diff --git a/lam/HISTORY b/lam/HISTORY
index efff9345..50116e1e 100644
--- a/lam/HISTORY
+++ b/lam/HISTORY
@@ -1,3 +1,7 @@
+March 2017
+  - 2-factor authentication for admin login and self service with privacyIDEA
+
+
 18.12.2016 5.6
   - New mechanism to replace wildcards in user edit screen. Personal/Unix support more wildcards like "$firstname".
   - Windows: added support for pager, otherPager, mobile, otherMobile, company and proxyAddresses (disabled by default in server profile)
diff --git a/lam/docs/manual-sources/howto.xml b/lam/docs/manual-sources/howto.xml
index 8dcca869..5039fdcc 100644
--- a/lam/docs/manual-sources/howto.xml
+++ b/lam/docs/manual-sources/howto.xml
@@ -8563,7 +8563,7 @@ OK (10 msec)</programlisting>
       <title>Edit your new profile</title>
 
       <section id="selfServiceBasicSettings">
-        <title>Basic settings</title>
+        <title>General settings</title>
 
         <para>On top of the page you see the link to the user login page. Copy
         this link address and give it to your users.</para>
@@ -8708,6 +8708,52 @@ OK (10 msec)</programlisting>
             </tbody>
           </tgroup>
         </table>
+
+        <para></para>
+
+        <section>
+          <title>2-factor authentication</title>
+
+          <para>LAM supports 2-factor authentication for your users. This
+          means the user will not only authenticate by user+password but also
+          with e.g. a token generated by a mobile device. This adds more
+          security because the token is generated on a physically separated
+          device (typically mobile phone).</para>
+
+          <para>The token is validated by a second application. LAM currently
+          supports:</para>
+
+          <itemizedlist>
+            <listitem>
+              <para><ulink
+              url="https://www.privacyidea.org/">privacyIdea</ulink></para>
+            </listitem>
+          </itemizedlist>
+
+          <para>By default LAM will enforce to use a token and reject users
+          that did not setup one. You can set this check to optional. But if a
+          user has setup a token then this will always be required.</para>
+
+          <screenshot>
+            <mediaobject>
+              <imageobject>
+                <imagedata fileref="images/conf7.png" />
+              </imageobject>
+            </mediaobject>
+          </screenshot>
+
+          <para>After logging in with user + password LAM will ask for the 2nd
+          factor. If the user has setup multiple factors then he can choose
+          one of them.</para>
+
+          <screenshot>
+            <mediaobject>
+              <imageobject>
+                <imagedata fileref="images/conf8.png" />
+              </imageobject>
+            </mediaobject>
+          </screenshot>
+        </section>
       </section>
 
       <section>
diff --git a/lam/docs/manual-sources/images/conf4.png b/lam/docs/manual-sources/images/conf4.png
index 554cf0de..f26b45fb 100644
Binary files a/lam/docs/manual-sources/images/conf4.png and b/lam/docs/manual-sources/images/conf4.png differ
diff --git a/lam/docs/manual-sources/images/conf7.png b/lam/docs/manual-sources/images/conf7.png
new file mode 100644
index 00000000..718b0773
Binary files /dev/null and b/lam/docs/manual-sources/images/conf7.png differ
diff --git a/lam/docs/manual-sources/images/conf8.png b/lam/docs/manual-sources/images/conf8.png
new file mode 100644
index 00000000..9e00f2d3
Binary files /dev/null and b/lam/docs/manual-sources/images/conf8.png differ