diff --git a/source/guides/admin.rst b/source/guides/admin.rst index 6a71bfdf711dae3f38ac3d16b9fc385876e0d5e8..4336d41dc4469288b1f511677ce24207956fbe57 100644 --- a/source/guides/admin.rst +++ b/source/guides/admin.rst @@ -26,6 +26,7 @@ There can be different reasons why a user has been locked: 1. **Account has expired**: Update the expiration date (see :ref:`admin-users`) 2. **Too many login attempts**: See `djang-axes `_ +3. **Lost access to second authentication factor**: Remove the user's MFA Keys via the admin interface .. _admin-roles: diff --git a/source/guides/two-factor-authentication.rst b/source/guides/two-factor-authentication.rst new file mode 100644 index 0000000000000000000000000000000000000000..a7a6be8c8940cd7d553c099f74087137be86a6ae --- /dev/null +++ b/source/guides/two-factor-authentication.rst 
@@ -0,0 +1,42 @@ +.. _2fa: + +Two-Factor-Authentication +========================= + +To further protect subjects' personal data against compromised or weak +passwords, Castellum can *and should* be used with two-factor authentication +(2FA). + +If enabled, a successful login requires an additional code or passphrase before +Castellum can be used (similar to a TAN for online banking). + +Currently we support any generic TOTP application or FIDO2 hardware security +tokens. + +Smartphone apps (TOTP) +---------------------- + +We recommend to use a 2FA application on your phone. Just search for "TOTP" in +the app store of your choice. + +Most TOTP apps work the same: + +1. Install an authenticator app on a phone +2. Register that phone on the website (Castellum) by scanning a QR code with + the authenticator app +3. The app will now generate TOTP authentication codes for you that can be + used to log in + +Hardware Keys (FIDO2) +--------------------- + +If you do not want to use your phone and TOTP, you can also chose to use +FIDO2-based hardware keys (tokens). In that case we recommend `Yubico FIDO2 +tokens `_, but +any FIDO2-compatible token should work. + +The tokens are connected to your device with USB and, when registered +successfully, usually just require a tap / key press when prompted on login. + +For additional details about supported hardware tokens or Authenticator apps, +contact your local IT department or security officer. diff --git a/source/index.rst b/source/index.rst index 80b42de4a25bd747adf5e2df225ffc2867fea2d6..6e7f34a885f05d355d83f4df3c8fa965118433f9 100644 --- a/source/index.rst +++ b/source/index.rst @@ -19,6 +19,7 @@ Welcome to Castellum's documentation! :maxdepth: 2 :caption: Step-by-step guides + guides/two-factor-authentication guides/subject-management guides/study-management guides/subject-get-pseudonym 
diff --git a/source/security.rst b/source/security.rst index 13809b2547f914af6b54d0e28c7cbef477edc76f..0933d30aac834918b609b71c2ac02a6ae99532c2 100644 --- a/source/security.rst +++ b/source/security.rst @@ -18,6 +18,7 @@ Account restrictions - Users are automatically logged out on inactivity - User accounts expire on a set date +- (Mandatory) :ref:`2fa` .. _permissions:
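Review bot: In the admin.rst hunk, the new item 3 ("Remove the user's MFA Keys via the admin interface") should use the same terminology and cross-reference style as the items above it: the new guide and security.rst call the feature "2FA"/"two-factor authentication", not "MFA Keys", and items 1 and 2 point the reader somewhere (:ref:`admin-users`, the django-axes link) while item 3 does not say where in the admin interface the keys live. Since removing the keys takes away the second factor for that account, the item should also say that the administrator verifies the user's identity out of band before removing the keys and that the user must re-register a factor on next login; otherwise this sentence reads as a one-click bypass of the control security.rst calls mandatory. Minor: the context line above still reads `djang-axes`, which looks like a typo for `django-axes` and could be fixed in the same change.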
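Review bot: The new two-factor-authentication.rst contradicts the security.rst hunk in the same patch: this page says Castellum "can *and should* be used" with 2FA (i.e. optional but recommended), while security.rst lists "(Mandatory) :ref:`2fa`". Pick one and state whether the requirement is enforced by the application or is a deployment policy, since an administrator reading the new page will otherwise not know whether users can still log in without a registered factor. Wording fixes in the same file: "you can also chose to use" should be "choose", "We recommend to use a 2FA application" should be "We recommend using", and the heading "Two-Factor-Authentication" should match the body's "two-factor authentication" (no hyphen before "authentication"). The page also describes enrollment for TOTP and FIDO2 but says nothing about what happens when the factor is lost; a one-line pointer to the locked-account procedure added in admin.rst would close that gap without duplicating it.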
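Review bot: In the security.rst hunk, the bullet "- (Mandatory) :ref:`2fa`" is the only item in the "Account restrictions" list that carries a parenthetical qualifier, and it is unclear whether "Mandatory" describes something the software enforces for every account or something the operator is expected to require. Rewrite it as a full sentence in the style of the neighbouring bullets ("Users are automatically logged out on inactivity", "User accounts expire on a set date"), e.g. "Users must register a second authentication factor before they can use Castellum (see :ref:`2fa`)", and make sure the linked guide says the same thing, since it currently presents 2FA as recommended rather than required.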