diff --git a/lam/lib/2factor.inc b/lam/lib/2factor.inc index 7218178e..1bff3571 100644 --- a/lam/lib/2factor.inc +++ b/lam/lib/2factor.inc @@ -225,6 +225,11 @@ class PrivacyIDEAProvider implements TwoFactorProvider { */ class TwoFactorProviderService { + /** 2factor authentication disabled */ + const TWO_FACTOR_NONE = 'none'; + /** 2factor authentication via privacyIDEA */ + const TWO_FACTOR_PRIVACYIDEA = 'privacyidea'; + private $profile; /** @@ -244,7 +249,7 @@ class TwoFactorProviderService { * @throws \Exception unable to get provider */ public function getProvider() { - if ($this->profile->twoFactorAuthentication == selfServiceProfile::TWO_FACTOR_PRIVACYIDEA) { + if ($this->profile->twoFactorAuthentication == TwoFactorProviderService::TWO_FACTOR_PRIVACYIDEA) { return new PrivacyIDEAProvider($this->profile); } throw new \Exception('Invalid provider: ' . $this->profile->twoFactorAuthentication); diff --git a/lam/lib/config.inc b/lam/lib/config.inc index 9fc3cda9..8971d4f5 100644 --- a/lam/lib/config.inc +++ b/lam/lib/config.inc 
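Review bot: getProvider() still compares with loose `==` against the new string constant, and now that the constant lives in the same class it can be referenced as `self::`; `if ($this->profile->twoFactorAuthentication === self::TWO_FACTOR_PRIVACYIDEA) {` avoids PHP's loose string/number comparison rules on an untyped profile field. TWO_FACTOR_NONE is declared here but getProvider() treats it like any unknown value and throws; a docblock line such as `@throws \Exception if no provider is configured (TWO_FACTOR_NONE) or the type is unknown` would make that contract explicit for callers. It is not visible in this diff whether the old selfServiceProfile::TWO_FACTOR_* constants are removed or kept; if kept, an `@deprecated` note pointing to TwoFactorProviderService would help the remaining callers migrate.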
@@ -1,9 +1,10 @@ pwdResetAllowScreenPassword . "\n"); if (!in_array("pwdResetForcePasswordChange", $saved)) array_push($file_array, "\n" . "pwdResetForcePasswordChange: " . $this->pwdResetForcePasswordChange . "\n"); if (!in_array("pwdResetDefaultPasswordOutput", $saved)) array_push($file_array, "\n" . "pwdResetDefaultPasswordOutput: " . $this->pwdResetDefaultPasswordOutput . "\n"); + if (!in_array("twoFactorAuthentication", $saved)) array_push($file_array, "\n" . "twoFactorAuthentication: " . $this->twoFactorAuthentication . "\n"); + if (!in_array("twoFactorAuthenticationURL", $saved)) array_push($file_array, "\n" . "twoFactorAuthenticationURL: " . $this->twoFactorAuthenticationURL . "\n"); + if (!in_array("twoFactorAuthenticationInsecure", $saved)) array_push($file_array, "\n" . "twoFactorAuthenticationInsecure: " . $this->twoFactorAuthenticationInsecure . "\n"); + if (!in_array("twoFactorAuthenticationLabel", $saved)) array_push($file_array, "\n" . "twoFactorAuthenticationLabel: " . $this->twoFactorAuthenticationLabel . "\n"); + if (!in_array("twoFactorAuthenticationOptional", $saved)) array_push($file_array, "\n" . "twoFactorAuthenticationOptional: " . $this->twoFactorAuthenticationOptional . "\n"); + if (!in_array("twoFactorAuthenticationCaption", $saved)) array_push($file_array, "\n" . "twoFactorAuthenticationCaption: " . $this->twoFactorAuthenticationCaption . "\n"); // check if all module settings were added $m_settings = array_keys($this->moduleSettings); for ($i = 0; $i < sizeof($m_settings); $i++) { 
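Review bot: `twoFactorAuthenticationInsecure` and `twoFactorAuthenticationOptional` are written by plain string concatenation, so a PHP `false` is saved as an empty value and `true` as `1`, whereas the existing `httpAuthentication` flag is compared against the literal `'true'` in confmain.php. The reader of this file is not in the diff; if it follows the `'true'` convention, the new flags would never read back as enabled, so writing `($this->twoFactorAuthenticationInsecure ? 'true' : 'false')` (and the same for the optional flag) would keep them consistent with the rest of the file. Since each setting is one `"\n"`-delimited line here, a line break inside the URL, label or caption value would be parsed as a separate key on reload; the save path in confmain.php strips CR/LF only from the caption. The enclosing save method starts and ends outside the hunk.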
@@ -2044,6 +2062,113 @@ class LAMConfig { public function setPwdResetDefaultPasswordOutput($pwdResetDefaultPasswordOutput) { $this->pwdResetDefaultPasswordOutput = $pwdResetDefaultPasswordOutput; } + /** + * Returns the authentication type. + * + * @return string $twoFactorAuthentication authentication type + */ + public function getTwoFactorAuthentication() { + return $this->twoFactorAuthentication; + } + + /** + * Sets the authentication type. + * + * @param string $twoFactorAuthentication authentication type + */ + public function setTwoFactorAuthentication($twoFactorAuthentication) { + $this->twoFactorAuthentication = $twoFactorAuthentication; + } + + /** + * Returns the authentication URL. + * + * @return string $twoFactorAuthenticationURL authentication URL + */ + public function getTwoFactorAuthenticationURL() { + return $this->twoFactorAuthenticationURL; + } + + /** + * Sets the authentication URL. + * + * @param string $twoFactorAuthenticationURL authentication URL + */ + public function setTwoFactorAuthenticationURL($twoFactorAuthenticationURL) { + $this->twoFactorAuthenticationURL = $twoFactorAuthenticationURL; + } + + /** + * Returns if SSL certificate verification is turned off. + * + * @return bool $twoFactorAuthenticationInsecure SSL certificate verification is turned off + */ + public function getTwoFactorAuthenticationInsecure() { + return $this->twoFactorAuthenticationInsecure; + } + + /** + * Sets if SSL certificate verification is turned off. + * + * @param boolean $twoFactorAuthenticationInsecure SSL certificate verification is turned off + */ + public function setTwoFactorAuthenticationInsecure($twoFactorAuthenticationInsecure) { + $this->twoFactorAuthenticationInsecure = $twoFactorAuthenticationInsecure; + } + + /** + * Returns the authentication label. 
+ * + * @return string $twoFactorAuthenticationLabel authentication label + */ + public function getTwoFactorAuthenticationLabel() { + return $this->twoFactorAuthenticationLabel; + } + + /** + * Sets the authentication label. + * + * @param string $twoFactorAuthenticationLabel authentication label + */ + public function setTwoFactorAuthenticationLabel($twoFactorAuthenticationLabel) { + $this->twoFactorAuthenticationLabel = $twoFactorAuthenticationLabel; + } + + /** + * Returns if 2nd factor is optional. + * + * @return bool $twoFactorAuthenticationOptional 2nd factor is optional + */ + public function getTwoFactorAuthenticationOptional() { + return $this->twoFactorAuthenticationOptional; + } + + /** + * Sets if 2nd factor is optional. + * + * @param boolean $twoFactorAuthenticationOptional 2nd factor is optional + */ + public function setTwoFactorAuthenticationOptional($twoFactorAuthenticationOptional) { + $this->twoFactorAuthenticationOptional = $twoFactorAuthenticationOptional; + } + + /** + * Returns the caption HTML. + * + * @return string $twoFactorAuthenticationCaption caption HTML + */ + public function getTwoFactorAuthenticationCaption() { + return $this->twoFactorAuthenticationCaption; + } + + /** + * Sets the caption HTML. + * + * @param string $twoFactorAuthenticationCaption caption HTML + */ + public function setTwoFactorAuthenticationCaption($twoFactorAuthenticationCaption) { + $this->twoFactorAuthenticationCaption = $twoFactorAuthenticationCaption; + } } diff --git a/lam/lib/selfService.inc b/lam/lib/selfService.inc index 9c716439..04cc7abb 100644 --- a/lam/lib/selfService.inc +++ b/lam/lib/selfService.inc 
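Review bot: The two flag setters accept any value untyped although `twoFactorAuthenticationInsecure` controls whether TLS certificate verification is skipped; casting at the boundary, `$this->twoFactorAuthenticationInsecure = (bool) $twoFactorAuthenticationInsecure;` (and likewise for Optional), keeps a string such as `'false'` from being stored as a truthy value. The docblocks mix `@param boolean` with `@return bool` and put variable names after `@return` (`@return string $twoFactorAuthentication authentication type`), which PHPDoc does not take; `@return string authentication type` is the conventional form. getTwoFactorAuthenticationCaption() would benefit from a docblock remark that the value is HTML as entered in the rich editor (where it is rendered is outside this diff), so callers must not treat it as plain text.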
@@ -1,4 +1,5 @@ -enforceLanguage = true; $this->followReferrals = 0; $this->timeZone = 'Europe/London'; - $this->twoFactorAuthentication = selfServiceProfile::TWO_FACTOR_NONE; + $this->twoFactorAuthentication = TwoFactorProviderService::TWO_FACTOR_NONE; $this->twoFactorAuthenticationURL = 'https://localhost'; $this->twoFactorAuthenticationInsecure = false; $this->twoFactorAuthenticationLabel = null; diff --git a/lam/templates/config/confmain.php b/lam/templates/config/confmain.php index 914f195f..a0b0f30b 100644 --- a/lam/templates/config/confmain.php +++ b/lam/templates/config/confmain.php 
@@ -1,9 +1,10 @@ setIsPassword(true); $securitySettingsContent->addElement($searchPasswordInput, true); // HTTP authentication $securitySettingsContent->addElement(new htmlTableExtendedInputCheckbox('httpAuthentication', ($conf->getHttpAuthentication() == 'true'), _('HTTP authentication'), '223', true), true); -$securitySettingsContent->addElement(new htmlSpacer(null, '10px'), true); +$securitySettingsContent->addElement(new htmlSpacer(null, '30px'), true); + +// 2factor authentication +if (extension_loaded('curl')) { + $securitySettingsContent->addElement(new htmlSubTitle(_("2-factor authentication")), true); + $twoFactorOptions = array( + _('None') => TwoFactorProviderService::TWO_FACTOR_NONE, + _('privacyIDEA') => TwoFactorProviderService::TWO_FACTOR_PRIVACYIDEA, + ); + $twoFactorSelect = new htmlTableExtendedSelect('twoFactor', $twoFactorOptions, array($conf->getTwoFactorAuthentication()), _('Provider'), '514'); + $twoFactorSelect->setHasDescriptiveElements(true); + $twoFactorSelect->setTableRowsToHide(array( + TwoFactorProviderService::TWO_FACTOR_NONE => array('twoFactorURL', 'twoFactorInsecure', 'twoFactorLabel', 'twoFactorOptional', 'twoFactorCaption') + )); + $twoFactorSelect->setTableRowsToShow(array( + TwoFactorProviderService::TWO_FACTOR_PRIVACYIDEA => array('twoFactorURL', 'twoFactorInsecure', 'twoFactorLabel', 'twoFactorOptional', 'twoFactorCaption') + )); + $securitySettingsContent->addElement($twoFactorSelect, true); + $twoFactorUrl = new htmlTableExtendedInputField(_("Base URL"), 'twoFactorURL', $conf->getTwoFactorAuthenticationURL(), '515'); + $twoFactorUrl->setRequired(true); + $securitySettingsContent->addElement($twoFactorUrl, true); + $twoFactorLabel = new htmlTableExtendedInputField(_("Label"), 'twoFactorLabel', $conf->getTwoFactorAuthenticationLabel(), '517'); + $securitySettingsContent->addElement($twoFactorLabel, true); + $securitySettingsContent->addElement(new htmlTableExtendedInputCheckbox('twoFactorOptional', 
$conf->getTwoFactorAuthenticationOptional(), _('Optional'), '519'), true); + $securitySettingsContent->addElement(new htmlTableExtendedInputCheckbox('twoFactorInsecure', $conf->getTwoFactorAuthenticationInsecure(), _('Disable certificate check'), '516'), true); + $securitySettingsContent->addElement(new htmlSpacer(null, '5px'), true); + $twoFactorCaption = new htmlTableExtendedInputTextarea('twoFactorCaption', $conf->getTwoFactorAuthenticationCaption(), '80', '4', _("Caption"), '518'); + $twoFactorCaption->setIsRichEdit(true); + $twoFactorCaption->alignment = htmlElement::ALIGN_TOP; + $securitySettingsContent->addElement($twoFactorCaption, true); +} + // new password +$securitySettingsContent->addElement(new htmlSubTitle(_("Profile password")), true); $password1 = new htmlTableExtendedInputField(_("New password"), 'passwd1', null, '212'); $password1->setIsPassword(true); $password2 = new htmlTableExtendedInputField(_("Reenter password"), 'passwd2'); @@ -551,10 +586,12 @@ $buttonContainer->addElement($cancelButton, true); $buttonContainer->addElement(new htmlSpacer(null, '10px'), true); parseHtml(null, $buttonContainer, array(), false, $tabindex, 'user'); -echo "\n"; -echo "\n"; -echo "\n"; - +?> + + + + +setToolSettings($toolSettings); + // 2-factor + if (extension_loaded('curl')) { + $conf->setTwoFactorAuthentication($_POST['twoFactor']); + $conf->setTwoFactorAuthenticationURL($_POST['twoFactorURL']); + $conf->setTwoFactorAuthenticationInsecure(isset($_POST['twoFactorInsecure']) && ($_POST['twoFactorInsecure'] == 'on')); + $conf->setTwoFactorAuthenticationLabel($_POST['twoFactorLabel']); + $conf->setTwoFactorAuthenticationOptional(isset($_POST['twoFactorOptional']) && ($_POST['twoFactorOptional'] == 'on')); + $conf->setTwoFactorAuthenticationCaption(str_replace(array("\r", "\n"), array('', ''), $_POST['twoFactorCaption'])); + } // check if password was changed if (isset($_POST['passwd1']) && ($_POST['passwd1'] != '')) { if ($_POST['passwd1'] != $_POST['passwd2']) {
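Review bot: The save branch stores `$_POST['twoFactor']` and `$_POST['twoFactorURL']` unchecked, although the form hunk above offers only the two TwoFactorProviderService constants and marks the URL as required client-side; a server-side check such as `in_array($_POST['twoFactor'], array(TwoFactorProviderService::TWO_FACTOR_NONE, TwoFactorProviderService::TWO_FACTOR_PRIVACYIDEA), true)` before calling the setter, plus a non-empty check on the URL when privacyIDEA is selected, keeps unexpected values out of the config file. Only the caption has CR/LF removed; the URL and label are written to the same newline-delimited config file (see the config.inc hunk), so the same `str_replace(array("\r", "\n"), array('', ''), ...)` should apply to them, or the save should reject values containing line breaks. The `$_POST['twoFactor']`, `twoFactorURL`, `twoFactorLabel` and `twoFactorCaption` reads are not guarded with isset(), unlike the checkbox reads, so a request missing one of them raises a notice; `$_POST['twoFactorURL'] ?? ''` style defaults would match the checkbox handling. The enclosing save block starts and ends outside the hunk.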