Merge pull request #3798 from wallabag/update-two-factor-bundle

Enable OTP 2FA
author: Kevin Decherf <kevin@kdecherf.com> 2019-01-30 01:02:27 +0100
committer: GitHub <noreply@github.com> 2019-01-30 01:02:27 +0100
commit: 2e5b3fa361098498a9e42a65396a27e1eb487fba (patch)
tree: f20677c3d68c1ea756f0835ff179a0d7d3431a67 /src
parent: c6024246b744e411175318065f7c396bbb5a213e (diff)
parent: 4654a83b6438b88e3b7062a21d18999d9df2fb8e (diff)
download: wallabag-2e5b3fa361098498a9e42a65396a27e1eb487fba.tar.gz
wallabag-2e5b3fa361098498a9e42a65396a27e1eb487fba.tar.zst
wallabag-2e5b3fa361098498a9e42a65396a27e1eb487fba.zip
27 files changed, 849 insertions, 206 deletions
diff --git a/src/Wallabag/CoreBundle/Command/ShowUserCommand.php b/src/Wallabag/CoreBundle/Command/ShowUserCommand.php
index a0184267..c95efbf3 100644
--- a/src/Wallabag/CoreBundle/Command/ShowUserCommand.php
+++ b/src/Wallabag/CoreBundle/Command/ShowUserCommand.php
@@ -57,7 +57,8 @@ class ShowUserCommand extends ContainerAwareCommand
            sprintf('Display name: %s', $user->getName()),
            sprintf('Creation date: %s', $user->getCreatedAt()->format('Y-m-d H:i:s')),
            sprintf('Last login: %s', null !== $user->getLastLogin() ? $user->getLastLogin()->format('Y-m-d H:i:s') : 'never'),
-            sprintf('2FA activated: %s', $user->isTwoFactorAuthentication() ? 'yes' : 'no'),
+            sprintf('2FA (email) activated: %s', $user->isEmailTwoFactor() ? 'yes' : 'no'),
+            sprintf('2FA (OTP) activated: %s', $user->isGoogleAuthenticatorEnabled() ? 'yes' : 'no'),
        ]);
    }
diff --git a/src/Wallabag/CoreBundle/Controller/ConfigController.php b/src/Wallabag/CoreBundle/Controller/ConfigController.php
index be6feb7c..9257ab18 100644
--- a/src/Wallabag/CoreBundle/Controller/ConfigController.php
+++ b/src/Wallabag/CoreBundle/Controller/ConfigController.php
@@ -2,6 +2,7 @@
 namespace Wallabag\CoreBundle\Controller;
+use PragmaRX\Recovery\Recovery as BackupCodes;
 use Symfony\Bundle\FrameworkBundle\Controller\Controller;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\RedirectResponse;
@@ -46,7 +47,7 @@ class ConfigController extends Controller
            $activeTheme = $this->get('liip_theme.active_theme');
            $activeTheme->setName($config->getTheme());
-            $this->get('session')->getFlashBag()->add(
+            $this->addFlash(
                'notice',
                'flashes.config.notice.config_saved'
            );
@@ -68,7 +69,7 @@ class ConfigController extends Controller
                $userManager->updateUser($user, true);
            }
-            $this->get('session')->getFlashBag()->add('notice', $message);
+            $this->addFlash('notice', $message);
            return $this->redirect($this->generateUrl('config') . '#set4');
        }
@@ -83,7 +84,7 @@ class ConfigController extends Controller
        if ($userForm->isSubmitted() && $userForm->isValid()) {
            $userManager->updateUser($user, true);
-            $this->get('session')->getFlashBag()->add(
+            $this->addFlash(
                'notice',
                'flashes.config.notice.user_updated'
            );
@@ -99,7 +100,7 @@ class ConfigController extends Controller
            $em->persist($config);
            $em->flush();
-            $this->get('session')->getFlashBag()->add(
+            $this->addFlash(
                'notice',
                'flashes.config.notice.rss_updated'
            );
@@ -131,7 +132,7 @@ class ConfigController extends Controller
            $em->persist($taggingRule);
            $em->flush();
-            $this->get('session')->getFlashBag()->add(
+            $this->addFlash(
                'notice',
                'flashes.config.notice.tagging_rules_updated'
            );
@@ -153,12 +154,124 @@ class ConfigController extends Controller
            ],
            'twofactor_auth' => $this->getParameter('twofactor_auth'),
            'wallabag_url' => $this->getParameter('domain_name'),
-            'enabled_users' => $this->get('wallabag_user.user_repository')
+            'enabled_users' => $this->get('wallabag_user.user_repository')->getSumEnabledUsers(),
-                ->getSumEnabledUsers(),
        ]);
    }
    /**
+     * Enable 2FA using email.
+     *
+     * @Route("/config/otp/email", name="config_otp_email")
+     */
+    public function otpEmailAction()
+    {
+        if (!$this->getParameter('twofactor_auth')) {
+            return $this->createNotFoundException('two_factor not enabled');
+        }
+        $user = $this->getUser();
+        $user->setGoogleAuthenticatorSecret(null);
+        $user->setBackupCodes(null);
+        $user->setEmailTwoFactor(true);
+        $this->container->get('fos_user.user_manager')->updateUser($user, true);
+        $this->addFlash(
+            'notice',
+            'flashes.config.notice.otp_enabled'
+        );
+        return $this->redirect($this->generateUrl('config') . '#set3');
+    }
+    /**
+     * Enable 2FA using OTP app, user will need to confirm the generated code from the app.
+     *
+     * @Route("/config/otp/app", name="config_otp_app")
+     */
+    public function otpAppAction()
+    {
+        if (!$this->getParameter('twofactor_auth')) {
+            return $this->createNotFoundException('two_factor not enabled');
+        }
+        $user = $this->getUser();
+        $secret = $this->get('scheb_two_factor.security.google_authenticator')->generateSecret();
+        $user->setGoogleAuthenticatorSecret($secret);
+        $user->setEmailTwoFactor(false);
+        $backupCodes = (new BackupCodes())->toArray();
+        $backupCodesHashed = array_map(
+            function ($backupCode) {
+                return password_hash($backupCode, PASSWORD_DEFAULT);
+            },
+            $backupCodes
+        );
+        $user->setBackupCodes($backupCodesHashed);
+        $this->container->get('fos_user.user_manager')->updateUser($user, true);
+        return $this->render('WallabagCoreBundle:Config:otp_app.html.twig', [
+            'backupCodes' => $backupCodes,
+            'qr_code' => $this->get('scheb_two_factor.security.google_authenticator')->getQRContent($user),
+        ]);
+    }
+    /**
+     * Cancelling 2FA using OTP app.
+     *
+     * @Route("/config/otp/app/cancel", name="config_otp_app_cancel")
+     */
+    public function otpAppCancelAction()
+    {
+        if (!$this->getParameter('twofactor_auth')) {
+            return $this->createNotFoundException('two_factor not enabled');
+        }
+        $user = $this->getUser();
+        $user->setGoogleAuthenticatorSecret(null);
+        $user->setBackupCodes(null);
+        $this->container->get('fos_user.user_manager')->updateUser($user, true);
+        return $this->redirect($this->generateUrl('config') . '#set3');
+    }
+    /**
+     * Validate OTP code.
+     *
+     * @param Request $request
+     *
+     * @Route("/config/otp/app/check", name="config_otp_app_check")
+     */
+    public function otpAppCheckAction(Request $request)
+    {
+        $isValid = $this->get('scheb_two_factor.security.google_authenticator')->checkCode(
+            $this->getUser(),
+            $request->get('_auth_code')
+        );
+        if (true === $isValid) {
+            $this->addFlash(
+                'notice',
+                'flashes.config.notice.otp_enabled'
+            );
+            return $this->redirect($this->generateUrl('config') . '#set3');
+        }
+        $this->addFlash(
+            'two_factor',
+            'scheb_two_factor.code_invalid'
+        );
+        return $this->redirect($this->generateUrl('config_otp_app'));
+    }
+    /**
     * @param Request $request
     *
     * @Route("/generate-token", name="generate_token")
@@ -178,7 +291,7 @@ class ConfigController extends Controller
            return new JsonResponse(['token' => $config->getRssToken()]);
        }
-        $this->get('session')->getFlashBag()->add(
+        $this->addFlash(
            'notice',
            'flashes.config.notice.rss_token_updated'
        );
@@ -203,7 +316,7 @@ class ConfigController extends Controller
        $em->remove($rule);
        $em->flush();
-        $this->get('session')->getFlashBag()->add(
+        $this->addFlash(
            'notice',
            'flashes.config.notice.tagging_rules_deleted'
        );
@@ -269,7 +382,7 @@ class ConfigController extends Controller
                break;
        }
-        $this->get('session')->getFlashBag()->add(
+        $this->addFlash(
            'notice',
            'flashes.config.notice.' . $type . '_reset'
        );
diff --git a/src/Wallabag/CoreBundle/Form/Type/UserInformationType.php b/src/Wallabag/CoreBundle/Form/Type/UserInformationType.php
index 07c99949..6e4c9154 100644
--- a/src/Wallabag/CoreBundle/Form/Type/UserInformationType.php
+++ b/src/Wallabag/CoreBundle/Form/Type/UserInformationType.php
@@ -21,9 +21,14 @@ class UserInformationType extends AbstractType
            ->add('email', EmailType::class, [
                'label' => 'config.form_user.email_label',
            ])
-            ->add('twoFactorAuthentication', CheckboxType::class, [
+            ->add('emailTwoFactor', CheckboxType::class, [
                'required' => false,
-                'label' => 'config.form_user.twoFactorAuthentication_label',
+                'label' => 'config.form_user.emailTwoFactor_label',
+            ])
+            ->add('googleTwoFactor', CheckboxType::class, [
+                'required' => false,
+                'label' => 'config.form_user.googleTwoFactor_label',
+                'mapped' => false,
            ])
            ->add('save', SubmitType::class, [
                'label' => 'config.form.save',
diff --git a/src/Wallabag/CoreBundle/Resources/translations/messages.da.yml b/src/Wallabag/CoreBundle/Resources/translations/messages.da.yml
index 5a770dff..454f547d 100644
--- a/src/Wallabag/CoreBundle/Resources/translations/messages.da.yml
+++ b/src/Wallabag/CoreBundle/Resources/translations/messages.da.yml
@@ -59,6 +59,7 @@ config:
        password: 'Adgangskode'
        # rules: 'Tagging rules'
        new_user: 'Tilføj bruger'
+        # reset: 'Reset area'
    form:
        save: 'Gem'
    form_settings:
@@ -98,11 +99,19 @@ config:
            # all: 'All'
        # rss_limit: 'Number of items in the feed'
    form_user:
-        # two_factor_description: "Enabling two factor authentication means you'll receive an email with a code on every new untrusted connexion"
+        # two_factor_description: "Enabling two factor authentication means you'll receive an email with a code OR need to use an OTP app (like Google Authenticator, Authy or FreeOTP) to get a one time code on every new untrusted connection. You can't choose both option."
        name_label: 'Navn'
        email_label: 'Emailadresse'
-        # twoFactorAuthentication_label: 'Two factor authentication'
+        two_factor:
-        # help_twoFactorAuthentication: "If you enable 2FA, each time you want to login to wallabag, you'll receive a code by email."
+            # emailTwoFactor_label: 'Using email (receive a code by email)'
+            # googleTwoFactor_label: 'Using an OTP app (open the app, like Google Authenticator, Authy or FreeOTP, to get a one time code)'
+            # table_method: Method
+            # table_state: State
+            # table_action: Action
+            # state_enabled: Enabled
+            # state_disabled: Disabled
+            # action_email: Use email
+            # action_app: Use OTP App
        delete:
            # title: Delete my account (a.k.a danger zone)
            # description: If you remove your account, ALL your articles, ALL your tags, ALL your annotations and your account will be PERMANENTLY removed (it can't be UNDONE). You'll then be logged out.
@@ -160,6 +169,15 @@ config:
        #         and: 'One rule AND another'
        #         matches: 'Tests that a <i>subject</i> matches a <i>search</i> (case-insensitive).<br />Example: <code>title matches "football"</code>'
        #         notmatches: 'Tests that a <i>subject</i> doesn''t match match a <i>search</i> (case-insensitive).<br />Example: <code>title notmatches "football"</code>'
+    otp:
+        # page_title: Two-factor authentication
+        # app:
+        #     two_factor_code_description_1: You just enabled the OTP two factor authentication, open your OTP app and use that code to get a one time password. It'll disapear after a page reload.
+        #     two_factor_code_description_2: 'You can scan that QR Code with your app:'
+        #     two_factor_code_description_3: 'Also, save these backup codes in a safe place, you can use them in case you lose access to your OTP app:'
+        #     two_factor_code_description_4: 'Test an OTP code from your configured app:'
+        #     cancel: Cancel
+        #     enable: Enable
 entry:
    # default_title: 'Title of the entry'
@@ -532,7 +550,8 @@ user:
        email_label: 'Emailadresse'
        # enabled_label: 'Enabled'
        # last_login_label: 'Last login'
-        # twofactor_label: Two factor authentication
+        # twofactor_email_label: Two factor authentication by email
+        # twofactor_google_label: Two factor authentication by OTP app
        # save: Save
        # delete: Delete
        # delete_confirm: Are you sure?
diff --git a/src/Wallabag/CoreBundle/Resources/translations/messages.de.yml b/src/Wallabag/CoreBundle/Resources/translations/messages.de.yml
index 2ae8f08e..dc1d4723 100644
--- a/src/Wallabag/CoreBundle/Resources/translations/messages.de.yml
+++ b/src/Wallabag/CoreBundle/Resources/translations/messages.de.yml
@@ -59,6 +59,7 @@ config:
        password: 'Kennwort'
        rules: 'Tagging-Regeln'
        new_user: 'Benutzer hinzufügen'
+        reset: 'Zurücksetzen'
    form:
        save: 'Speichern'
    form_settings:
@@ -98,11 +99,19 @@ config:
            all: 'Alle'
        rss_limit: 'Anzahl der Einträge pro Feed'
    form_user:
-        two_factor_description: "Wenn du die Zwei-Faktor-Authentifizierung aktivierst, erhältst du eine E-Mail mit einem Code bei jeder nicht vertrauenswürdigen Verbindung"
+        # two_factor_description: "Enabling two factor authentication means you'll receive an email with a code OR need to use an OTP app (like Google Authenticator, Authy or FreeOTP) to get a one time code on every new untrusted connection. You can't choose both option."
        name_label: 'Name'
        email_label: 'E-Mail-Adresse'
-        twoFactorAuthentication_label: 'Zwei-Faktor-Authentifizierung'
+        two_factor:
-        help_twoFactorAuthentication: "Wenn du 2FA aktivierst, wirst du bei jedem Login einen Code per E-Mail bekommen."
+            # emailTwoFactor_label: 'Using email (receive a code by email)'
+            # googleTwoFactor_label: 'Using an OTP app (open the app, like Google Authenticator, Authy or FreeOTP, to get a one time code)'
+            # table_method: Method
+            # table_state: State
+            # table_action: Action
+            # state_enabled: Enabled
+            # state_disabled: Disabled
+            # action_email: Use email
+            # action_app: Use OTP App
        delete:
            title: 'Lösche mein Konto (a.k.a Gefahrenzone)'
            description: 'Wenn du dein Konto löschst, werden ALL deine Artikel, ALL deine Tags, ALL deine Anmerkungen und dein Konto dauerhaft gelöscht (kann NICHT RÜCKGÄNGIG gemacht werden). Du wirst anschließend ausgeloggt.'
@@ -532,7 +541,8 @@ user:
        email_label: 'E-Mail-Adresse'
        enabled_label: 'Aktiviert'
        last_login_label: 'Letzter Login'
-        twofactor_label: 'Zwei-Faktor-Authentifizierung'
+        # twofactor_email_label: Two factor authentication by email
+        # twofactor_google_label: Two factor authentication by OTP app
        save: 'Speichern'
        delete: 'Löschen'
        delete_confirm: 'Bist du sicher?'
diff --git a/src/Wallabag/CoreBundle/Resources/translations/messages.en.yml b/src/Wallabag/CoreBundle/Resources/translations/messages.en.yml
index d1d74159..45145c80 100644
--- a/src/Wallabag/CoreBundle/Resources/translations/messages.en.yml
+++ b/src/Wallabag/CoreBundle/Resources/translations/messages.en.yml
@@ -59,6 +59,7 @@ config:
        password: 'Password'
        rules: 'Tagging rules'
        new_user: 'Add a user'
+        reset: 'Reset area'
    form:
        save: 'Save'
    form_settings:
@@ -98,11 +99,19 @@ config:
            all: 'All'
        rss_limit: 'Number of items in the feed'
    form_user:
-        two_factor_description: "Enabling two factor authentication means you'll receive an email with a code on every new untrusted connection."
+        two_factor_description: "Enabling two factor authentication means you'll receive an email with a code OR need to use an OTP app (like Google Authenticator, Authy or FreeOTP) to get a one time code on every new untrusted connection. You can't choose both option."
        name_label: 'Name'
        email_label: 'Email'
-        twoFactorAuthentication_label: 'Two factor authentication'
+        two_factor:
-        help_twoFactorAuthentication: "If you enable 2FA, each time you want to login to wallabag, you'll receive a code by email."
+            emailTwoFactor_label: 'Using email (receive a code by email)'
+            googleTwoFactor_label: 'Using an OTP app (open the app, like Google Authenticator, Authy or FreeOTP, to get a one time code)'
+            table_method: Method
+            table_state: State
+            table_action: Action
+            state_enabled: Enabled
+            state_disabled: Disabled
+            action_email: Use email
+            action_app: Use OTP App
        delete:
            title: Delete my account (a.k.a danger zone)
            description: If you remove your account, ALL your articles, ALL your tags, ALL your annotations and your account will be PERMANENTLY removed (it can't be UNDONE). You'll then be logged out.
@@ -160,6 +169,15 @@ config:
                and: 'One rule AND another'
                matches: 'Tests that a <i>subject</i> matches a <i>search</i> (case-insensitive).<br />Example: <code>title matches "football"</code>'
                notmatches: 'Tests that a <i>subject</i> doesn''t match match a <i>search</i> (case-insensitive).<br />Example: <code>title notmatches "football"</code>'
+    otp:
+        page_title: Two-factor authentication
+        app:
+            two_factor_code_description_1: You just enabled the OTP two factor authentication, open your OTP app and use that code to get a one time password. It'll disapear after a page reload.
+            two_factor_code_description_2: 'You can scan that QR Code with your app:'
+            two_factor_code_description_3: 'Also, save these backup codes in a safe place, you can use them in case you lose access to your OTP app:'
+            two_factor_code_description_4: 'Test an OTP code from your configured app:'
+            cancel: Cancel
+            enable: Enable
 entry:
    default_title: 'Title of the entry'
@@ -532,7 +550,8 @@ user:
        email_label: 'Email'
        enabled_label: 'Enabled'
        last_login_label: 'Last login'
-        twofactor_label: Two factor authentication
+        twofactor_email_label: Two factor authentication by email
+        twofactor_google_label: Two factor authentication by OTP app
        save: Save
        delete: Delete
        delete_confirm: Are you sure?
@@ -578,6 +597,7 @@ flashes:
            tags_reset: Tags reset
            entries_reset: Entries reset
            archived_reset: Archived entries deleted
+            otp_enabled: Two-factor authentication enabled
    entry:
        notice:
            entry_already_saved: 'Entry already saved on %date%'
diff --git a/src/Wallabag/CoreBundle/Resources/translations/messages.es.yml b/src/Wallabag/CoreBundle/Resources/translations/messages.es.yml
index 741d3e9f..c1047e55 100644
--- a/src/Wallabag/CoreBundle/Resources/translations/messages.es.yml
+++ b/src/Wallabag/CoreBundle/Resources/translations/messages.es.yml
@@ -59,6 +59,7 @@ config:
        password: 'Contraseña'
        rules: 'Reglas de etiquetado automáticas'
        new_user: 'Añadir un usuario'
+        reset: 'Reiniciar mi cuenta'
    form:
        save: 'Guardar'
    form_settings:
@@ -98,11 +99,19 @@ config:
            # all: 'All'
        rss_limit: 'Límite de artículos en feed RSS'
    form_user:
-        two_factor_description: "Con la autenticación en dos pasos recibirá código por e-mail en cada nueva conexión que no sea de confianza."
+        # two_factor_description: "Enabling two factor authentication means you'll receive an email with a code OR need to use an OTP app (like Google Authenticator, Authy or FreeOTP) to get a one time code on every new untrusted connection. You can't choose both option."
        name_label: 'Nombre'
        email_label: 'Dirección de e-mail'
-        twoFactorAuthentication_label: 'Autenticación en dos pasos'
+        two_factor:
-        help_twoFactorAuthentication: "Si activas la autenticación en dos pasos, cada vez que quieras iniciar sesión en wallabag recibirás un código por e-mail."
+            # emailTwoFactor_label: 'Using email (receive a code by email)'
+            # googleTwoFactor_label: 'Using an OTP app (open the app, like Google Authenticator, Authy or FreeOTP, to get a one time code)'
+            # table_method: Method
+            # table_state: State
+            # table_action: Action
+            # state_enabled: Enabled
+            # state_disabled: Disabled
+            # action_email: Use email
+            # action_app: Use OTP App
        delete:
            title: Eliminar mi cuenta (Zona peligrosa)
            description: Si eliminas tu cuenta, TODOS tus artículos, TODAS tus etiquetas, TODAS tus anotaciones y tu cuenta serán eliminadas de forma PERMANENTE (no se puede deshacer). Después serás desconectado.
@@ -160,6 +169,15 @@ config:
                and: 'Una regla Y la otra'
                matches: 'Prueba si un <i>sujeto</i> corresponde a una <i>búsqueda</i> (insensible a mayusculas).<br />Ejemplo : <code>title matches "fútbol"</code>'
                # notmatches: 'Tests that a <i>subject</i> doesn''t match match a <i>search</i> (case-insensitive).<br />Example: <code>title notmatches "football"</code>'
+    otp:
+        # page_title: Two-factor authentication
+        # app:
+        #     two_factor_code_description_1: You just enabled the OTP two factor authentication, open your OTP app and use that code to get a one time password. It'll disapear after a page reload.
+        #     two_factor_code_description_2: 'You can scan that QR Code with your app:'
+        #     two_factor_code_description_3: 'Also, save these backup codes in a safe place, you can use them in case you lose access to your OTP app:'
+        #     two_factor_code_description_4: 'Test an OTP code from your configured app:'
+        #     cancel: Cancel
+        #     enable: Enable
 entry:
    default_title: 'Título del artículo'
@@ -532,7 +550,8 @@ user:
        email_label: 'E-mail'
        enabled_label: 'Activado'
        last_login_label: 'Último inicio de sesión'
-        twofactor_label: Autenticación en dos pasos
+        # twofactor_email_label: Two factor authentication by email
+        # twofactor_google_label: Two factor authentication by OTP app
        save: Guardar
        delete: Eliminar
        delete_confirm: ¿Estás seguro?
diff --git a/src/Wallabag/CoreBundle/Resources/translations/messages.fa.yml b/src/Wallabag/CoreBundle/Resources/translations/messages.fa.yml
index 2ef5dd52..3042de2e 100644
--- a/src/Wallabag/CoreBundle/Resources/translations/messages.fa.yml
+++ b/src/Wallabag/CoreBundle/Resources/translations/messages.fa.yml
@@ -59,6 +59,7 @@ config:
        password: 'رمز'
        rules: 'برچسب‌گذاری خودکار'
        new_user: 'افزودن کاربر'
+        # reset: 'Reset area'
    form:
        save: 'ذخیره'
    form_settings:
@@ -98,11 +99,19 @@ config:
            # all: 'All'
        rss_limit: 'محدودیت آر-اس-اس'
    form_user:
-        two_factor_description: "با فعال‌کردن تأیید ۲مرحله‌ای هر بار که اتصال تأییدنشده‌ای برقرار شد، به شما یک کد از راه ایمیل فرستاده می‌شود"
+        # two_factor_description: "Enabling two factor authentication means you'll receive an email with a code OR need to use an OTP app (like Google Authenticator, Authy or FreeOTP) to get a one time code on every new untrusted connection. You can't choose both option."
        name_label: 'نام'
        email_label: 'نشانی ایمیل'
-        twoFactorAuthentication_label: 'تأیید ۲مرحله‌ای'
+        two_factor:
-        # help_twoFactorAuthentication: "If you enable 2FA, each time you want to login to wallabag, you'll receive a code by email."
+            # emailTwoFactor_label: 'Using email (receive a code by email)'
+            # googleTwoFactor_label: 'Using an OTP app (open the app, like Google Authenticator, Authy or FreeOTP, to get a one time code)'
+            # table_method: Method
+            # table_state: State
+            # table_action: Action
+            # state_enabled: Enabled
+            # state_disabled: Disabled
+            # action_email: Use email
+            # action_app: Use OTP App
        delete:
            # title: Delete my account (a.k.a danger zone)
            # description: If you remove your account, ALL your articles, ALL your tags, ALL your annotations and your account will be PERMANENTLY removed (it can't be UNDONE). You'll then be logged out.
@@ -160,6 +169,15 @@ config:
        #         and: 'One rule AND another'
        #         matches: 'Tests that a <i>subject</i> matches a <i>search</i> (case-insensitive).<br />Example: <code>title matches "football"</code>'
        #         notmatches: 'Tests that a <i>subject</i> doesn''t match match a <i>search</i> (case-insensitive).<br />Example: <code>title notmatches "football"</code>'
+    otp:
+        # page_title: Two-factor authentication
+        # app:
+        #     two_factor_code_description_1: You just enabled the OTP two factor authentication, open your OTP app and use that code to get a one time password. It'll disapear after a page reload.
+        #     two_factor_code_description_2: 'You can scan that QR Code with your app:'
+        #     two_factor_code_description_3: 'Also, save these backup codes in a safe place, you can use them in case you lose access to your OTP app:'
+        #     two_factor_code_description_4: 'Test an OTP code from your configured app:'
+        #     cancel: Cancel
+        #     enable: Enable
 entry:
    # default_title: 'Title of the entry'
@@ -532,7 +550,8 @@ user:
        email_label: 'نشانی ایمیل'
        # enabled_label: 'Enabled'
        # last_login_label: 'Last login'
-        # twofactor_label: Two factor authentication
+        # twofactor_email_label: Two factor authentication by email
+        # twofactor_google_label: Two factor authentication by OTP app
        # save: Save
        # delete: Delete
        # delete_confirm: Are you sure?
diff --git a/src/Wallabag/CoreBundle/Resources/translations/messages.fr.yml b/src/Wallabag/CoreBundle/Resources/translations/messages.fr.yml
index 7a2029b4..57740ba2 100644
--- a/src/Wallabag/CoreBundle/Resources/translations/messages.fr.yml
+++ b/src/Wallabag/CoreBundle/Resources/translations/messages.fr.yml
@@ -59,6 +59,7 @@ config:
        password: "Mot de passe"
        rules: "Règles de tag automatiques"
        new_user: "Créer un compte"
+        reset: "Réinitialisation"
    form:
        save: "Enregistrer"
    form_settings:
@@ -98,11 +99,19 @@ config:
            all: "Tous"
        rss_limit: "Nombre d’articles dans le flux"
    form_user:
-        two_factor_description: "Activer l’authentification double-facteur veut dire que vous allez recevoir un code par courriel à chaque nouvelle connexion non approuvée."
+        two_factor_description: "Activer l’authentification double-facteur veut dire que vous allez recevoir un code par courriel OU que vous devriez utiliser une application de mot de passe à usage unique (comme Google Authenticator, Authy or FreeOTP) pour obtenir un code temporaire à chaque nouvelle connexion non approuvée. Vous ne pouvez pas choisir les deux options."
        name_label: "Nom"
        email_label: "Adresse courriel"
-        twoFactorAuthentication_label: "Double authentification"
+        two_factor:
-        help_twoFactorAuthentication: "Si vous activez 2FA, à chaque tentative de connexion à wallabag, vous recevrez un code par email."
+            emailTwoFactor_label: 'En utlisant l’email (recevez un code par email)'
+            googleTwoFactor_label: 'En utilisant une application de mot de passe à usage unique (ouvrez l’app, comme Google Authenticator, Authy or FreeOTP, pour obtenir un mot de passe à usage unique)'
+            table_method: Méthode
+            table_state: État
+            table_action: Action
+            state_enabled: Activé
+            state_disabled: Désactivé
+            action_email: Utiliser l'email
+            action_app: Utiliser une app OTP
        delete:
            title: "Supprimer mon compte (attention danger !)"
            description: "Si vous confirmez la suppression de votre compte, TOUS les articles, TOUS les tags, TOUTES les annotations et votre compte seront DÉFINITIVEMENT supprimé (c’est IRRÉVERSIBLE). Vous serez ensuite déconnecté."
@@ -160,6 +169,15 @@ config:
                and: "Une règle ET l’autre"
                matches: "Teste si un <i>sujet</i> correspond à une <i>recherche</i> (non sensible à la casse).<br />Exemple : <code>title matches \"football\"</code>"
                notmatches: "Teste si un <i>sujet</i> ne correspond pas à une <i>recherche</i> (non sensible à la casse).<br />Exemple : <code>title notmatches \"football\"</code>"
+    otp:
+        page_title: Authentification double-facteur
+        app:
+            two_factor_code_description_1: Vous venez d’activer l’authentification double-facteur, ouvrez votre application OTP pour configurer la génération du mot de passe à usage unique. Ces informations disparaîtront après un rechargement de la page.
+            two_factor_code_description_2: 'Vous pouvez scanner le QR code avec votre application :'
+            two_factor_code_description_3: 'N’oubliez pas de sauvegarder ces codes de secours dans un endroit sûr, vous pourrez les utiliser si vous ne pouvez plus accéder à votre application OTP :'
+            two_factor_code_description_4: 'Testez un code généré par votre application OTP :'
+            cancel: Annuler
+            enable: Activer
 entry:
    default_title: "Titre de l’article"
@@ -533,6 +551,8 @@ user:
        enabled_label: "Activé"
        last_login_label: "Dernière connexion"
        twofactor_label: "Double authentification"
+        twofactor_email_label: Double authentification par email
+        twofactor_google_label: Double authentification par OTP app
        save: "Sauvegarder"
        delete: "Supprimer"
        delete_confirm: "Êtes-vous sûr ?"
@@ -578,6 +598,7 @@ flashes:
            tags_reset: "Tags supprimés"
            entries_reset: "Articles supprimés"
            archived_reset: "Articles archivés supprimés"
+            otp_enabled: "Authentification à double-facteur activée"
    entry:
        notice:
            entry_already_saved: "Article déjà sauvegardé le %date%"
diff --git a/src/Wallabag/CoreBundle/Resources/translations/messages.it.yml b/src/Wallabag/CoreBundle/Resources/translations/messages.it.yml
index 3a459445..274e5338 100644
--- a/src/Wallabag/CoreBundle/Resources/translations/messages.it.yml
+++ b/src/Wallabag/CoreBundle/Resources/translations/messages.it.yml
@@ -59,6 +59,7 @@ config:
        password: 'Password'
        rules: 'Regole di etichettatura'
        new_user: 'Aggiungi utente'
+        reset: 'Area di reset'
    form:
        save: 'Salva'
    form_settings:
@@ -98,11 +99,18 @@ config:
            # all: 'All'
        rss_limit: 'Numero di elementi nel feed'
    form_user:
-        two_factor_description: "Abilitando l'autenticazione a due fattori riceverai una e-mail con un codice per ogni nuova connesione non verificata"
+        # two_factor_description: "Enabling two factor authentication means you'll receive an email with a code OR need to use an OTP app (like Google Authenticator, Authy or FreeOTP) to get a one time code on every new untrusted connection. You can't choose both option."
        name_label: 'Nome'
        email_label: 'E-mail'
-        twoFactorAuthentication_label: 'Autenticazione a due fattori'
+            # emailTwoFactor_label: 'Using email (receive a code by email)'
-        help_twoFactorAuthentication: "Se abiliti l'autenticazione a due fattori, ogni volta che vorrai connetterti a wallabag, riceverai un codice via E-mail."
+            # googleTwoFactor_label: 'Using an OTP app (open the app, like Google Authenticator, Authy or FreeOTP, to get a one time code)'
+            # table_method: Method
+            # table_state: State
+            # table_action: Action
+            # state_enabled: Enabled
+            # state_disabled: Disabled
+            # action_email: Use email
+            # action_app: Use OTP App
        delete:
            title: Cancella il mio account (zona pericolosa)
            description: Rimuovendo il tuo account, TUTTI i tuoi articoli, TUTTE le tue etichette, TUTTE le tue annotazioni ed il tuo account verranno rimossi PERMANENTEMENTE (impossibile da ANNULLARE). Verrai poi disconnesso.
@@ -160,6 +168,15 @@ config:
                and: "Una regola E un'altra"
                matches: 'Verifica che un <i>oggetto</i> risulti in una <i>ricerca</i> (case-insensitive).<br />Esempio: <code>titolo contiene "football"</code>'
                # notmatches: 'Tests that a <i>subject</i> doesn''t match match a <i>search</i> (case-insensitive).<br />Example: <code>title notmatches "football"</code>'
+    otp:
+        # page_title: Two-factor authentication
+        # app:
+        #     two_factor_code_description_1: You just enabled the OTP two factor authentication, open your OTP app and use that code to get a one time password. It'll disapear after a page reload.
+        #     two_factor_code_description_2: 'You can scan that QR Code with your app:'
+        #     two_factor_code_description_3: 'Also, save these backup codes in a safe place, you can use them in case you lose access to your OTP app:'
+        #     two_factor_code_description_4: 'Test an OTP code from your configured app:'
+        #     cancel: Cancel
+        #     enable: Enable
 entry:
    default_title: "Titolo del contenuto"
@@ -532,7 +549,8 @@ user:
        email_label: 'E-mail'
        enabled_label: 'Abilitato'
        last_login_label: 'Ultima connessione'
-        twofactor_label: Autenticazione a due fattori
+        # twofactor_email_label: Two factor authentication by email
+        # twofactor_google_label: Two factor authentication by OTP app
        save: Salva
        delete: Cancella
        delete_confirm: Sei sicuro?
diff --git a/src/Wallabag/CoreBundle/Resources/translations/messages.oc.yml b/src/Wallabag/CoreBundle/Resources/translations/messages.oc.yml
index 9df9e645..4e5370f9 100644
--- a/src/Wallabag/CoreBundle/Resources/translations/messages.oc.yml
+++ b/src/Wallabag/CoreBundle/Resources/translations/messages.oc.yml
@@ -59,6 +59,7 @@ config:
        password: 'Senhal'
        rules: "Règlas d'etiquetas automaticas"
        new_user: 'Crear un compte'
+        reset: 'Zòna de reïnicializacion'
    form:
        save: 'Enregistrar'
    form_settings:
@@ -98,11 +99,18 @@ config:
            all: 'Totes'
        rss_limit: "Nombre d'articles dins un flux RSS"
    form_user:
-        two_factor_description: "Activar l'autentificacion en dos temps vòl dire que recebretz un còdi per corrièl per cada novèla connexion pas aprovada."
+        # two_factor_description: "Enabling two factor authentication means you'll receive an email with a code OR need to use an OTP app (like Google Authenticator, Authy or FreeOTP) to get a one time code on every new untrusted connection. You can't choose both option."
        name_label: 'Nom'
        email_label: 'Adreça de corrièl'
-        twoFactorAuthentication_label: 'Dobla autentificacion'
+            # emailTwoFactor_label: 'Using email (receive a code by email)'
-        help_twoFactorAuthentication: "S'avètz activat l'autentificacion en dos temps, cada còp que volètz vos connectar a wallabag, recebretz un còdi per corrièl."
+            # googleTwoFactor_label: 'Using an OTP app (open the app, like Google Authenticator, Authy or FreeOTP, to get a one time code)'
+            # table_method: Method
+            # table_state: State
+            # table_action: Action
+            # state_enabled: Enabled
+            # state_disabled: Disabled
+            # action_email: Use email
+            # action_app: Use OTP App
        delete:
            title: Suprimir mon compte (Mèfi zòna perilhosa)
            description: Se confirmatz la supression de vòstre compte, TOTES vòstres articles, TOTAS vòstras etiquetas, TOTAS vòstras anotacions e vòstre compte seràn suprimits per totjorn. E aquò es IRREVERSIBLE. Puèi seretz desconnectat.
@@ -160,6 +168,15 @@ config:
                and: "Una règla E l'autra"
                matches: 'Teste se un <i>subjècte</i> correspond a una <i>recèrca</i> (non sensibla a la cassa).<br />Exemple : <code>title matches \"football\"</code>'
                notmatches: 'Teste se <i>subjècte</i> correspond pas a una <i>recèrca</i> (sensibla a la cassa).<br />Example : <code>title notmatches "football"</code>'
+    otp:
+        # page_title: Two-factor authentication
+        # app:
+        #     two_factor_code_description_1: You just enabled the OTP two factor authentication, open your OTP app and use that code to get a one time password. It'll disapear after a page reload.
+        #     two_factor_code_description_2: 'You can scan that QR Code with your app:'
+        #     two_factor_code_description_3: 'Also, save these backup codes in a safe place, you can use them in case you lose access to your OTP app:'
+        #     two_factor_code_description_4: 'Test an OTP code from your configured app:'
+        #     cancel: Cancel
+        #     enable: Enable
 entry:
    default_title: "Títol de l'article"
@@ -532,7 +549,8 @@ user:
        email_label: 'Adreça de corrièl'
        enabled_label: 'Actiu'
        last_login_label: 'Darrièra connexion'
-        twofactor_label: 'Autentificacion doble-factor'
+        # twofactor_email_label: Two factor authentication by email
+        # twofactor_google_label: Two factor authentication by OTP app
        save: 'Enregistrar'
        delete: 'Suprimir'
        delete_confirm: 'Sètz segur ?'
diff --git a/src/Wallabag/CoreBundle/Resources/translations/messages.pl.yml b/src/Wallabag/CoreBundle/Resources/translations/messages.pl.yml
index 684c40e2..a7a4d6c3 100644
--- a/src/Wallabag/CoreBundle/Resources/translations/messages.pl.yml
+++ b/src/Wallabag/CoreBundle/Resources/translations/messages.pl.yml
@@ -59,6 +59,7 @@ config:
        password: 'Hasło'
        rules: 'Zasady tagowania'
        new_user: 'Dodaj użytkownika'
+        reset: 'Reset'
    form:
        save: 'Zapisz'
    form_settings:
@@ -98,11 +99,18 @@ config:
            all: 'Wszystkie'
        rss_limit: 'Link do RSS'
    form_user:
-        two_factor_description: "Włączenie autoryzacji dwuetapowej oznacza, że będziesz otrzymywał maile z kodem przy każdym nowym, niezaufanym połączeniu"
+        # two_factor_description: "Enabling two factor authentication means you'll receive an email with a code OR need to use an OTP app (like Google Authenticator, Authy or FreeOTP) to get a one time code on every new untrusted connection. You can't choose both option."
        name_label: 'Nazwa'
        email_label: 'Adres email'
-        twoFactorAuthentication_label: 'Autoryzacja dwuetapowa'
+            # emailTwoFactor_label: 'Using email (receive a code by email)'
-        help_twoFactorAuthentication: "Jeżeli włączysz autoryzację dwuetapową. Za każdym razem, kiedy będziesz chciał się zalogować, dostaniesz kod na swój e-mail."
+            # googleTwoFactor_label: 'Using an OTP app (open the app, like Google Authenticator, Authy or FreeOTP, to get a one time code)'
+            # table_method: Method
+            # table_state: State
+            # table_action: Action
+            # state_enabled: Enabled
+            # state_disabled: Disabled
+            # action_email: Use email
+            # action_app: Use OTP App
        delete:
            title: Usuń moje konto (niebezpieczna strefa !)
            description: Jeżeli usuniesz swoje konto, wszystkie twoje artykuły, tagi, adnotacje, oraz konto zostaną trwale usunięte (operacja jest NIEODWRACALNA). Następnie zostaniesz wylogowany.
@@ -160,6 +168,15 @@ config:
                and: 'Jedna reguła I inna'
                matches: 'Sprawdź czy <i>temat</i> pasuje <i>szukaj</i> (duże lub małe litery).<br />Przykład: <code>tytuł zawiera "piłka nożna"</code>'
                notmatches: 'Sprawdź czy <i>temat</i> nie zawiera <i>szukaj</i> (duże lub małe litery).<br />Przykład: <code>tytuł nie zawiera "piłka nożna"</code>'
+    otp:
+        # page_title: Two-factor authentication
+        # app:
+        #     two_factor_code_description_1: You just enabled the OTP two factor authentication, open your OTP app and use that code to get a one time password. It'll disapear after a page reload.
+        #     two_factor_code_description_2: 'You can scan that QR Code with your app:'
+        #     two_factor_code_description_3: 'Also, save these backup codes in a safe place, you can use them in case you lose access to your OTP app:'
+        #     two_factor_code_description_4: 'Test an OTP code from your configured app:'
+        #     cancel: Cancel
+        #     enable: Enable
 entry:
    default_title: 'Tytuł wpisu'
@@ -532,7 +549,8 @@ user:
        email_label: 'Adres email'
        enabled_label: 'Włączony'
        last_login_label: 'Ostatnie logowanie'
-        twofactor_label: Autoryzacja dwuetapowa
+        # twofactor_email_label: Two factor authentication by email
+        # twofactor_google_label: Two factor authentication by OTP app
        save: Zapisz
        delete: Usuń
        delete_confirm: Jesteś pewien?
diff --git a/src/Wallabag/CoreBundle/Resources/translations/messages.pt.yml b/src/Wallabag/CoreBundle/Resources/translations/messages.pt.yml
index 7932d7ab..a5483a6d 100644
--- a/src/Wallabag/CoreBundle/Resources/translations/messages.pt.yml
+++ b/src/Wallabag/CoreBundle/Resources/translations/messages.pt.yml
@@ -59,6 +59,7 @@ config:
        password: 'Senha'
        rules: 'Regras de tags'
        new_user: 'Adicionar um usuário'
+        # reset: 'Reset area'
    form:
        save: 'Salvar'
    form_settings:
@@ -98,11 +99,18 @@ config:
            # all: 'All'
        rss_limit: 'Número de itens no feed'
    form_user:
-        two_factor_description: 'Habilitar autenticação de dois passos significa que você receberá um e-mail com um código a cada nova conexão desconhecida.'
+        # two_factor_description: "Enabling two factor authentication means you'll receive an email with a code OR need to use an OTP app (like Google Authenticator, Authy or FreeOTP) to get a one time code on every new untrusted connection. You can't choose both option."
        name_label: 'Nome'
        email_label: 'E-mail'
-        twoFactorAuthentication_label: 'Autenticação de dois passos'
+            # emailTwoFactor_label: 'Using email (receive a code by email)'
-        # help_twoFactorAuthentication: "If you enable 2FA, each time you want to login to wallabag, you'll receive a code by email."
+            # googleTwoFactor_label: 'Using an OTP app (open the app, like Google Authenticator, Authy or FreeOTP, to get a one time code)'
+            # table_method: Method
+            # table_state: State
+            # table_action: Action
+            # state_enabled: Enabled
+            # state_disabled: Disabled
+            # action_email: Use email
+            # action_app: Use OTP App
        delete:
            # title: Delete my account (a.k.a danger zone)
            # description: If you remove your account, ALL your articles, ALL your tags, ALL your annotations and your account will be PERMANENTLY removed (it can't be UNDONE). You'll then be logged out.
@@ -160,6 +168,15 @@ config:
                and: 'Uma regra E outra'
                matches: 'Testa que um <i>assunto</i> corresponde a uma <i>pesquisa</i> (maiúscula ou minúscula).<br />Exemplo: <code>título corresponde a "futebol"</code>'
                # notmatches: 'Tests that a <i>subject</i> doesn''t match match a <i>search</i> (case-insensitive).<br />Example: <code>title notmatches "football"</code>'
+    otp:
+        # page_title: Two-factor authentication
+        # app:
+        #     two_factor_code_description_1: You just enabled the OTP two factor authentication, open your OTP app and use that code to get a one time password. It'll disapear after a page reload.
+        #     two_factor_code_description_2: 'You can scan that QR Code with your app:'
+        #     two_factor_code_description_3: 'Also, save these backup codes in a safe place, you can use them in case you lose access to your OTP app:'
+        #     two_factor_code_description_4: 'Test an OTP code from your configured app:'
+        #     cancel: Cancel
+        #     enable: Enable
 entry:
    default_title: 'Título da entrada'
@@ -532,7 +549,8 @@ user:
        email_label: 'E-mail'
        enabled_label: 'Habilitado'
        last_login_label: 'Último login'
-        twofactor_label: 'Autenticação de dois passos'
+        # twofactor_email_label: Two factor authentication by email
+        # twofactor_google_label: Two factor authentication by OTP app
        save: 'Salvar'
        delete: 'Apagar'
        delete_confirm: 'Tem certeza?'
diff --git a/src/Wallabag/CoreBundle/Resources/translations/messages.ro.yml b/src/Wallabag/CoreBundle/Resources/translations/messages.ro.yml
index 4d091f03..3b7fbd69 100644
--- a/src/Wallabag/CoreBundle/Resources/translations/messages.ro.yml
+++ b/src/Wallabag/CoreBundle/Resources/translations/messages.ro.yml
@@ -59,6 +59,7 @@ config:
        password: 'Parolă'
        # rules: 'Tagging rules'
        new_user: 'Crează un utilizator'
+        # reset: 'Reset area'
    form:
        save: 'Salvează'
    form_settings:
@@ -98,11 +99,18 @@ config:
            # all: 'All'
        rss_limit: 'Limită RSS'
    form_user:
-        # two_factor_description: "Enabling two factor authentication means you'll receive an email with a code on every new untrusted connexion"
+        # two_factor_description: "Enabling two factor authentication means you'll receive an email with a code OR need to use an OTP app (like Google Authenticator, Authy or FreeOTP) to get a one time code on every new untrusted connection. You can't choose both option."
        name_label: 'Nume'
        email_label: 'E-mail'
-        # twoFactorAuthentication_label: 'Two factor authentication'
+            # emailTwoFactor_label: 'Using email (receive a code by email)'
-        # help_twoFactorAuthentication: "If you enable 2FA, each time you want to login to wallabag, you'll receive a code by email."
+            # googleTwoFactor_label: 'Using an OTP app (open the app, like Google Authenticator, Authy or FreeOTP, to get a one time code)'
+            # table_method: Method
+            # table_state: State
+            # table_action: Action
+            # state_enabled: Enabled
+            # state_disabled: Disabled
+            # action_email: Use email
+            # action_app: Use OTP App
        delete:
            # title: Delete my account (a.k.a danger zone)
            # description: If you remove your account, ALL your articles, ALL your tags, ALL your annotations and your account will be PERMANENTLY removed (it can't be UNDONE). You'll then be logged out.
@@ -160,6 +168,15 @@ config:
        #         and: 'One rule AND another'
        #         matches: 'Tests that a <i>subject</i> matches a <i>search</i> (case-insensitive).<br />Example: <code>title matches "football"</code>'
        #         notmatches: 'Tests that a <i>subject</i> doesn''t match match a <i>search</i> (case-insensitive).<br />Example: <code>title notmatches "football"</code>'
+    otp:
+        # page_title: Two-factor authentication
+        # app:
+        #     two_factor_code_description_1: You just enabled the OTP two factor authentication, open your OTP app and use that code to get a one time password. It'll disapear after a page reload.
+        #     two_factor_code_description_2: 'You can scan that QR Code with your app:'
+        #     two_factor_code_description_3: 'Also, save these backup codes in a safe place, you can use them in case you lose access to your OTP app:'
+        #     two_factor_code_description_4: 'Test an OTP code from your configured app:'
+        #     cancel: Cancel
+        #     enable: Enable
 entry:
    # default_title: 'Title of the entry'
@@ -532,7 +549,8 @@ user:
        email_label: 'E-mail'
        # enabled_label: 'Enabled'
        # last_login_label: 'Last login'
-        # twofactor_label: Two factor authentication
+        # twofactor_email_label: Two factor authentication by email
+        # twofactor_google_label: Two factor authentication by OTP app
        # save: Save
        # delete: Delete
        # delete_confirm: Are you sure?
diff --git a/src/Wallabag/CoreBundle/Resources/translations/messages.ru.yml b/src/Wallabag/CoreBundle/Resources/translations/messages.ru.yml
index cc327ae4..92746631 100644
--- a/src/Wallabag/CoreBundle/Resources/translations/messages.ru.yml
+++ b/src/Wallabag/CoreBundle/Resources/translations/messages.ru.yml
@@ -58,6 +58,7 @@ config:
        password: 'Пароль'
        rules: 'Правила настройки простановки тегов'
        new_user: 'Добавить пользователя'
+        reset: 'Сброс данных'
    form:
        save: 'Сохранить'
    form_settings:
@@ -95,11 +96,18 @@ config:
            archive: 'архивные'
        rss_limit: 'Количество записей в фиде'
    form_user:
-        two_factor_description: "Включить двухфакторную аутентификацию, Вы получите сообщение на указанный email с кодом, при каждом новом непроверенном подключении."
+        # two_factor_description: "Enabling two factor authentication means you'll receive an email with a code OR need to use an OTP app (like Google Authenticator, Authy or FreeOTP) to get a one time code on every new untrusted connection. You can't choose both option."
        name_label: 'Имя'
        email_label: 'Email'
-        twoFactorAuthentication_label: 'Двухфакторная аутентификация'
+            # emailTwoFactor_label: 'Using email (receive a code by email)'
-        help_twoFactorAuthentication: "Если Вы включите двухфакторную аутентификацию, то Вы будете получать код на указанный ранее email, каждый раз при входе в wallabag."
+            # googleTwoFactor_label: 'Using an OTP app (open the app, like Google Authenticator, Authy or FreeOTP, to get a one time code)'
+            # table_method: Method
+            # table_state: State
+            # table_action: Action
+            # state_enabled: Enabled
+            # state_disabled: Disabled
+            # action_email: Use email
+            # action_app: Use OTP App
        delete:
            title: "Удалить мой аккаунт (или опасная зона)"
            description: "Если Вы удалите ваш аккаунт, ВСЕ ваши записи, теги и другие данные, будут БЕЗВОЗВРАТНО удалены (операция не может быть отменена после). Затем Вы выйдете из системы."
@@ -155,6 +163,15 @@ config:
                or: 'Одно правило ИЛИ другое'
                and: 'Одно правило И другое'
                matches: 'Тесты, в которых <i> тема </i> соответствует <i> поиску </i> (без учета регистра). Пример: <code> title matches "футбол" </code>'
+    otp:
+        # page_title: Two-factor authentication
+        # app:
+        #     two_factor_code_description_1: You just enabled the OTP two factor authentication, open your OTP app and use that code to get a one time password. It'll disapear after a page reload.
+        #     two_factor_code_description_2: 'You can scan that QR Code with your app:'
+        #     two_factor_code_description_3: 'Also, save these backup codes in a safe place, you can use them in case you lose access to your OTP app:'
+        #     two_factor_code_description_4: 'Test an OTP code from your configured app:'
+        #     cancel: Cancel
+        #     enable: Enable
 entry:
    default_title: 'Название записи'
@@ -520,7 +537,8 @@ user:
        email_label: 'Email'
        enabled_label: 'Включить'
        last_login_label: 'Последний вход'
-        twofactor_label: "Двухфакторная аутентификация"
+        # twofactor_email_label: Two factor authentication by email
+        # twofactor_google_label: Two factor authentication by OTP app
        save: "Сохранить"
        delete: "Удалить"
        delete_confirm: "Вы уверены?"
diff --git a/src/Wallabag/CoreBundle/Resources/translations/messages.th.yml b/src/Wallabag/CoreBundle/Resources/translations/messages.th.yml
index 148aa541..1fe4fa0e 100644
--- a/src/Wallabag/CoreBundle/Resources/translations/messages.th.yml
+++ b/src/Wallabag/CoreBundle/Resources/translations/messages.th.yml
@@ -59,6 +59,7 @@ config:
        password: 'รหัสผ่าน'
        rules: 'การแท็กข้อบังคับ'
        new_user: 'เพิ่มผู้ใช้'
+        reset: 'รีเซ็ตพื้นที่ '
    form:
        save: 'บันทึก'
    form_settings:
@@ -98,11 +99,18 @@ config:
            all: 'ทั้งหมด'
        rss_limit: 'จำนวนไอเทมที่เก็บ'
    form_user:
-        two_factor_description: "การเปิดใช้งาน two factor authentication คือคุณจะต้องได้รับอีเมลกับ code ที่ยังไม่ตรวจสอบในการเชื่อมต่อ"
+        # two_factor_description: "Enabling two factor authentication means you'll receive an email with a code OR need to use an OTP app (like Google Authenticator, Authy or FreeOTP) to get a one time code on every new untrusted connection. You can't choose both option."
        name_label: 'ชื่อ'
        email_label: 'อีเมล'
-        twoFactorAuthentication_label: 'Two factor authentication'
+            # emailTwoFactor_label: 'Using email (receive a code by email)'
-        help_twoFactorAuthentication: "ถ้าคุณเปิด 2FA, ในแต่ละช่วงเวลาที่คุณต้องการลงชื่อเข้าใช wallabag, คุณจะต้องได้รับ code จากอีเมล"
+            # googleTwoFactor_label: 'Using an OTP app (open the app, like Google Authenticator, Authy or FreeOTP, to get a one time code)'
+            # table_method: Method
+            # table_state: State
+            # table_action: Action
+            # state_enabled: Enabled
+            # state_disabled: Disabled
+            # action_email: Use email
+            # action_app: Use OTP App
        delete:
            title: ลบบัญชีของฉัน (โซนที่เป็นภัย!)
            description: ถ้าคุณลบบัญชีของคุณIf , รายการทั้งหมดของคุณ, แท็กทั้งหมดของคุณ, หมายเหตุทั้งหมดของคุณและบัญชีของคุณจะถูกลบอย่างถาวร (มันไม่สามารถยกเลิกได้) คุณจะต้องลงชื่อออก
@@ -160,6 +168,15 @@ config:
                and: 'หนึ่งข้อบังคับและอื่นๆ'
                matches: 'ทดสอบว่า <i>เรื่อง</i> นี้ตรงกับ <i>การต้นหา</i> (กรณีไม่ทราบ).<br />ตัวอย่าง: <code>หัวข้อที่ตรงกับ "football"</code>'
                notmatches: 'ทดสอบว่า <i>เรื่อง</i> นี้ไม่ตรงกับ <i>การต้นหา</i> (กรณีไม่ทราบ).<br />ตัวอย่าง: <code>หัวข้อทีไม่ตรงกับ "football"</code>'
+    otp:
+        # page_title: Two-factor authentication
+        # app:
+        #     two_factor_code_description_1: You just enabled the OTP two factor authentication, open your OTP app and use that code to get a one time password. It'll disapear after a page reload.
+        #     two_factor_code_description_2: 'You can scan that QR Code with your app:'
+        #     two_factor_code_description_3: 'Also, save these backup codes in a safe place, you can use them in case you lose access to your OTP app:'
+        #     two_factor_code_description_4: 'Test an OTP code from your configured app:'
+        #     cancel: Cancel
+        #     enable: Enable
 entry:
    default_title: 'หัวข้อรายการ'
@@ -530,7 +547,8 @@ user:
        email_label: 'อีเมล'
        enabled_label: 'เปิดใช้งาน'
        last_login_label: 'ลงชื้อเข้าใช้ครั้งสุดท้าย'
-        twofactor_label: Two factor authentication
+        # twofactor_email_label: Two factor authentication by email
+        # twofactor_google_label: Two factor authentication by OTP app
        save: บันทึก
        delete: ลบ
        delete_confirm: ตุณแน่ใจหรือไม่?
diff --git a/src/Wallabag/CoreBundle/Resources/translations/messages.tr.yml b/src/Wallabag/CoreBundle/Resources/translations/messages.tr.yml
index 6fb9852a..3b8a0d59 100644
--- a/src/Wallabag/CoreBundle/Resources/translations/messages.tr.yml
+++ b/src/Wallabag/CoreBundle/Resources/translations/messages.tr.yml
@@ -59,6 +59,7 @@ config:
        password: 'Şifre'
        rules: 'Etiketleme kuralları'
        new_user: 'Bir kullanıcı ekle'
+        # reset: 'Reset area'
    form:
        save: 'Kaydet'
    form_settings:
@@ -98,11 +99,18 @@ config:
            # all: 'All'
        rss_limit: 'RSS içeriğinden talep edilecek makale limiti'
    form_user:
-        two_factor_description: "İki adımlı doğrulamayı aktifleştirdiğinizde, her yeni güvenilmeyen bağlantılarda size e-posta ile bir kod alacaksınız."
+        # two_factor_description: "Enabling two factor authentication means you'll receive an email with a code OR need to use an OTP app (like Google Authenticator, Authy or FreeOTP) to get a one time code on every new untrusted connection. You can't choose both option."
        name_label: 'İsim'
        email_label: 'E-posta'
-        twoFactorAuthentication_label: 'İki adımlı doğrulama'
+            # emailTwoFactor_label: 'Using email (receive a code by email)'
-        # help_twoFactorAuthentication: "If you enable 2FA, each time you want to login to wallabag, you'll receive a code by email."
+            # googleTwoFactor_label: 'Using an OTP app (open the app, like Google Authenticator, Authy or FreeOTP, to get a one time code)'
+            # table_method: Method
+            # table_state: State
+            # table_action: Action
+            # state_enabled: Enabled
+            # state_disabled: Disabled
+            # action_email: Use email
+            # action_app: Use OTP App
        delete:
            # title: Delete my account (a.k.a danger zone)
            # description: If you remove your account, ALL your articles, ALL your tags, ALL your annotations and your account will be PERMANENTLY removed (it can't be UNDONE). You'll then be logged out.
@@ -160,6 +168,15 @@ config:
                and: 'Bir kural ve diğeri'
                # matches: 'Tests that a <i>subject</i> matches a <i>search</i> (case-insensitive).<br />Example: <code>title matches "football"</code>'
                # notmatches: 'Tests that a <i>subject</i> doesn''t match match a <i>search</i> (case-insensitive).<br />Example: <code>title notmatches "football"</code>'
+    otp:
+        # page_title: Two-factor authentication
+        # app:
+        #     two_factor_code_description_1: You just enabled the OTP two factor authentication, open your OTP app and use that code to get a one time password. It'll disapear after a page reload.
+        #     two_factor_code_description_2: 'You can scan that QR Code with your app:'
+        #     two_factor_code_description_3: 'Also, save these backup codes in a safe place, you can use them in case you lose access to your OTP app:'
+        #     two_factor_code_description_4: 'Test an OTP code from your configured app:'
+        #     cancel: Cancel
+        #     enable: Enable
 entry:
    default_title: 'Makalenin başlığı'
@@ -530,7 +547,8 @@ user:
        email_label: 'E-posta'
        # enabled_label: 'Enabled'
        # last_login_label: 'Last login'
-        # twofactor_label: Two factor authentication
+        # twofactor_email_label: Two factor authentication by email
+        # twofactor_google_label: Two factor authentication by OTP app
        # save: Save
        # delete: Delete
        # delete_confirm: Are you sure?
diff --git a/src/Wallabag/CoreBundle/Resources/views/themes/baggy/Config/index.html.twig b/src/Wallabag/CoreBundle/Resources/views/themes/baggy/Config/index.html.twig
index bcc57dac..93f8ddf8 100644
--- a/src/Wallabag/CoreBundle/Resources/views/themes/baggy/Config/index.html.twig
+++ b/src/Wallabag/CoreBundle/Resources/views/themes/baggy/Config/index.html.twig
@@ -86,8 +86,7 @@
                <br/>
                <img id="androidQrcode" />
                <script>
-                    const imgBase64 = jrQrcode.getQrBase64('wallabag://{{ app.user.username }}@{{ wallabag_url }}');
+                    document.getElementById('androidQrcode').src = jrQrcode.getQrBase64('wallabag://{{ app.user.username }}@{{ wallabag_url }}');
-                    document.getElementById('androidQrcode').src = imgBase64;
                </script>
            </div>
        </fieldset>
@@ -169,52 +168,41 @@
            </div>
        </fieldset>
+        {{ form_widget(form.user.save) }}
        {% if twofactor_auth %}
+        <h5>{{ 'config.otp.page_title'|trans }}</h5>
        <div class="row">
            {{ 'config.form_user.two_factor_description'|trans }}
        </div>
-        <fieldset class="w500p inline">
+        <table>
-            <div class="row">
+            <thead>
-                {{ form_label(form.user.twoFactorAuthentication) }}
+                <tr>
-                {{ form_errors(form.user.twoFactorAuthentication) }}
+                    <th>{{ 'config.form_user.two_factor.table_method'|trans }}</th>
-                {{ form_widget(form.user.twoFactorAuthentication) }}
+                    <th>{{ 'config.form_user.two_factor.table_state'|trans }}</th>
-            </div>
+                    <th>{{ 'config.form_user.two_factor.table_action'|trans }}</th>
-            <a href="#" title="{{ 'config.form_user.help_twoFactorAuthentication'|trans }}">
+                </tr>
-                <i class="material-icons">live_help</i>
+            </thead>
-            </a>
-        </fieldset>
-        {% endif %}
-        <h2>{{ 'config.reset.title'|trans }}</h2>
+            <tbody>
-        <fieldset class="w500p inline">
+                <tr>
-            <p>{{ 'config.reset.description'|trans }}</p>
+                    <td>{{ 'config.form_user.two_factor.emailTwoFactor_label'|trans }}</td>
-            <ul>
+                    <td>{% if app.user.isEmailTwoFactor %}<b>{{ 'config.form_user.two_factor.state_enabled'|trans }}</b>{% else %}{{ 'config.form_user.two_factor.state_disabled'|trans }}{% endif %}</td>
-                <li>
+                    <td><a href="{{ path('config_otp_email') }}" class="waves-effect waves-light btn{% if app.user.isEmailTwoFactor %} disabled{% endif %}">{{ 'config.form_user.two_factor.action_email'|trans }}</a></td>
-                    <a href="{{ path('config_reset', { type: 'annotations'}) }}" onclick="return confirm('{{ 'config.reset.confirm'|trans|escape('js') }}')" class="waves-effect waves-light btn red">
+                </tr>
-                        {{ 'config.reset.annotations'|trans }}
+                <tr>
-                    </a>
+                    <td>{{ 'config.form_user.two_factor.googleTwoFactor_label'|trans }}</td>
-                </li>
+                    <td>{% if app.user.isGoogleTwoFactor %}<b>{{ 'config.form_user.two_factor.state_enabled'|trans }}</b>{% else %}{{ 'config.form_user.two_factor.state_disabled'|trans }}{% endif %}</td>
-                <li>
+                    <td><a href="{{ path('config_otp_app') }}" class="waves-effect waves-light btn{% if app.user.isGoogleTwoFactor %} disabled{% endif %}">{{ 'config.form_user.two_factor.action_app'|trans }}</a></td>
-                    <a href="{{ path('config_reset', { type: 'tags'}) }}" onclick="return confirm('{{ 'config.reset.confirm'|trans|escape('js') }}')" class="waves-effect waves-light btn red">
+                </tr>
-                        {{ 'config.reset.tags'|trans }}
+            </tbody>
-                    </a>
+        </table>
-                </li>
-                <li>
+        {% endif %}
-                    <a href="{{ path('config_reset', { type: 'archived'}) }}" onclick="return confirm('{{ 'config.reset.confirm'|trans|escape('js') }}')" class="waves-effect waves-light btn red">
-                        {{ 'config.reset.archived'|trans }}
-                    </a>
-                </li>
-                <li>
-                    <a href="{{ path('config_reset', { type: 'entries'}) }}" onclick="return confirm('{{ 'config.reset.confirm'|trans|escape('js') }}')" class="waves-effect waves-light btn red">
-                        {{ 'config.reset.entries'|trans }}
-                    </a>
-                </li>
-            </ul>
-        </fieldset>
        {{ form_widget(form.user._token) }}
-        {{ form_widget(form.user.save) }}
    </form>
    {% if enabled_users > 1 %}
@@ -277,7 +265,7 @@
        {% endfor %}
    </ul>
-        {{ form_start(form.new_tagging_rule) }}
+    {{ form_start(form.new_tagging_rule) }}
        {{ form_errors(form.new_tagging_rule) }}
        <fieldset class="w500p inline">
@@ -382,4 +370,31 @@
            </table>
        </div>
    </div>
+    <h2>{{ 'config.reset.title'|trans }}</h2>
+    <fieldset class="w500p inline">
+        <p>{{ 'config.reset.description'|trans }}</p>
+        <ul>
+            <li>
+                <a href="{{ path('config_reset', { type: 'annotations'}) }}" onclick="return confirm('{{ 'config.reset.confirm'|trans|escape('js') }}')" class="waves-effect waves-light btn red">
+                    {{ 'config.reset.annotations'|trans }}
+                </a>
+            </li>
+            <li>
+                <a href="{{ path('config_reset', { type: 'tags'}) }}" onclick="return confirm('{{ 'config.reset.confirm'|trans|escape('js') }}')" class="waves-effect waves-light btn red">
+                    {{ 'config.reset.tags'|trans }}
+                </a>
+            </li>
+            <li>
+                <a href="{{ path('config_reset', { type: 'archived'}) }}" onclick="return confirm('{{ 'config.reset.confirm'|trans|escape('js') }}')" class="waves-effect waves-light btn red">
+                    {{ 'config.reset.archived'|trans }}
+                </a>
+            </li>
+            <li>
+                <a href="{{ path('config_reset', { type: 'entries'}) }}" onclick="return confirm('{{ 'config.reset.confirm'|trans|escape('js') }}')" class="waves-effect waves-light btn red">
+                    {{ 'config.reset.entries'|trans }}
+                </a>
+            </li>
+        </ul>
+    </fieldset>
 {% endblock %}
diff --git a/src/Wallabag/CoreBundle/Resources/views/themes/baggy/Config/otp_app.html.twig b/src/Wallabag/CoreBundle/Resources/views/themes/baggy/Config/otp_app.html.twig
new file mode 100644
index 00000000..0919646e
--- /dev/null
+++ b/src/Wallabag/CoreBundle/Resources/views/themes/baggy/Config/otp_app.html.twig
@@ -0,0 +1,55 @@
+{% extends "WallabagCoreBundle::layout.html.twig" %}
+{% block title %}{{ 'config.page_title'|trans }} > {{ 'config.otp.page_title'|trans }}{% endblock %}
+{% block content %}
+    <h5>{{ 'config.otp.page_title'|trans }}</h5>
+    <ol>
+        <li>
+            <p>{{ 'config.otp.app.two_factor_code_description_1'|trans }}</p>
+            <p>{{ 'config.otp.app.two_factor_code_description_2'|trans }}</p>
+            <p>
+                <img id="2faQrcode" class="hide-on-med-and-down" />
+                <script>
+                    document.getElementById('2faQrcode').src = jrQrcode.getQrBase64('{{ qr_code }}');
+                </script>
+            </p>
+        </li>
+        <li>
+            <p>{{ 'config.otp.app.two_factor_code_description_3'|trans }}</p>
+            <p><strong>{{ backupCodes|join("\n")|nl2br }}</strong></p>
+        </li>
+        <li>
+            <p>{{ 'config.otp.app.two_factor_code_description_4'|trans }}</p>
+            {% for flashMessage in app.session.flashbag.get("two_factor") %}
+            <div class="card-panel red darken-1 black-text">
+                {{ flashMessage|trans }}
+            </div>
+            {% endfor %}
+            <form class="form" action="{{ path("config_otp_app_check") }}" method="post">
+                <div class="card-content">
+                    <div class="row">
+                        <div class="input-field col s12">
+                            <label for="_auth_code">{{ "scheb_two_factor.auth_code"|trans }}</label>
+                            <input id="_auth_code" type="text" autocomplete="off" name="_auth_code" />
+                        </div>
+                    </div>
+                </div>
+                <div class="card-action">
+                    <a href="{{ path('config_otp_app_cancel') }}" class="waves-effect waves-light grey btn">
+                        {{ 'config.otp.app.cancel'|trans }}
+                    </a>
+                    <button class="btn waves-effect waves-light" type="submit" name="send">
+                        {{ 'config.otp.app.enable'|trans }}
+                        <i class="material-icons right">send</i>
+                    </button>
+                </div>
+            </form>
+        </li>
+    </ol>
+{% endblock %}
diff --git a/src/Wallabag/CoreBundle/Resources/views/themes/material/Config/index.html.twig b/src/Wallabag/CoreBundle/Resources/views/themes/material/Config/index.html.twig
index f896fe2d..412c18f4 100644
--- a/src/Wallabag/CoreBundle/Resources/views/themes/material/Config/index.html.twig
+++ b/src/Wallabag/CoreBundle/Resources/views/themes/material/Config/index.html.twig
@@ -16,6 +16,7 @@
                            <li class="tab col s12 m6 l3"><a href="#set3">{{ 'config.tab_menu.user_info'|trans }}</a></li>
                            <li class="tab col s12 m6 l3"><a href="#set4">{{ 'config.tab_menu.password'|trans }}</a></li>
                            <li class="tab col s12 m6 l3"><a href="#set5">{{ 'config.tab_menu.rules'|trans }}</a></li>
+                            <li class="tab col s12 m6 l3"><a href="#set6">{{ 'config.tab_menu.reset'|trans }}</a></li>
                        </ul>
                    </div>
@@ -111,8 +112,7 @@
                                    <img id="androidQrcode" class="hide-on-med-and-down" />
                                </div>
                                <script>
-                                    const imgBase64 = jrQrcode.getQrBase64('wallabag://{{ app.user.username }}@{{ wallabag_url }}');
+                                    document.getElementById('androidQrcode').src = jrQrcode.getQrBase64('wallabag://{{ app.user.username }}@{{ wallabag_url }}');
-                                    document.getElementById('androidQrcode').src = imgBase64;
                                </script>
                            </div>
@@ -196,59 +196,42 @@
                                </div>
                            </div>
-                            {% if twofactor_auth %}
+                            {{ form_widget(form.user.save, {'attr': {'class': 'btn waves-effect waves-light'}}) }}
-                            <div class="row">
-                                <div class="input-field col s11">
-                                    {{ 'config.form_user.two_factor_description'|trans }}
-                                    <br />
-                                    {{ form_widget(form.user.twoFactorAuthentication) }}
+                            {% if twofactor_auth %}
-                                    {{ form_label(form.user.twoFactorAuthentication) }}
+                                <br/>
-                                    {{ form_errors(form.user.twoFactorAuthentication) }}
+                                <br/>
-                                </div>
+                                <div class="row">
-                                <div class="input-field col s1">
+                                    <h5>{{ 'config.otp.page_title'|trans }}</h5>
-                                    <a href="#" class="tooltipped" data-position="left" data-delay="50" data-tooltip="{{ 'config.form_user.help_twoFactorAuthentication'|trans }}">
-                                        <i class="material-icons">live_help</i>
+                                    <p>{{ 'config.form_user.two_factor_description'|trans }}</p>
-                                    </a>
+                                    <table>
+                                        <thead>
+                                            <tr>
+                                                <th>{{ 'config.form_user.two_factor.table_method'|trans }}</th>
+                                                <th>{{ 'config.form_user.two_factor.table_state'|trans }}</th>
+                                                <th>{{ 'config.form_user.two_factor.table_action'|trans }}</th>
+                                            </tr>
+                                        </thead>
+                                        <tbody>
+                                            <tr>
+                                                <td>{{ 'config.form_user.two_factor.emailTwoFactor_label'|trans }}</td>
+                                                <td>{% if app.user.isEmailTwoFactor %}<b>{{ 'config.form_user.two_factor.state_enabled'|trans }}</b>{% else %}{{ 'config.form_user.two_factor.state_disabled'|trans }}{% endif %}</td>
+                                                <td><a href="{{ path('config_otp_email') }}" class="waves-effect waves-light btn{% if app.user.isEmailTwoFactor %} disabled{% endif %}">{{ 'config.form_user.two_factor.action_email'|trans }}</a></td>
+                                            </tr>
+                                            <tr>
+                                                <td>{{ 'config.form_user.two_factor.googleTwoFactor_label'|trans }}</td>
+                                                <td>{% if app.user.isGoogleTwoFactor %}<b>{{ 'config.form_user.two_factor.state_enabled'|trans }}</b>{% else %}{{ 'config.form_user.two_factor.state_disabled'|trans }}{% endif %}</td>
+                                                <td><a href="{{ path('config_otp_app') }}" class="waves-effect waves-light btn{% if app.user.isGoogleTwoFactor %} disabled{% endif %}">{{ 'config.form_user.two_factor.action_app'|trans }}</a></td>
+                                            </tr>
+                                        </tbody>
+                                    </table>
                                </div>
-                            </div>
                            {% endif %}
-                            {{ form_widget(form.user.save, {'attr': {'class': 'btn waves-effect waves-light'}}) }}
                            {{ form_widget(form.user._token) }}
                        </form>
-                        <br /><hr /><br />
-                        <div class="row">
-                            <h5>{{ 'config.reset.title'|trans }}</h5>
-                            <p>{{ 'config.reset.description'|trans }}</p>
-                            <a href="{{ path('config_reset', { type: 'annotations'}) }}" onclick="return confirm('{{ 'config.reset.confirm'|trans|escape('js') }}')" class="waves-effect waves-light btn red">
-                                {{ 'config.reset.annotations'|trans }}
-                            </a>
-                            <a href="{{ path('config_reset', { type: 'tags'}) }}" onclick="return confirm('{{ 'config.reset.confirm'|trans|escape('js') }}')" class="waves-effect waves-light btn red">
-                                {{ 'config.reset.tags'|trans }}
-                            </a>
-                            <a href="{{ path('config_reset', { type: 'archived'}) }}" onclick="return confirm('{{ 'config.reset.confirm'|trans|escape('js') }}')" class="waves-effect waves-light btn red">
-                                {{ 'config.reset.archived'|trans }}
-                            </a>
-                            <a href="{{ path('config_reset', { type: 'entries'}) }}" onclick="return confirm('{{ 'config.reset.confirm'|trans|escape('js') }}')" class="waves-effect waves-light btn red">
-                                {{ 'config.reset.entries'|trans }}
-                            </a>
-                        </div>
-                        {% if enabled_users > 1 %}
-                            <br /><hr /><br />
-                            <div class="row">
-                                <h5>{{ 'config.form_user.delete.title'|trans }}</h5>
-                                <p>{{ 'config.form_user.delete.description'|trans }}</p>
-                                <a href="{{ path('delete_account') }}" onclick="return confirm('{{ 'config.form_user.delete.confirm'|trans|escape('js') }}')" class="waves-effect waves-light btn red delete-account">
-                                    {{ 'config.form_user.delete.button'|trans }}
-                                </a>
-                            </div>
-                        {% endif %}
                    </div>
                    <div id="set4" class="col s12">
@@ -422,6 +405,37 @@
                            </div>
                        </div>
                    </div>
+                    <div id="set6" class="col s12">
+                        <div class="row">
+                            <h5>{{ 'config.reset.title'|trans }}</h5>
+                            <p>{{ 'config.reset.description'|trans }}</p>
+                            <a href="{{ path('config_reset', { type: 'annotations'}) }}" onclick="return confirm('{{ 'config.reset.confirm'|trans|escape('js') }}')" class="waves-effect waves-light btn red">
+                                {{ 'config.reset.annotations'|trans }}
+                            </a>
+                            <a href="{{ path('config_reset', { type: 'tags'}) }}" onclick="return confirm('{{ 'config.reset.confirm'|trans|escape('js') }}')" class="waves-effect waves-light btn red">
+                                {{ 'config.reset.tags'|trans }}
+                            </a>
+                            <a href="{{ path('config_reset', { type: 'archived'}) }}" onclick="return confirm('{{ 'config.reset.confirm'|trans|escape('js') }}')" class="waves-effect waves-light btn red">
+                                {{ 'config.reset.archived'|trans }}
+                            </a>
+                            <a href="{{ path('config_reset', { type: 'entries'}) }}" onclick="return confirm('{{ 'config.reset.confirm'|trans|escape('js') }}')" class="waves-effect waves-light btn red">
+                                {{ 'config.reset.entries'|trans }}
+                            </a>
+                        </div>
+                        {% if enabled_users > 1 %}
+                            <br /><hr /><br />
+                            <div class="row">
+                                <h5>{{ 'config.form_user.delete.title'|trans }}</h5>
+                                <p>{{ 'config.form_user.delete.description'|trans }}</p>
+                                <a href="{{ path('delete_account') }}" onclick="return confirm('{{ 'config.form_user.delete.confirm'|trans|escape('js') }}')" class="waves-effect waves-light btn red delete-account">
+                                    {{ 'config.form_user.delete.button'|trans }}
+                                </a>
+                            </div>
+                        {% endif %}
+                    </div>
                </div>
            </div>
diff --git a/src/Wallabag/CoreBundle/Resources/views/themes/material/Config/otp_app.html.twig b/src/Wallabag/CoreBundle/Resources/views/themes/material/Config/otp_app.html.twig
new file mode 100644
index 00000000..7875d787
--- /dev/null
+++ b/src/Wallabag/CoreBundle/Resources/views/themes/material/Config/otp_app.html.twig
@@ -0,0 +1,63 @@
+{% extends "WallabagCoreBundle::layout.html.twig" %}
+{% block title %}{{ 'config.page_title'|trans }} > {{ 'config.otp.page_title'|trans }}{% endblock %}
+{% block content %}
+    <div class="row">
+        <div class="col s12">
+            <div class="card-panel settings">
+                <div class="row">
+                    <h5>{{ 'config.otp.page_title'|trans }}</h5>
+                    <ol>
+                        <li>
+                            <p>{{ 'config.otp.app.two_factor_code_description_1'|trans }}</p>
+                            <p>{{ 'config.otp.app.two_factor_code_description_2'|trans }}</p>
+                            <p>
+                                <img id="2faQrcode" class="hide-on-med-and-down" />
+                                <script>
+                                    document.getElementById('2faQrcode').src = jrQrcode.getQrBase64('{{ qr_code }}');
+                                </script>
+                            </p>
+                        </li>
+                        <li>
+                            <p>{{ 'config.otp.app.two_factor_code_description_3'|trans }}</p>
+                            <p><strong>{{ backupCodes|join("\n")|nl2br }}</strong></p>
+                        </li>
+                        <li>
+                            <p>{{ 'config.otp.app.two_factor_code_description_4'|trans }}</p>
+                            {% for flashMessage in app.session.flashbag.get("two_factor") %}
+                            <div class="card-panel red darken-1 black-text">
+                                {{ flashMessage|trans }}
+                            </div>
+                            {% endfor %}
+                            <form class="form" action="{{ path("config_otp_app_check") }}" method="post">
+                                <div class="card-content">
+                                    <div class="row">
+                                        <div class="input-field col s12">
+                                            <label for="_auth_code">{{ "scheb_two_factor.auth_code"|trans }}</label>
+                                            <input id="_auth_code" type="text" autocomplete="off" name="_auth_code" />
+                                        </div>
+                                    </div>
+                                </div>
+                                <div class="card-action">
+                                    <a href="{{ path('config_otp_app_cancel') }}" class="waves-effect waves-light grey btn">
+                                        {{ 'config.otp.app.cancel'|trans }}
+                                    </a>
+                                    <button class="btn waves-effect waves-light" type="submit" name="send">
+                                        {{ 'config.otp.app.enable'|trans }}
+                                        <i class="material-icons right">send</i>
+                                    </button>
+                                </div>
+                            </form>
+                        </li>
+                    </ol>
+                </div>
+            </div>
+        </div>
+    </div>
+{% endblock %}
diff --git a/src/Wallabag/UserBundle/Controller/ManageController.php b/src/Wallabag/UserBundle/Controller/ManageController.php
index a9746fb4..63a06206 100644
--- a/src/Wallabag/UserBundle/Controller/ManageController.php
+++ b/src/Wallabag/UserBundle/Controller/ManageController.php
@@ -62,14 +62,29 @@ class ManageController extends Controller
     */
    public function editAction(Request $request, User $user)
    {
+        $userManager = $this->container->get('fos_user.user_manager');
        $deleteForm = $this->createDeleteForm($user);
-        $editForm = $this->createForm('Wallabag\UserBundle\Form\UserType', $user);
+        $form = $this->createForm('Wallabag\UserBundle\Form\UserType', $user);
-        $editForm->handleRequest($request);
+        $form->handleRequest($request);
-        if ($editForm->isSubmitted() && $editForm->isValid()) {
+        // `googleTwoFactor` isn't a field within the User entity, we need to define it's value in a different way
-            $em = $this->getDoctrine()->getManager();
+        if ($this->getParameter('twofactor_auth') && true === $user->isGoogleAuthenticatorEnabled() && false === $form->isSubmitted()) {
-            $em->persist($user);
+            $form->get('googleTwoFactor')->setData(true);
-            $em->flush();
+        }
+        if ($form->isSubmitted() && $form->isValid()) {
+            // handle creation / reset of the OTP secret if checkbox changed from the previous state
+            if ($this->getParameter('twofactor_auth')) {
+                if (true === $form->get('googleTwoFactor')->getData() && false === $user->isGoogleAuthenticatorEnabled()) {
+                    $user->setGoogleAuthenticatorSecret($this->get('scheb_two_factor.security.google_authenticator')->generateSecret());
+                    $user->setEmailTwoFactor(false);
+                } elseif (false === $form->get('googleTwoFactor')->getData() && true === $user->isGoogleAuthenticatorEnabled()) {
+                    $user->setGoogleAuthenticatorSecret(null);
+                }
+            }
+            $userManager->updateUser($user);
            $this->get('session')->getFlashBag()->add(
                'notice',
@@ -81,7 +96,7 @@ class ManageController extends Controller
        return $this->render('WallabagUserBundle:Manage:edit.html.twig', [
            'user' => $user,
-            'edit_form' => $editForm->createView(),
+            'edit_form' => $form->createView(),
            'delete_form' => $deleteForm->createView(),
            'twofactor_auth' => $this->getParameter('twofactor_auth'),
        ]);
@@ -131,8 +146,6 @@ class ManageController extends Controller
        $form->handleRequest($request);
        if ($form->isSubmitted() && $form->isValid()) {
-            $this->get('logger')->info('searching users');
            $searchTerm = (isset($request->get('search_user')['term']) ? $request->get('search_user')['term'] : '');
            $qb = $em->getRepository('WallabagUserBundle:User')->getQueryBuilderForSearch($searchTerm);
@@ -157,7 +170,7 @@ class ManageController extends Controller
    }
    /**
-     * Creates a form to delete a User entity.
+     * Create a form to delete a User entity.
     *
     * @param User $user The User entity
     *
diff --git a/src/Wallabag/UserBundle/Entity/User.php b/src/Wallabag/UserBundle/Entity/User.php
index 48446e3c..43fa6a80 100644
--- a/src/Wallabag/UserBundle/Entity/User.php
+++ b/src/Wallabag/UserBundle/Entity/User.php
@@ -8,8 +8,9 @@ use FOS\UserBundle\Model\User as BaseUser;
 use JMS\Serializer\Annotation\Accessor;
 use JMS\Serializer\Annotation\Groups;
 use JMS\Serializer\Annotation\XmlRoot;
-use Scheb\TwoFactorBundle\Model\Email\TwoFactorInterface;
+use Scheb\TwoFactorBundle\Model\BackupCodeInterface;
-use Scheb\TwoFactorBundle\Model\TrustedComputerInterface;
+use Scheb\TwoFactorBundle\Model\Email\TwoFactorInterface as EmailTwoFactorInterface;
+use Scheb\TwoFactorBundle\Model\Google\TwoFactorInterface as GoogleTwoFactorInterface;
 use Symfony\Bridge\Doctrine\Validator\Constraints\UniqueEntity;
 use Symfony\Component\Security\Core\User\UserInterface;
 use Wallabag\ApiBundle\Entity\Client;
@@ -28,7 +29,7 @@ use Wallabag\CoreBundle\Helper\EntityTimestampsTrait;
 * @UniqueEntity("email")
 * @UniqueEntity("username")
 */
-class User extends BaseUser implements TwoFactorInterface, TrustedComputerInterface
+class User extends BaseUser implements EmailTwoFactorInterface, GoogleTwoFactorInterface, BackupCodeInterface
 {
    use EntityTimestampsTrait;
@@ -123,16 +124,21 @@ class User extends BaseUser implements TwoFactorInterface, TrustedComputerInterf
    private $authCode;
    /**
-     * @var bool
+     * @ORM\Column(name="googleAuthenticatorSecret", type="string", nullable=true)
-     *
-     * @ORM\Column(type="boolean")
     */
-    private $twoFactorAuthentication = false;
+    private $googleAuthenticatorSecret;
    /**
     * @ORM\Column(type="json_array", nullable=true)
     */
-    private $trusted;
+    private $backupCodes;
+    /**
+     * @var bool
+     *
+     * @ORM\Column(type="boolean")
+     */
+    private $emailTwoFactor = false;
    public function __construct()
    {
@@ -233,49 +239,119 @@ class User extends BaseUser implements TwoFactorInterface, TrustedComputerInterf
    /**
     * @return bool
     */
-    public function isTwoFactorAuthentication()
+    public function isEmailTwoFactor()
    {
-        return $this->twoFactorAuthentication;
+        return $this->emailTwoFactor;
    }
    /**
-     * @param bool $twoFactorAuthentication
+     * @param bool $emailTwoFactor
     */
-    public function setTwoFactorAuthentication($twoFactorAuthentication)
+    public function setEmailTwoFactor($emailTwoFactor)
    {
-        $this->twoFactorAuthentication = $twoFactorAuthentication;
+        $this->emailTwoFactor = $emailTwoFactor;
    }
-    public function isEmailAuthEnabled()
+    /**
+     * Used in the user config form to be "like" the email option.
+     */
+    public function isGoogleTwoFactor()
+    {
+        return $this->isGoogleAuthenticatorEnabled();
+    }
+    /**
+     * {@inheritdoc}
+     */
+    public function isEmailAuthEnabled(): bool
    {
-        return $this->twoFactorAuthentication;
+        return $this->emailTwoFactor;
    }
-    public function getEmailAuthCode()
+    /**
+     * {@inheritdoc}
+     */
+    public function getEmailAuthCode(): string
    {
        return $this->authCode;
    }
-    public function setEmailAuthCode($authCode)
+    /**
+     * {@inheritdoc}
+     */
+    public function setEmailAuthCode(string $authCode): void
    {
        $this->authCode = $authCode;
    }
-    public function addTrustedComputer($token, \DateTime $validUntil)
+    /**
+     * {@inheritdoc}
+     */
+    public function getEmailAuthRecipient(): string
    {
-        $this->trusted[$token] = $validUntil->format('r');
+        return $this->email;
    }
-    public function isTrustedComputer($token)
+    /**
+     * {@inheritdoc}
+     */
+    public function isGoogleAuthenticatorEnabled(): bool
    {
-        if (isset($this->trusted[$token])) {
+        return $this->googleAuthenticatorSecret ? true : false;
-            $now = new \DateTime();
+    }
-            $validUntil = new \DateTime($this->trusted[$token]);
-            return $now < $validUntil;
+    /**
-        }
+     * {@inheritdoc}
+     */
+    public function getGoogleAuthenticatorUsername(): string
+    {
+        return $this->username;
+    }
-        return false;
+    /**
+     * {@inheritdoc}
+     */
+    public function getGoogleAuthenticatorSecret(): string
+    {
+        return $this->googleAuthenticatorSecret;
+    }
+    /**
+     * {@inheritdoc}
+     */
+    public function setGoogleAuthenticatorSecret(?string $googleAuthenticatorSecret): void
+    {
+        $this->googleAuthenticatorSecret = $googleAuthenticatorSecret;
+    }
+    public function setBackupCodes(array $codes = null)
+    {
+        $this->backupCodes = $codes;
+    }
+    public function getBackupCodes()
+    {
+        return $this->backupCodes;
+    }
+    /**
+     * {@inheritdoc}
+     */
+    public function isBackupCode(string $code): bool
+    {
+        return false === $this->findBackupCode($code) ? false : true;
+    }
+    /**
+     * {@inheritdoc}
+     */
+    public function invalidateBackupCode(string $code): void
+    {
+        $key = $this->findBackupCode($code);
+        if (false !== $key) {
+            unset($this->backupCodes[$key]);
+        }
    }
    /**
@@ -309,4 +385,24 @@ class User extends BaseUser implements TwoFactorInterface, TrustedComputerInterf
            return $this->clients->first();
        }
    }
+    /**
+     * Try to find a backup code from the list of backup codes of the current user.
+     *
+     * @param string $code Given code from the user
+     *
+     * @return string|false
+     */
+    private function findBackupCode(string $code)
+    {
+        foreach ($this->backupCodes as $key => $backupCode) {
+            // backup code are hashed using `password_hash`
+            // see ConfigController->otpAppAction
+            if (password_verify($code, $backupCode)) {
+                return $key;
+            }
+        }
+        return false;
+    }
 }
diff --git a/src/Wallabag/UserBundle/Form/UserType.php b/src/Wallabag/UserBundle/Form/UserType.php
index 56fea640..026db9a2 100644
--- a/src/Wallabag/UserBundle/Form/UserType.php
+++ b/src/Wallabag/UserBundle/Form/UserType.php
@@ -35,9 +35,14 @@ class UserType extends AbstractType
                'required' => false,
                'label' => 'user.form.enabled_label',
            ])
-            ->add('twoFactorAuthentication', CheckboxType::class, [
+            ->add('emailTwoFactor', CheckboxType::class, [
                'required' => false,
-                'label' => 'user.form.twofactor_label',
+                'label' => 'user.form.twofactor_email_label',
+            ])
+            ->add('googleTwoFactor', CheckboxType::class, [
+                'required' => false,
+                'label' => 'user.form.twofactor_google_label',
+                'mapped' => false,
            ])
            ->add('save', SubmitType::class, [
                'label' => 'user.form.save',
diff --git a/src/Wallabag/UserBundle/Mailer/AuthCodeMailer.php b/src/Wallabag/UserBundle/Mailer/AuthCodeMailer.php
index aed805c9..2797efde 100644
--- a/src/Wallabag/UserBundle/Mailer/AuthCodeMailer.php
+++ b/src/Wallabag/UserBundle/Mailer/AuthCodeMailer.php
@@ -78,7 +78,7 @@ class AuthCodeMailer implements AuthCodeMailerInterface
     *
     * @param TwoFactorInterface $user
     */
-    public function sendAuthCode(TwoFactorInterface $user)
+    public function sendAuthCode(TwoFactorInterface $user): void
    {
        $template = $this->twig->loadTemplate('WallabagUserBundle:TwoFactor:email_auth_code.html.twig');
@@ -97,7 +97,7 @@ class AuthCodeMailer implements AuthCodeMailerInterface
        $message = new \Swift_Message();
        $message
-            ->setTo($user->getEmail())
+            ->setTo($user->getEmailAuthRecipient())
            ->setFrom($this->senderEmail, $this->senderName)
            ->setSubject($subject)
            ->setBody($bodyText, 'text/plain')
diff --git a/src/Wallabag/UserBundle/Resources/views/Authentication/form.html.twig b/src/Wallabag/UserBundle/Resources/views/Authentication/form.html.twig
index c8471bdd..47a5cb78 100644
--- a/src/Wallabag/UserBundle/Resources/views/Authentication/form.html.twig
+++ b/src/Wallabag/UserBundle/Resources/views/Authentication/form.html.twig
@@ -1,7 +1,8 @@
+{# Override `vendor/scheb/two-factor-bundle/Resources/views/Authentication/form.html.twig` #}
 {% extends "WallabagUserBundle::layout.html.twig" %}
 {% block fos_user_content %}
-<form class="form" action="" method="post">
+<form class="form" action="{{ path("2fa_login_check") }}" method="post">
    <div class="card-content">
        <div class="row">
@@ -9,14 +10,19 @@
            <p class="error">{{ flashMessage|trans }}</p>
            {% endfor %}
+            {# Authentication errors #}
+            {% if authenticationError %}
+            <p class="error">{{ authenticationError|trans(authenticationErrorData) }}</p>
+            {% endif %}
            <div class="input-field col s12">
                <label for="_auth_code">{{ "scheb_two_factor.auth_code"|trans }}</label>
-                <input id="_auth_code" type="text" autocomplete="off" name="_auth_code" />
+                <input id="_auth_code" type="text" autocomplete="off" name="{{ authCodeParameterName }}" />
            </div>
-            {% if useTrustedOption %}
+            {% if displayTrustedOption %}
            <div class="input-field col s12">
-                <input id="_trusted" type="checkbox" name="_trusted" />
+                <input id="_trusted" type="checkbox" name="{{ trustedParameterName }}" />
                <label for="_trusted">{{ "scheb_two_factor.trusted"|trans }}</label>
            </div>
            {% endif %}
diff --git a/src/Wallabag/UserBundle/Resources/views/Manage/edit.html.twig b/src/Wallabag/UserBundle/Resources/views/Manage/edit.html.twig
index 3ffd15f5..2de8f3a5 100644
--- a/src/Wallabag/UserBundle/Resources/views/Manage/edit.html.twig
+++ b/src/Wallabag/UserBundle/Resources/views/Manage/edit.html.twig
@@ -50,9 +50,14 @@
                                {% if twofactor_auth %}
                                <div class="row">
                                    <div class="input-field col s12">
-                                        {{ form_widget(edit_form.twoFactorAuthentication) }}
+                                        {{ form_widget(edit_form.emailTwoFactor) }}
-                                        {{ form_label(edit_form.twoFactorAuthentication) }}
+                                        {{ form_label(edit_form.emailTwoFactor) }}
-                                        {{ form_errors(edit_form.twoFactorAuthentication) }}
+                                        {{ form_errors(edit_form.emailTwoFactor) }}
+                                    </div>
+                                    <div class="input-field col s12">
+                                        {{ form_widget(edit_form.googleTwoFactor) }}
+                                        {{ form_label(edit_form.googleTwoFactor) }}
+                                        {{ form_errors(edit_form.googleTwoFactor) }}
                                    </div>
                                </div>
                                {% endif %}
author	Kevin Decherf <kevin@kdecherf.com>	2019-01-30 01:02:27 +0100
committer	GitHub <noreply@github.com>	2019-01-30 01:02:27 +0100
commit	2e5b3fa361098498a9e42a65396a27e1eb487fba (patch)
tree	f20677c3d68c1ea756f0835ff179a0d7d3431a67 /src
parent	c6024246b744e411175318065f7c396bbb5a213e (diff)
parent	4654a83b6438b88e3b7062a21d18999d9df2fb8e (diff)
download	wallabag-2e5b3fa361098498a9e42a65396a27e1eb487fba.tar.gz wallabag-2e5b3fa361098498a9e42a65396a27e1eb487fba.tar.zst wallabag-2e5b3fa361098498a9e42a65396a27e1eb487fba.zip