auto"
-            autocomplete="new-password"
-            required
-            @click:append-inner="showPassword = !showPassword"
-          />
-          <VTextField
-            v-model="passwordConfirmation"
-            label="Bevestig wachtwoord"
-            variant="outlined"
-            density="comfortable"
+      <VCard
+        class="auth-card"
+        max-width="460"
+        :class="$vuetify.display.smAndUp ? 'pa-6' : 'pa-2'"
+      >
+        <VCardItem class="justify-center">
+          <VCardTitle>
+            <RouterLink to="/">
+              <div class="app-logo">
+                <VNodeRenderer :nodes="themeConfig.app.logo" />
+                <h1 class="app-logo-title">
+                  {{ themeConfig.app.title }}
+                </h1>
+              </div>
+            </RouterLink>
+          </VCardTitle>
+        </VCardItem>
+
+        <VCardText>
+          <h4 class="text-h4 mb-1">
+            Nieuw wachtwoord instellen
+          </h4>
+          <p class="mb-0">
+            Kies een nieuw wachtwoord voor je account.
+          </p>
+        </VCardText>
+
+        <VCardText>
+          <VAlert
+            v-if="errorMessage"
+            type="error"
+            variant="tonal"
             class="mb-4"
-            :type="showPasswordConfirmation ? 'text' : 'password'"
-            :append-inner-icon="showPasswordConfirmation ? 'tabler-eye-off' : 'tabler-eye'"
-            hide-details="auto"
-            autocomplete="new-password"
-            required
-            @click:append-inner="showPasswordConfirmation = !showPasswordConfirmation"
-          />
-          <VBtn
-            type="submit"
-            color="primary"
-            block
-            :loading="isSubmitting"
           >
-            Wachtwoord opslaan
-          </VBtn>
-        </VForm>
+            {{ errorMessage }}
+          </VAlert>
 
-        <div class="text-center mt-4">
-          <RouterLink
-            to="/login"
-            class="text-body-2 text-primary"
-          >
-            Terug naar inloggen
-          </RouterLink>
-        </div>
-      </VCardText>
-    </VCard>
+          <VForm @submit.prevent="onSubmit">
+            <VRow>
+              <VCol cols="12">
+                <AppTextField
+                  v-model="password"
+                  autofocus
+                  label="Nieuw wachtwoord"
+                  placeholder="············"
+                  :type="showPassword ? 'text' : 'password'"
+                  autocomplete="new-password"
+                  :append-inner-icon="showPassword ? 'tabler-eye-off' : 'tabler-eye'"
+                  @click:append-inner="showPassword = !showPassword"
+                />
+              </VCol>
+
+              <VCol cols="12">
+                <AppTextField
+                  v-model="passwordConfirmation"
+                  label="Bevestig wachtwoord"
+                  placeholder="············"
+                  :type="showPasswordConfirmation ? 'text' : 'password'"
+                  autocomplete="new-password"
+                  :append-inner-icon="showPasswordConfirmation ? 'tabler-eye-off' : 'tabler-eye'"
+                  @click:append-inner="showPasswordConfirmation = !showPasswordConfirmation"
+                />
+              </VCol>
+
+              <VCol cols="12">
+                <VBtn
+                  block
+                  type="submit"
+                  :loading="isSubmitting"
+                >
+                  Wachtwoord opslaan
+                </VBtn>
+              </VCol>
+
+              <VCol cols="12">
+                <RouterLink
+                  class="d-flex align-center justify-center"
+                  to="/login"
+                >
+                  <VIcon
+                    icon="tabler-chevron-left"
+                    size="20"
+                    class="me-1 flip-in-rtl"
+                  />
+                  <span>Terug naar inloggen</span>
+                </RouterLink>
+              </VCol>
+            </VRow>
+          </VForm>
+        </VCardText>
+      </VCard>
+    </div>
   </div>
 </template>
+
+<style lang="scss">
+@use "@core/scss/template/pages/page-auth";
+</style>
diff --git a/apps/portal/src/pages/wachtwoord-vergeten.vue b/apps/portal/src/pages/wachtwoord-vergeten.vue
index 51eeb2ed..3fd64f1c 100644
--- a/apps/portal/src/pages/wachtwoord-vergeten.vue
+++ b/apps/portal/src/pages/wachtwoord-vergeten.vue
@@ -1,4 +1,8 @@
 <script setup lang="ts">
+import authV1BottomShape from '@images/svg/auth-v1-bottom-shape.svg?raw'
+import authV1TopShape from '@images/svg/auth-v1-top-shape.svg?raw'
+import { VNodeRenderer } from '@layouts/components/VNodeRenderer'
+import { themeConfig } from '@themeConfig'
 import { apiClient } from '@/lib/axios'
 
 definePage({
@@ -19,7 +23,7 @@ async function onSubmit(): Promise<void> {
     await apiClient.post('/auth/forgot-password', { email: email.value.trim(), app: 'portal' })
   }
   catch {
-    // Endpoint may not exist yet — still show generic success (no email enumeration)
+    // Always show generic success (no email enumeration)
   }
   finally {
     isSubmitting.value = false
@@ -29,64 +33,101 @@ async function onSubmit(): Promise<void> {
 </script>
 
 <template>
-  <div class="auth-wrapper d-flex align-center justify-center pa-4 bg-surface">
-    <VCard
-      flat
-      :max-width="480"
-      width="100%"
-      class="pa-6"
-    >
-      <VCardTitle class="text-h5 px-0 pt-0">
-        Wachtwoord vergeten
-      </VCardTitle>
-      <VCardSubtitle class="px-0 text-wrap">
-        Vul je e-mailadres in. Als dit adres bij ons bekend is, ontvang je een link om je wachtwoord te resetten.
-      </VCardSubtitle>
+  <div class="auth-wrapper d-flex align-center justify-center pa-4">
+    <div class="position-relative my-sm-16">
+      <VNodeRenderer
+        :nodes="h('div', { innerHTML: authV1TopShape })"
+        class="text-primary auth-v1-top-shape d-none d-sm-block"
+      />
 
-      <VCardText class="px-0">
-        <VAlert
-          v-if="done"
-          type="success"
-          variant="tonal"
-          class="mb-4"
-        >
-          Als dit e-mailadres bij ons bekend is, ontvang je een link om je wachtwoord te resetten.
-        </VAlert>
+      <VNodeRenderer
+        :nodes="h('div', { innerHTML: authV1BottomShape })"
+        class="text-primary auth-v1-bottom-shape d-none d-sm-block"
+      />
 
-        <VForm
-          v-else
-          @submit.prevent="onSubmit"
-        >
-          <VTextField
-            v-model="email"
-            label="E-mailadres"
-            type="email"
-            variant="outlined"
-            density="comfortable"
+      <VCard
+        class="auth-card"
+        max-width="460"
+        :class="$vuetify.display.smAndUp ? 'pa-6' : 'pa-0'"
+      >
+        <VCardItem class="justify-center">
+          <VCardTitle>
+            <RouterLink to="/">
+              <div class="app-logo">
+                <VNodeRenderer :nodes="themeConfig.app.logo" />
+                <h1 class="app-logo-title">
+                  {{ themeConfig.app.title }}
+                </h1>
+              </div>
+            </RouterLink>
+          </VCardTitle>
+        </VCardItem>
+
+        <VCardText>
+          <h4 class="text-h4 mb-1">
+            Wachtwoord vergeten?
+          </h4>
+          <p class="mb-0">
+            Vul je e-mailadres in en we sturen je een link om je wachtwoord te herstellen.
+          </p>
+        </VCardText>
+
+        <VCardText>
+          <VAlert
+            v-if="done"
+            type="success"
+            variant="tonal"
             class="mb-4"
-            autocomplete="email"
-            hide-details="auto"
-            required
-          />
-          <VBtn
-            type="submit"
-            color="primary"
-            block
-            :loading="isSubmitting"
           >
-            Versturen
-          </VBtn>
-        </VForm>
+            Als dit e-mailadres bij ons bekend is, ontvang je een link om je wachtwoord te resetten.
+          </VAlert>
 
-        <div class="text-center mt-4">
-          <RouterLink
-            to="/login"
-            class="text-body-2 text-primary"
+          <VForm
+            v-if="!done"
+            @submit.prevent="onSubmit"
           >
-            Terug naar inloggen
-          </RouterLink>
-        </div>
-      </VCardText>
-    </VCard>
+            <VRow>
+              <VCol cols="12">
+                <AppTextField
+                  v-model="email"
+                  autofocus
+                  label="E-mailadres"
+                  type="email"
+                  placeholder="je@email.nl"
+                />
+              </VCol>
+
+              <VCol cols="12">
+                <VBtn
+                  block
+                  type="submit"
+                  :loading="isSubmitting"
+                >
+                  Verstuur herstelmail
+                </VBtn>
+              </VCol>
+
+              <VCol cols="12">
+                <RouterLink
+                  class="d-flex align-center justify-center"
+                  to="/login"
+                >
+                  <VIcon
+                    icon="tabler-chevron-left"
+                    size="20"
+                    class="me-1 flip-in-rtl"
+                  />
+                  <span>Terug naar inloggen</span>
+                </RouterLink>
+              </VCol>
+            </VRow>
+          </VForm>
+        </VCardText>
+      </VCard>
+    </div>
   </div>
 </template>
+
+<style lang="scss">
+@use "@core/scss/template/pages/page-auth";
+</style>
diff --git a/apps/portal/src/types/mfa.ts b/apps/portal/src/types/mfa.ts
new file mode 100644
index 00000000..905cdd8f
--- /dev/null
+++ b/apps/portal/src/types/mfa.ts
@@ -0,0 +1,61 @@
+export const MfaMethod = {
+  TOTP: 'totp',
+  EMAIL: 'email',
+  BACKUP_CODE: 'backup_code',
+} as const
+
+export type MfaMethod = typeof MfaMethod[keyof typeof MfaMethod]
+
+export interface MfaStatus {
+  enabled: boolean
+  method: 'totp' | 'email' | null
+  confirmed_at: string | null
+  backup_codes_remaining: number
+  is_required: boolean
+}
+
+export interface MfaUserStatus {
+  enabled: boolean
+  method: 'totp' | 'email' | null
+  confirmed_at: string | null
+  setup_required: boolean
+}
+
+export interface MfaTotpSetup {
+  secret: string
+  qr_code_url: string
+  provisioning_uri: string
+}
+
+export interface MfaSessionResponse {
+  success: true
+  mfa_required: true
+  mfa_session_token: string
+  methods: MfaMethod[]
+  preferred_method: 'totp' | 'email'
+  expires_in: number
+}
+
+export interface MfaConfirmResponse {
+  mfa_enabled: boolean
+  method: 'totp' | 'email'
+  backup_codes: string[]
+}
+
+export interface TrustedDevice {
+  id: string
+  device_name: string | null
+  ip_address: string
+  trusted_until: string
+  last_used_at: string | null
+  created_at: string
+}
+
+export interface MfaVerifyPayload {
+  mfa_session_token: string
+  code: string
+  method: MfaMethod
+  trust_device?: boolean
+  device_fingerprint?: string
+  device_name?: string
+}
diff --git a/apps/portal/src/types/portal.ts b/apps/portal/src/types/portal.ts
index b230da84..acfadd84 100644
--- a/apps/portal/src/types/portal.ts
+++ b/apps/portal/src/types/portal.ts
@@ -37,6 +37,12 @@ export interface AuthMeUser {
   roles?: string[]
   permissions?: string[]
   portal_events?: PortalEvent[]
+  mfa?: {
+    enabled: boolean
+    method: 'totp' | 'email' | null
+    confirmed_at: string | null
+    setup_required: boolean
+  }
 }
 
 /** GET /portal/me?event_id= — person payload (subset used by dashboard) */
diff --git a/apps/portal/src/utils/deviceFingerprint.ts b/apps/portal/src/utils/deviceFingerprint.ts
new file mode 100644
index 00000000..89f86154
--- /dev/null
+++ b/apps/portal/src/utils/deviceFingerprint.ts
@@ -0,0 +1,49 @@
+export function generateDeviceFingerprint(): string {
+  const components = [
+    navigator.userAgent,
+    `${screen.width}x${screen.height}`,
+    Intl.DateTimeFormat().resolvedOptions().timeZone,
+    navigator.language,
+    navigator.hardwareConcurrency?.toString() ?? '',
+  ]
+
+  const str = components.join('|')
+  let hash = 0
+
+  for (let i = 0; i < str.length; i++) {
+    const char = str.charCodeAt(i)
+
+    hash = ((hash << 5) - hash) + char
+    hash = hash & hash
+  }
+
+  return Math.abs(hash).toString(36)
+}
+
+export function getDeviceName(): string {
+  const ua = navigator.userAgent
+  let browser = 'Onbekend'
+  let os = 'Onbekend'
+
+  if (ua.includes('Chrome') && !ua.includes('Edg'))
+    browser = 'Chrome'
+  else if (ua.includes('Firefox'))
+    browser = 'Firefox'
+  else if (ua.includes('Safari') && !ua.includes('Chrome'))
+    browser = 'Safari'
+  else if (ua.includes('Edg'))
+    browser = 'Edge'
+
+  if (ua.includes('Mac OS'))
+    os = 'macOS'
+  else if (ua.includes('Windows'))
+    os = 'Windows'
+  else if (ua.includes('Linux'))
+    os = 'Linux'
+  else if (ua.includes('Android'))
+    os = 'Android'
+  else if (ua.includes('iPhone') || ua.includes('iPad'))
+    os = 'iOS'
+
+  return `${browser} op ${os}`
+}