diff --git a/docker/backend/Dockerfile b/docker/backend/Dockerfile
index d3f7de93..67a2bc25 100644
--- a/docker/backend/Dockerfile
+++ b/docker/backend/Dockerfile
@@ -71,6 +71,7 @@ RUN pip install --no-cache-dir \
     opentelemetry-instrumentation-httpx==0.50b0 \
     opentelemetry-instrumentation-redis==0.50b0 \
     python-magic==0.4.27 \
+    pyotp==2.9.0 \
     twilio==9.10.5 \
     "audioop-lts; python_version >= '3.13'"
 
diff --git a/docs/memory/architecture.md b/docs/memory/architecture.md
index 3cd7d970..afd1f33f 100644
--- a/docs/memory/architecture.md
+++ b/docs/memory/architecture.md
@@ -698,6 +698,7 @@ Open-core seam: enterprise backend code lives in the private `trinity-enterprise
 | `audit` | (#941) | Entitlement only — flips the OSS audit-log dashboard route visible; `/api/audit-log/*` stays OSS |
 | `user_management` | `enterprise/backend/user_management/` (#995) | Org lifecycle: invite (whitelist + email), deactivate/reactivate (over the OSS `users.suspended_at` primitive), per-user activity view (reads OSS `audit_log`). `/api/enterprise/user-management/*`; Settings → User Management UI |
 | `siem` | `enterprise/backend/siem/` (#997) | SIEM log export — ships OSS `audit_log` to a customer SIEM over HTTP/JSON webhook. Private `enterprise_siem_config` (destination + AES-encrypted token + export cursor); Redis-lock-serialised background pusher; at-least-once (cursor advances only on successful POST). `/api/enterprise/siem/*`; no OSS/UI surface |
+| `2fa` | `enterprise/backend/two_factor/` (#5) | Two-factor auth via **TOTP** (RFC 6238; Google Authenticator is one compatible app — chosen over Google-OIDC to avoid a runtime IdP dependency). Private `enterprise_user_2fa` (AES-256-GCM secret + monotonic `last_used_step` replay guard), `enterprise_2fa_recovery_codes` (single-use, SHA-256-hashed), `enterprise_2fa_config` (per-role policy). `/api/enterprise/2fa/*` — self-service enroll/confirm/disable/recovery + admin policy + the `login/*` challenge-completion endpoints. Login seam is edition-agnostic: `services/mfa_gate.py` (no provider in OSS → no-op, fail-open) + `create_mfa_challenge_token`/`decode_mfa_challenge` in `dependencies.py`; on a required second factor the OSS auth routers (`/token`, `/api/auth/email/verify`) return a short-lived challenge token instead of an access token. Settings → Security UI |
 
 ---
 
diff --git a/src/backend/dependencies.py b/src/backend/dependencies.py
index c6b1d34b..7c15d5a2 100644
--- a/src/backend/dependencies.py
+++ b/src/backend/dependencies.py
@@ -65,6 +65,47 @@ def create_access_token(data: dict, expires_delta: Optional[timedelta] = None, m
     return encoded_jwt
 
 
+# Scope marker for the short-lived token issued between password/email
+# verification and second-factor completion (enterprise 2FA, #5). A token
+# carrying this scope is NOT a valid access token — it only authorizes the
+# /api/enterprise/2fa/login/* endpoints.
+MFA_CHALLENGE_SCOPE = "mfa_challenge"
+MFA_CHALLENGE_EXPIRE_MINUTES = 5
+
+
+def create_mfa_challenge_token(username: str, mode: str = "prod") -> str:
+    """Mint a short-lived challenge token binding a half-authenticated session
+    to its eventual login ``mode``. Generic (OSS) — the enterprise module
+    decides *whether* to require it; this only encodes it. The carried ``mode``
+    is replayed into the final access token so admin/email tokens keep their
+    original mode after the second factor."""
+    return create_access_token(
+        data={"sub": username, "scope": MFA_CHALLENGE_SCOPE},
+        expires_delta=timedelta(minutes=MFA_CHALLENGE_EXPIRE_MINUTES),
+        mode=mode,
+    )
+
+
+def decode_mfa_challenge(token: str) -> Optional[dict]:
+    """Validate a challenge token. Returns ``{"username", "mode"}`` if the
+    token is a non-expired challenge token for an existing, non-suspended
+    user; ``None`` otherwise. Used by the enterprise 2FA login endpoints to
+    resolve the half-authenticated identity before minting the real token."""
+    try:
+        payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
+    except JWTError:
+        return None
+    if payload.get("scope") != MFA_CHALLENGE_SCOPE:
+        return None
+    username = payload.get("sub")
+    if not username:
+        return None
+    user = db.get_user_by_username(username)
+    if not user or user.get("suspended_at"):
+        return None
+    return {"username": username, "mode": payload.get("mode", "prod")}
+
+
 def decode_token(token: str) -> Optional[dict]:
     """
     Decode a JWT token without FastAPI dependency.
@@ -82,6 +123,10 @@ def decode_token(token: str) -> Optional[dict]:
         if not username:
             return None
 
+        # #5 — a half-authenticated 2FA challenge token is not a session token.
+        if payload.get("scope") == MFA_CHALLENGE_SCOPE:
+            return None
+
         # Get full user record from database
         user = db.get_user_by_username(username)
         if not user:
@@ -117,6 +162,12 @@ async def get_current_user(request: Request, token: str = Depends(oauth2_scheme)
         if username is None:
             raise credentials_exception
 
+        # #5 — reject a 2FA challenge token used as a session token. It only
+        # authorizes /api/enterprise/2fa/login/*; the second factor must be
+        # completed there to obtain a real access token.
+        if payload.get("scope") == MFA_CHALLENGE_SCOPE:
+            raise credentials_exception
+
         user = db.get_user_by_username(username)
         if user is None:
             raise credentials_exception
diff --git a/src/backend/models.py b/src/backend/models.py
index e567f4a8..27f61957 100644
--- a/src/backend/models.py
+++ b/src/backend/models.py
@@ -65,9 +65,20 @@ class User(BaseModel):
 
 
 class Token(BaseModel):
-    """JWT token response."""
-    access_token: str
-    token_type: str
+    """JWT token response.
+
+    Normally carries ``access_token``. When enterprise 2FA (#5) requires a
+    second factor, the login endpoint instead returns ``mfa_required`` +
+    ``challenge_token`` and no ``access_token`` — the client completes the
+    flow at ``/api/enterprise/2fa/login/*`` to obtain the real token. The 2FA
+    fields are always absent in OSS-only builds.
+    """
+    access_token: Optional[str] = None
+    token_type: str = "bearer"
+    mfa_required: Optional[bool] = None
+    mfa_enrolled: Optional[bool] = None
+    enrollment_required: Optional[bool] = None
+    challenge_token: Optional[str] = None
 
 
 class ChatMessageRequest(BaseModel):
diff --git a/src/backend/routers/auth.py b/src/backend/routers/auth.py
index 7e6140b7..9cf6d7d1 100644
--- a/src/backend/routers/auth.py
+++ b/src/backend/routers/auth.py
@@ -289,6 +289,26 @@ async def login(request: Request, form_data: OAuth2PasswordRequestForm = Depends
     # Update last login timestamp
     db.update_last_login(user["username"])
 
+    # #5 — enterprise 2FA gate. Password is the first factor; if a second
+    # factor is required (user enrolled OR policy mandates it for the role)
+    # return a challenge instead of an access token. OSS-only builds have no
+    # provider registered → returns None → unchanged behaviour.
+    from services import mfa_gate
+    challenge = mfa_gate.gate_login(user, mode="admin")
+    if challenge:
+        await platform_audit_service.log(
+            event_type=AuditEventType.AUTHENTICATION,
+            event_action="mfa_challenge_issued",
+            source="api",
+            actor_ip=client_ip,
+            target_type="user",
+            target_id=user["username"],
+            endpoint=str(request.url.path),
+            request_id=getattr(request.state, "request_id", None),
+            details={"method": "admin"},
+        )
+        return challenge
+
     access_token_expires = timedelta(minutes=ACCESS_TOKEN_EXPIRE_MINUTES)
     access_token = create_access_token(
         data={"sub": user["username"]},
@@ -506,6 +526,25 @@ async def verify_email_login_code(request: Request):
     # Update last login
     db.update_last_login(user["username"])
 
+    # #5 — enterprise 2FA gate. The verified email code is the first factor;
+    # if a second factor is required, return a challenge instead of a token.
+    # OSS-only builds have no provider → returns None → unchanged behaviour.
+    from services import mfa_gate
+    challenge = mfa_gate.gate_login(user, mode="email")
+    if challenge:
+        await platform_audit_service.log(
+            event_type=AuditEventType.AUTHENTICATION,
+            event_action="mfa_challenge_issued",
+            source="api",
+            actor_ip=client_ip,
+            target_type="user",
+            target_id=user["username"],
+            endpoint=str(request.url.path),
+            request_id=getattr(request.state, "request_id", None),
+            details={"method": "email", "email": email},
+        )
+        return challenge
+
     # Create JWT token
     access_token_expires = timedelta(minutes=ACCESS_TOKEN_EXPIRE_MINUTES)
     access_token = create_access_token(
diff --git a/src/backend/services/mfa_gate.py b/src/backend/services/mfa_gate.py
new file mode 100644
index 00000000..161960d6
--- /dev/null
+++ b/src/backend/services/mfa_gate.py
@@ -0,0 +1,90 @@
+"""MFA gate — the OSS seam the enterprise 2FA module (#5) plugs into.
+
+The login path (``routers/auth.py``) must stay edition-agnostic: OSS-only
+builds have no second factor and behave exactly as before. This module is the
+single hook point. An enterprise module registers a *provider* at startup; the
+auth routers call :func:`gate_login` after primary credentials are verified.
+
+* OSS-only build → no provider registered → :func:`gate_login` returns ``None``
+  → the router issues the JWT normally. Zero behavioural change.
+* Enterprise build with 2FA entitled → the provider decides whether this user
+  must complete a second factor; if so, :func:`gate_login` returns a *challenge
+  response* (a short-lived challenge token + flags) and the router returns that
+  instead of an access token. The frontend then completes the flow against
+  ``/api/enterprise/2fa/login/*``, which mints the real access token.
+
+The provider holds all the IP (TOTP verify, policy). This module only knows
+the *protocol*:
+
+    provider.gate_decision(user: dict) -> {"enrolled": bool, "required": bool}
+
+``user`` is the OSS user row dict (``id``, ``username``, ``role``, ``email``).
+"""
+from __future__ import annotations
+
+import logging
+from typing import Any, Optional, Protocol
+
+logger = logging.getLogger(__name__)
+
+
+class MfaProvider(Protocol):
+    def gate_decision(self, user: dict) -> dict:  # {"enrolled": bool, "required": bool}
+        ...
+
+
+_provider: Optional[MfaProvider] = None
+
+
+def register_provider(provider: MfaProvider) -> None:
+    """Register the enterprise MFA provider. Idempotent (last wins)."""
+    global _provider
+    _provider = provider
+    logger.info("[mfa_gate] provider registered: %s", type(provider).__name__)
+
+
+def get_provider() -> Optional[MfaProvider]:
+    return _provider
+
+
+def clear_provider() -> None:
+    """Drop the provider — used by tests to restore the OSS no-op path."""
+    global _provider
+    _provider = None
+
+
+def gate_login(user: dict, mode: str) -> Optional[dict[str, Any]]:
+    """Decide whether ``user`` must complete a second factor before a token
+    is issued. Returns ``None`` to proceed normally, or a challenge response.
+
+    Fail-open by design (consistent with Trinity's availability bias for
+    cross-cutting gates): if the provider errors we log and let the password
+    factor stand rather than locking everyone out. This is a deliberate
+    tradeoff documented for #5 — a hard fail-closed would turn any 2FA bug
+    into a full-platform login outage.
+    """
+    provider = _provider
+    if provider is None:
+        return None  # OSS-only build — no second factor
+    try:
+        decision = provider.gate_decision(user) or {}
+    except Exception:  # noqa: BLE001 — never let a 2FA bug block all logins
+        logger.exception("[mfa_gate] provider.gate_decision failed; failing open")
+        return None
+
+    enrolled = bool(decision.get("enrolled"))
+    required = bool(decision.get("required"))
+    if not enrolled and not required:
+        return None  # user has no 2FA and policy doesn't force it
+
+    # Late import: keeps this module importable without the full auth stack
+    # (e.g. isolated unit tests of the registry).
+    from dependencies import create_mfa_challenge_token
+
+    challenge = create_mfa_challenge_token(user["username"], mode)
+    return {
+        "mfa_required": True,
+        "mfa_enrolled": enrolled,
+        "enrollment_required": required and not enrolled,
+        "challenge_token": challenge,
+    }
diff --git a/src/frontend/package.json b/src/frontend/package.json
index 77868f89..f57fb452 100644
--- a/src/frontend/package.json
+++ b/src/frontend/package.json
@@ -31,6 +31,7 @@
     "mermaid": "^11.15.0",
     "monaco-editor": "^0.55.1",
     "pinia": "^3.0.4",
+    "qrcode": "^1.5.4",
     "uplot": "^1.6.32",
     "vue": "^3.5.35",
     "vue-chartjs": "^5.3.2",
diff --git a/src/frontend/src/components/QrCode.vue b/src/frontend/src/components/QrCode.vue
new file mode 100644
index 00000000..52ed16cb
--- /dev/null
+++ b/src/frontend/src/components/QrCode.vue
@@ -0,0 +1,50 @@
+<template>
+  <div class="flex flex-col items-center">
+    <img
+      v-if="dataUrl"
+      :src="dataUrl"
+      :alt="alt"
+      class="rounded-lg border border-gray-200 dark:border-gray-700 bg-white p-2"
+      width="200"
+      height="200"
+    />
+    <div
+      v-else
+      class="w-[200px] h-[200px] flex items-center justify-center rounded-lg border border-dashed border-gray-300 dark:border-gray-600 text-xs text-gray-500 dark:text-gray-400 text-center px-3"
+    >
+      {{ error ? 'QR unavailable — use the manual code below' : 'Generating QR…' }}
+    </div>
+  </div>
+</template>
+
+<script setup>
+// Renders a QR for a TOTP otpauth:// URI (#5). The `qrcode` package is
+// imported dynamically and best-effort: if it isn't installed yet the
+// component degrades to a hint and the caller's manual-entry secret carries
+// the enrollment. The secret never leaves the browser — no external QR service.
+import { ref, watch, onMounted } from 'vue'
+
+const props = defineProps({
+  value: { type: String, required: true },
+  alt: { type: String, default: 'Authenticator QR code' },
+})
+
+const dataUrl = ref('')
+const error = ref(false)
+
+const render = async () => {
+  dataUrl.value = ''
+  error.value = false
+  if (!props.value) return
+  try {
+    const QR = await import('qrcode')
+    dataUrl.value = await (QR.default || QR).toDataURL(props.value, { width: 200, margin: 1 })
+  } catch (e) {
+    console.warn('[QrCode] render failed:', e?.message || e)
+    error.value = true
+  }
+}
+
+onMounted(render)
+watch(() => props.value, render)
+</script>
diff --git a/src/frontend/src/components/settings/TwoFactorPanel.vue b/src/frontend/src/components/settings/TwoFactorPanel.vue
new file mode 100644
index 00000000..9c3ba9d1
--- /dev/null
+++ b/src/frontend/src/components/settings/TwoFactorPanel.vue
@@ -0,0 +1,209 @@
+<template>
+  <div class="bg-white dark:bg-gray-800 shadow dark:shadow-gray-900 rounded-lg">
+    <div class="px-6 py-5 border-b border-gray-200 dark:border-gray-700">
+      <h2 class="text-lg font-medium text-gray-900 dark:text-white">Two-Factor Authentication</h2>
+      <p class="mt-1 text-sm text-gray-500 dark:text-gray-400">
+        Add a TOTP second factor (Google Authenticator, 1Password, Authy…) to your account.
+      </p>
+    </div>
+
+    <div class="px-6 py-5 space-y-5">
+      <div v-if="loading" class="text-sm text-gray-500 dark:text-gray-400">Loading…</div>
+
+      <template v-else>
+        <!-- Enrolled state -->
+        <div v-if="status.enrolled" class="space-y-4">
+          <div class="flex items-center gap-2 text-sm">
+            <span class="inline-flex items-center px-2 py-0.5 rounded-full text-xs font-medium bg-green-100 text-green-800 dark:bg-green-900/40 dark:text-green-300">
+              ✓ Enabled
+            </span>
+            <span class="text-gray-500 dark:text-gray-400">
+              {{ status.recovery_codes_remaining }} recovery code(s) remaining
+            </span>
+          </div>
+
+          <div class="flex flex-wrap gap-3">
+            <button
+              @click="regenerate"
+              :disabled="busy"
+              class="px-3 py-2 text-sm rounded-lg border border-gray-300 dark:border-gray-600 text-gray-700 dark:text-gray-300 hover:bg-gray-50 dark:hover:bg-gray-700 disabled:opacity-50"
+            >Regenerate recovery codes</button>
+            <button
+              @click="showDisable = true"
+              class="px-3 py-2 text-sm rounded-lg border border-red-300 dark:border-red-700 text-red-700 dark:text-red-300 hover:bg-red-50 dark:hover:bg-red-900/30"
+            >Disable 2FA</button>
+          </div>
+
+          <!-- Disable confirm -->
+          <div v-if="showDisable" class="p-4 rounded-lg bg-red-50 dark:bg-red-900/20 border border-red-200 dark:border-red-800 space-y-3">
+            <p class="text-sm text-red-800 dark:text-red-300">Enter a current code (or a recovery code) to confirm disabling 2FA.</p>
+            <input v-model="disableCode" type="text" inputmode="numeric" placeholder="123456"
+              class="block w-40 px-3 py-2 border border-gray-300 dark:border-gray-600 rounded-lg bg-white dark:bg-gray-700 text-gray-900 dark:text-gray-100" />
+            <div class="flex gap-2">
+              <button @click="disable" :disabled="busy || !disableCode"
+                class="px-3 py-2 text-sm rounded-lg text-white bg-red-600 hover:bg-red-700 disabled:opacity-50">Confirm disable</button>
+              <button @click="showDisable = false; disableCode = ''"
+                class="px-3 py-2 text-sm rounded-lg border border-gray-300 dark:border-gray-600 text-gray-700 dark:text-gray-300">Cancel</button>
+            </div>
+          </div>
+        </div>
+
+        <!-- Not enrolled: enable flow -->
+        <div v-else class="space-y-4">
+          <div v-if="!enroll">
+            <button @click="startEnroll" :disabled="busy"
+              class="px-4 py-2 text-sm rounded-lg text-white bg-blue-600 hover:bg-blue-700 disabled:opacity-50">
+              {{ busy ? 'Starting…' : 'Enable 2FA' }}
+            </button>
+          </div>
+
+          <div v-else class="space-y-4">
+            <p class="text-sm text-gray-600 dark:text-gray-400">
+              Scan the QR with your authenticator app, then enter the 6-digit code to confirm.
+            </p>
+            <QrCode :value="enroll.otpauth_uri" />
+            <div class="text-xs text-gray-500 dark:text-gray-400">
+              Can't scan? Enter this key manually:
+              <code class="block mt-1 select-all font-mono text-sm text-gray-800 dark:text-gray-200 break-all">{{ enroll.secret }}</code>
+            </div>
+            <div class="flex items-end gap-2">
+              <div>
+                <label class="block text-sm font-medium text-gray-700 dark:text-gray-300">Verification code</label>
+                <input v-model="confirmCode" type="text" inputmode="numeric" maxlength="6" placeholder="123456"
+                  class="mt-1 block w-40 px-3 py-2 border border-gray-300 dark:border-gray-600 rounded-lg bg-white dark:bg-gray-700 text-gray-900 dark:text-gray-100" />
+              </div>
+              <button @click="confirmEnroll" :disabled="busy || confirmCode.length < 6"
+                class="px-4 py-2 text-sm rounded-lg text-white bg-blue-600 hover:bg-blue-700 disabled:opacity-50">Confirm</button>
+              <button @click="enroll = null; confirmCode = ''"
+                class="px-3 py-2 text-sm rounded-lg border border-gray-300 dark:border-gray-600 text-gray-700 dark:text-gray-300">Cancel</button>
+            </div>
+          </div>
+        </div>
+
+        <!-- Recovery codes (shown once) -->
+        <div v-if="recoveryCodes.length" class="p-4 rounded-lg bg-amber-50 dark:bg-amber-900/20 border border-amber-200 dark:border-amber-800 space-y-2">
+          <p class="text-sm font-medium text-amber-800 dark:text-amber-300">
+            Save these recovery codes now — they won't be shown again.
+          </p>
+          <div class="grid grid-cols-2 gap-1 font-mono text-sm text-gray-800 dark:text-gray-200">
+            <code v-for="c in recoveryCodes" :key="c" class="select-all">{{ c }}</code>
+          </div>
+          <button @click="recoveryCodes = []" class="text-xs text-amber-700 dark:text-amber-400 underline">I've saved them</button>
+        </div>
+
+        <p v-if="error" class="text-sm text-red-600 dark:text-red-400">{{ error }}</p>
+
+        <!-- Admin policy -->
+        <div v-if="isAdmin" class="pt-5 mt-2 border-t border-gray-200 dark:border-gray-700 space-y-3">
+          <h3 class="text-sm font-medium text-gray-900 dark:text-white">Organization policy</h3>
+          <label class="flex items-center gap-2 text-sm text-gray-700 dark:text-gray-300">
+            <input type="checkbox" v-model="policy.require_for_admin" @change="savePolicy" />
+            Require 2FA for admins
+          </label>
+          <label class="flex items-center gap-2 text-sm text-gray-700 dark:text-gray-300">
+            <input type="checkbox" v-model="policy.require_for_creator" @change="savePolicy" />
+            Require 2FA for creators
+          </label>
+          <p class="text-xs text-gray-500 dark:text-gray-400">
+            Users in a required role who haven't enrolled will be prompted to set up 2FA at their next login.
+          </p>
+        </div>
+      </template>
+    </div>
+  </div>
+</template>
+
+<script setup>
+// Settings → Security self-service 2FA panel (#5). Rendered only when the
+// `2fa` enterprise feature is entitled (gated by the parent Settings view).
+import { ref, reactive, computed, onMounted } from 'vue'
+import axios from 'axios'
+import { useAuthStore } from '../../stores/auth'
+import QrCode from '../QrCode.vue'
+
+const authStore = useAuthStore()
+const isAdmin = computed(() => authStore.role === 'admin')
+
+const loading = ref(true)
+const busy = ref(false)
+const error = ref('')
+const status = reactive({ enrolled: false, pending: false, recovery_codes_remaining: 0 })
+const enroll = ref(null)            // { secret, otpauth_uri }
+const confirmCode = ref('')
+const recoveryCodes = ref([])
+const showDisable = ref(false)
+const disableCode = ref('')
+const policy = reactive({ require_for_admin: false, require_for_creator: false })
+
+const cfg = () => ({ headers: authStore.authHeader })
+
+const loadStatus = async () => {
+  try {
+    const r = await axios.get('/api/enterprise/2fa/status', cfg())
+    Object.assign(status, r.data)
+  } catch (e) { error.value = e.response?.data?.detail || 'Failed to load status' }
+}
+
+const loadPolicy = async () => {
+  if (!isAdmin.value) return
+  try {
+    const r = await axios.get('/api/enterprise/2fa/policy', cfg())
+    Object.assign(policy, r.data)
+  } catch (e) { /* non-fatal */ }
+}
+
+onMounted(async () => {
+  await Promise.all([loadStatus(), loadPolicy()])
+  loading.value = false
+})
+
+const startEnroll = async () => {
+  busy.value = true; error.value = ''
+  try {
+    const r = await axios.post('/api/enterprise/2fa/enroll/start', {}, cfg())
+    enroll.value = r.data
+  } catch (e) { error.value = e.response?.data?.detail || 'Failed to start enrollment' }
+  finally { busy.value = false }
+}
+
+const confirmEnroll = async () => {
+  busy.value = true; error.value = ''
+  try {
+    const r = await axios.post('/api/enterprise/2fa/enroll/confirm', { code: confirmCode.value }, cfg())
+    recoveryCodes.value = r.data.recovery_codes || []
+    enroll.value = null; confirmCode.value = ''
+    await loadStatus()
+  } catch (e) { error.value = e.response?.data?.detail || 'Invalid code' }
+  finally { busy.value = false }
+}
+
+const regenerate = async () => {
+  busy.value = true; error.value = ''
+  try {
+    const r = await axios.post('/api/enterprise/2fa/recovery-codes', {}, cfg())
+    recoveryCodes.value = r.data.recovery_codes || []
+    await loadStatus()
+  } catch (e) { error.value = e.response?.data?.detail || 'Failed to regenerate' }
+  finally { busy.value = false }
+}
+
+const disable = async () => {
+  busy.value = true; error.value = ''
+  try {
+    await axios.post('/api/enterprise/2fa/disable', { code: disableCode.value }, cfg())
+    showDisable.value = false; disableCode.value = ''
+    recoveryCodes.value = []
+    await loadStatus()
+  } catch (e) { error.value = e.response?.data?.detail || 'Invalid code' }
+  finally { busy.value = false }
+}
+
+const savePolicy = async () => {
+  try {
+    await axios.put('/api/enterprise/2fa/policy', {
+      require_for_admin: policy.require_for_admin,
+      require_for_creator: policy.require_for_creator,
+    }, cfg())
+  } catch (e) { error.value = e.response?.data?.detail || 'Failed to save policy' }
+}
+</script>
diff --git a/src/frontend/src/stores/auth.js b/src/frontend/src/stores/auth.js
index 43451b70..3b095060 100644
--- a/src/frontend/src/stores/auth.js
+++ b/src/frontend/src/stores/auth.js
@@ -11,6 +11,10 @@ export const useAuthStore = defineStore('auth', {
     // Runtime mode detection (from backend)
     emailAuthEnabled: null,  // Email-based authentication
     modeDetected: false,
+    // Enterprise 2FA (#5): set when a login returns an MFA challenge instead
+    // of a token. { token, enrolled, enrollmentRequired }. The Login view
+    // switches to the second-factor step while this is non-null.
+    mfaChallenge: null,
     // Promise that resolves when initializeAuth() completes (PERF-269)
     _initResolve: null,
     _initPromise: null
@@ -185,7 +189,12 @@ export const useAuthStore = defineStore('auth', {
         formData.append('password', password)
 
         const response = await axios.post('/api/token', formData)
-        this.token = response.data.access_token
+
+        // Enterprise 2FA (#5): a second factor is required — defer the token.
+        if (response.data?.mfa_required) {
+          this._setMfaChallenge(response.data)
+          return false
+        }
 
         // Create a dev user profile
         const devUser = {
@@ -195,16 +204,7 @@ export const useAuthStore = defineStore('auth', {
           email_verified: true
         }
 
-        this.user = devUser
-        this.isAuthenticated = true
-
-        localStorage.setItem('token', this.token)
-        localStorage.setItem('auth0_user', JSON.stringify(devUser))
-        this.setupAxiosAuth()
-
-        // Pull the canonical role from the backend (#302).
-        await this.fetchUserProfile()
-
+        await this._finalizeLogin(response.data.access_token, devUser)
         console.log('🔐 Admin login: authenticated as', username)
         return true
       } catch (error) {
@@ -251,15 +251,14 @@ export const useAuthStore = defineStore('auth', {
       try {
         const response = await axios.post('/api/auth/email/verify', { email, code })
 
-        this.token = response.data.access_token
-        this.user = response.data.user
-        this.isAuthenticated = true
-
-        localStorage.setItem('token', this.token)
-        localStorage.setItem('auth0_user', JSON.stringify(this.user))
-        this.setupAxiosAuth()
+        // Enterprise 2FA (#5): a second factor is required — defer the token.
+        if (response.data?.mfa_required) {
+          this._setMfaChallenge(response.data)
+          return false
+        }
 
-        console.log('📧 Email auth: authenticated as', this.user.email)
+        await this._finalizeLogin(response.data.access_token, response.data.user)
+        console.log('📧 Email auth: authenticated as', this.user?.email)
         return true
       } catch (error) {
         console.error('Verify email code failed:', error)
@@ -269,12 +268,96 @@ export const useAuthStore = defineStore('auth', {
       }
     },
 
+    // =========================================================================
+    // Enterprise Two-Factor Authentication (#5)
+    // =========================================================================
+
+    // Shared finalize step: persist the real access token, hydrate the user,
+    // and pull the canonical role. Used by every login path (admin, email,
+    // post-2FA). `seedUser` is an optimistic profile overwritten by
+    // fetchUserProfile().
+    async _finalizeLogin(token, seedUser = null) {
+      this.token = token
+      if (seedUser) this.user = seedUser
+      this.isAuthenticated = true
+      this.mfaChallenge = null
+      localStorage.setItem('token', token)
+      if (seedUser) localStorage.setItem('auth0_user', JSON.stringify(seedUser))
+      this.setupAxiosAuth()
+      // Pull the canonical profile/role from the backend (#302).
+      await this.fetchUserProfile()
+    },
+
+    _setMfaChallenge(data) {
+      this.mfaChallenge = {
+        token: data.challenge_token,
+        enrolled: !!data.mfa_enrolled,
+        enrollmentRequired: !!data.enrollment_required,
+      }
+    },
+
+    cancelMfa() {
+      this.mfaChallenge = null
+    },
+
+    // Complete login by verifying a TOTP or recovery code against the
+    // outstanding challenge. Returns true on success.
+    async verifyMfaCode(code) {
+      if (!this.mfaChallenge) return false
+      try {
+        const r = await axios.post('/api/enterprise/2fa/login/verify', {
+          challenge_token: this.mfaChallenge.token,
+          code,
+        })
+        await this._finalizeLogin(r.data.access_token)
+        return true
+      } catch (error) {
+        const detail = error.response?.data?.detail || 'Invalid verification code'
+        this.authError = detail
+        return false
+      }
+    },
+
+    // Forced enrollment during login (policy requires 2FA, user not enrolled).
+    // Returns the provisioning payload { secret, otpauth_uri, ... } or null.
+    async startMfaEnrollment() {
+      if (!this.mfaChallenge) return null
+      try {
+        const r = await axios.post('/api/enterprise/2fa/login/enroll/start', {
+          challenge_token: this.mfaChallenge.token,
+        })
+        return r.data
+      } catch (error) {
+        this.authError = error.response?.data?.detail || 'Failed to start enrollment'
+        return null
+      }
+    },
+
+    // Confirm forced enrollment with the first code → finalize login.
+    // Returns { ok, recoveryCodes } so the UI can show the backup codes once.
+    async confirmMfaEnrollment(code) {
+      if (!this.mfaChallenge) return { ok: false }
+      try {
+        const r = await axios.post('/api/enterprise/2fa/login/enroll/confirm', {
+          challenge_token: this.mfaChallenge.token,
+          code,
+        })
+        const recoveryCodes = r.data.recovery_codes || []
+        await this._finalizeLogin(r.data.access_token)
+        return { ok: true, recoveryCodes }
+      } catch (error) {
+        this.authError = error.response?.data?.detail || 'Invalid verification code'
+        return { ok: false }
+      }
+    },
+
     // Logout
     logout() {
       this.token = null
       this.user = null
       this.isAuthenticated = false
       this.authError = null
+      this.mfaChallenge = null
 
       localStorage.removeItem('token')
       localStorage.removeItem('auth0_user')
diff --git a/src/frontend/src/views/Login.vue b/src/frontend/src/views/Login.vue
index 262ced18..5bb82c0e 100644
--- a/src/frontend/src/views/Login.vue
+++ b/src/frontend/src/views/Login.vue
@@ -16,6 +16,71 @@
         <p class="mt-4 text-gray-600 dark:text-gray-400">{{ loadingMessage }}</p>
       </div>
 
+      <!-- Two-Factor step (#5) — shown after the first factor when 2FA is required -->
+      <div v-else-if="authStore.mfaChallenge" class="mt-8 space-y-6 bg-white dark:bg-gray-800 rounded-lg shadow-lg dark:shadow-gray-900 p-8">
+        <!-- Recovery codes shown once after forced enrollment -->
+        <div v-if="mfaRecoveryCodes.length" class="space-y-4">
+          <h3 class="text-lg font-medium text-gray-900 dark:text-white">Save your recovery codes</h3>
+          <p class="text-sm text-gray-600 dark:text-gray-400">
+            Store these somewhere safe — each works once if you lose your authenticator. They won't be shown again.
+          </p>
+          <div class="grid grid-cols-2 gap-1 font-mono text-sm text-gray-800 dark:text-gray-200 p-3 rounded-lg bg-amber-50 dark:bg-amber-900/20 border border-amber-200 dark:border-amber-800">
+            <code v-for="c in mfaRecoveryCodes" :key="c" class="select-all">{{ c }}</code>
+          </div>
+          <button @click="finishMfa"
+            class="w-full py-3 px-4 rounded-lg text-white bg-blue-600 hover:bg-blue-700">Continue</button>
+        </div>
+
+        <!-- Forced enrollment: scan QR + confirm -->
+        <div v-else-if="mfaMode === 'enroll'" class="space-y-4">
+          <h3 class="text-lg font-medium text-gray-900 dark:text-white">Set up two-factor authentication</h3>
+          <p class="text-sm text-gray-600 dark:text-gray-400">
+            Your account requires 2FA. Scan this QR with an authenticator app, then enter the 6-digit code.
+          </p>
+          <template v-if="mfaEnroll">
+            <QrCode :value="mfaEnroll.otpauth_uri" />
+            <div class="text-xs text-gray-500 dark:text-gray-400">
+              Can't scan? Enter this key manually:
+              <code class="block mt-1 select-all font-mono text-sm text-gray-800 dark:text-gray-200 break-all">{{ mfaEnroll.secret }}</code>
+            </div>
+          </template>
+          <p v-else class="text-sm text-gray-500 dark:text-gray-400">Preparing enrollment…</p>
+
+          <form @submit.prevent="handleMfaEnrollConfirm" class="space-y-3">
+            <input v-model="mfaCode" type="text" inputmode="numeric" maxlength="6" placeholder="000000"
+              autocomplete="one-time-code"
+              class="block w-full px-3 py-2 border border-gray-300 dark:border-gray-600 rounded-lg bg-white dark:bg-gray-700 text-gray-900 dark:text-gray-100 text-center text-2xl tracking-widest" />
+            <button type="submit" :disabled="loginLoading || mfaCode.length < 6 || !mfaEnroll"
+              class="w-full py-3 px-4 rounded-lg text-white bg-blue-600 hover:bg-blue-700 disabled:opacity-50">
+              {{ loginLoading ? 'Verifying…' : 'Confirm & Sign In' }}
+            </button>
+          </form>
+        </div>
+
+        <!-- Verify (already enrolled) -->
+        <div v-else class="space-y-4">
+          <h3 class="text-lg font-medium text-gray-900 dark:text-white">Two-factor authentication</h3>
+          <p class="text-sm text-gray-600 dark:text-gray-400">
+            Enter the 6-digit code from your authenticator app, or a recovery code.
+          </p>
+          <form @submit.prevent="handleMfaVerify" class="space-y-3">
+            <input v-model="mfaCode" type="text" inputmode="text" autocomplete="one-time-code"
+              placeholder="000000"
+              class="block w-full px-3 py-2 border border-gray-300 dark:border-gray-600 rounded-lg bg-white dark:bg-gray-700 text-gray-900 dark:text-gray-100 text-center text-2xl tracking-widest" />
+            <button type="submit" :disabled="loginLoading || !mfaCode"
+              class="w-full py-3 px-4 rounded-lg text-white bg-blue-600 hover:bg-blue-700 disabled:opacity-50">
+              {{ loginLoading ? 'Verifying…' : 'Verify & Sign In' }}
+            </button>
+          </form>
+        </div>
+
+        <p v-if="authError" class="text-sm text-red-600 dark:text-red-400 text-center">{{ authError }}</p>
+        <button v-if="!mfaRecoveryCodes.length" @click="handleMfaCancel"
+          class="w-full text-sm text-gray-600 dark:text-gray-400 hover:text-gray-900 dark:hover:text-gray-200">
+          ← Cancel
+        </button>
+      </div>
+
       <!-- Error State -->
       <div v-else-if="authError" class="bg-white dark:bg-gray-800 rounded-lg shadow-lg dark:shadow-gray-900 p-8">
         <div class="text-center">
@@ -175,9 +240,10 @@
 </template>
 
 <script setup>
-import { ref, computed, onMounted, onUnmounted } from 'vue'
+import { ref, computed, onMounted, onUnmounted, watch } from 'vue'
 import { useRouter } from 'vue-router'
 import { useAuthStore } from '../stores/auth'
+import QrCode from '../components/QrCode.vue'
 
 const router = useRouter()
 const authStore = useAuthStore()
@@ -197,6 +263,23 @@ const countdownInterval = ref(null)
 // UI state for switching between login methods
 const showAdminLogin = ref(false)
 
+// Two-factor step state (#5)
+const mfaCode = ref('')
+const mfaEnroll = ref(null)            // provisioning payload during forced enrollment
+const mfaRecoveryCodes = ref([])
+const mfaMode = computed(() =>
+  authStore.mfaChallenge?.enrollmentRequired ? 'enroll' : 'verify'
+)
+
+// When a forced-enrollment challenge appears, fetch the provisioning QR.
+watch(() => authStore.mfaChallenge, async (ch) => {
+  mfaCode.value = ''
+  mfaEnroll.value = null
+  if (ch && ch.enrollmentRequired) {
+    mfaEnroll.value = await authStore.startMfaEnrollment()
+  }
+}, { immediate: true })
+
 // Computed
 const isLoading = computed(() => {
   // Still detecting mode
@@ -303,6 +386,42 @@ const handleAdminLogin = async () => {
   loginLoading.value = false
 }
 
+// --- Two-factor handlers (#5) ---
+const handleMfaVerify = async () => {
+  loginLoading.value = true
+  authStore.clearError()
+  const ok = await authStore.verifyMfaCode(mfaCode.value.trim())
+  loginLoading.value = false
+  if (ok) router.push('/')
+}
+
+const handleMfaEnrollConfirm = async () => {
+  loginLoading.value = true
+  authStore.clearError()
+  const { ok, recoveryCodes } = await authStore.confirmMfaEnrollment(mfaCode.value.trim())
+  loginLoading.value = false
+  if (ok) {
+    // Already authenticated (token minted); show the codes, then continue.
+    mfaRecoveryCodes.value = recoveryCodes || []
+    if (!mfaRecoveryCodes.value.length) router.push('/')
+  }
+}
+
+const finishMfa = () => {
+  mfaRecoveryCodes.value = []
+  router.push('/')
+}
+
+const handleMfaCancel = () => {
+  authStore.cancelMfa()
+  authStore.clearError()
+  mfaCode.value = ''
+  mfaEnroll.value = null
+  mfaRecoveryCodes.value = []
+  password.value = ''
+  handleBackToEmail()
+}
+
 // Handle retry after error
 const handleRetry = () => {
   authStore.clearError()
diff --git a/src/frontend/src/views/Settings.vue b/src/frontend/src/views/Settings.vue
index d5715f51..7115c82b 100644
--- a/src/frontend/src/views/Settings.vue
+++ b/src/frontend/src/views/Settings.vue
@@ -42,6 +42,9 @@
           <!-- MCP Keys Tab Content (extracted to component, #302) -->
           <McpKeysTab v-if="activeTab === 'mcp-keys'" />
 
+          <!-- #5 — Security / Two-Factor (enterprise, gated by `2fa`) -->
+          <TwoFactorPanel v-if="activeTab === 'security'" />
+
           <!-- Platform Section -->
           <div v-if="activeTab === 'general'" class="bg-white dark:bg-gray-800 shadow dark:shadow-gray-900 rounded-lg">
             <div class="px-6 py-4 border-b border-gray-200 dark:border-gray-700">
@@ -1907,12 +1910,17 @@ import { useSettingsStore } from '../stores/settings'
 import { useEnterpriseStore } from '../stores/enterprise'
 import NavBar from '../components/NavBar.vue'
 import McpKeysTab from '../components/settings/McpKeysTab.vue'
+import TwoFactorPanel from '../components/settings/TwoFactorPanel.vue'
 import ConfirmDialog from '../components/ConfirmDialog.vue'
 
 const router = useRouter()
 const route = useRoute()
 const authStore = useAuthStore()
 const settingsStore = useSettingsStore()
+// Declared early: visibleTabs (and thus the activeTab initializer below) reads
+// it during setup to gate the enterprise-only Security tab (#5). Declaring it
+// later would hit the temporal dead zone and blank the whole Settings page.
+const enterpriseStore = useEnterpriseStore()
 
 // #926: cached fetch of /api/version (singleton shared with NavBar).
 const buildInfo = useBuildInfo()
@@ -1933,11 +1941,17 @@ const ALL_TABS = [
   { id: 'access',       label: 'Access',       adminOnly: true  },
   { id: 'integrations', label: 'Integrations', adminOnly: true  },
   { id: 'mcp-keys',     label: 'MCP Keys',     adminOnly: false },
+  { id: 'security',     label: 'Security',     adminOnly: false, requires: '2fa' },
   { id: 'agents',       label: 'Agents',       adminOnly: true  },
 ]
 const { isAdmin } = useRole()
 const visibleTabs = computed(() =>
-  ALL_TABS.filter(t => isAdmin.value || !t.adminOnly)
+  ALL_TABS.filter(t => {
+    // #5 — the Security (2FA) tab only appears when the enterprise `2fa`
+    // feature is entitled; otherwise it's hidden in OSS-only builds.
+    if (t.requires) return enterpriseStore.isEntitled(t.requires)
+    return isAdmin.value || !t.adminOnly
+  })
 )
 const validTabIds = computed(() => visibleTabs.value.map(t => t.id))
 const DEFAULT_TAB = computed(() =>
@@ -1975,7 +1989,7 @@ const usersList = ref([])
 const loadingUsers = ref(false)
 
 // #995 — enterprise per-user activity audit (gated by user_management).
-const enterpriseStore = useEnterpriseStore()
+// (enterpriseStore is declared near the top — visibleTabs needs it during setup.)
 const umEntitled = computed(() => enterpriseStore.isEntitled('user_management'))
 const activityUser = ref(null)
 const activityData = ref(null)