diff --git a/oioioi/base/static/scss/_layout.scss b/oioioi/base/static/scss/_layout.scss
index df666f738..5fe31e6c8 100644
--- a/oioioi/base/static/scss/_layout.scss
+++ b/oioioi/base/static/scss/_layout.scss
@@ -22,6 +22,10 @@ $oioioi-narrow-input-max-width: 300px !default;
   padding-left: 0;
 }
 
+.padding-bottom-md {
+  padding-bottom: 1em;
+}
+
 .h-scrollable {
   overflow-x: auto;
 }
diff --git a/oioioi/base/templates/ingredients/navbar-user.html b/oioioi/base/templates/ingredients/navbar-user.html
index 67fb49499..666fda120 100644
--- a/oioioi/base/templates/ingredients/navbar-user.html
+++ b/oioioi/base/templates/ingredients/navbar-user.html
@@ -12,11 +12,12 @@
             <li class="navbar-form">
                 <form id="navbar-login" class="navbar-login" action="{% url 'login' %}" method="post">
                     {% csrf_token %}
+                    <input name="login_view-current_step" type="hidden" value="auth">
                     <div class="form-group">
-                        <input type="text" name="username" class="form-control" placeholder="{% trans "Login" %}">
+                        <input type="text" name="auth-username" class="form-control" placeholder="{% trans "Login" %}">
                     </div>
                     <div class="form-group">
-                        <input type="password" name="password" class="form-control" placeholder="{% trans "Password" %}">
+                        <input type="password" name="auth-password" class="form-control" placeholder="{% trans "Password" %}">
                     </div>
                     <a role="button" class="btn btn-default" href="{% url 'registration_register' %}">{% trans "Register" %}</a>
                     <button type="submit" class="btn btn-primary">{% trans "Log in" %}</button>
diff --git a/oioioi/base/templates/registration/login.html b/oioioi/base/templates/registration/login.html
deleted file mode 100644
index 9c49f1e60..000000000
--- a/oioioi/base/templates/registration/login.html
+++ /dev/null
@@ -1,66 +0,0 @@
-{% extends "base.html" %}
-
-{% load i18n simple_filters %}
-
-{% block body %}
-    <div class="row">
-        <div class="well col-sm-10 col-sm-offset-1 col-md-8 col-md-offset-2 col-lg-6 col-lg-offset-3">
-            <form method="post" class="form-horizontal">
-                {% csrf_token %}
-                <div class="form-group">
-                    <div class="text-center">
-                        <h1>{% trans "Log in" %}</h1>
-                    </div>
-                </div>
-
-                {% if form.non_field_errors %}
-                    <div class="form-group">
-                        <div class="col-xs-12">
-                            {% for error in form.non_field_errors %}
-                                <div class="alert alert-danger" role="alert">
-                                    <span class="glyphicon glyphicon-exclamation-sign" aria-hidden="true"></span>
-                                    <span class="sr-only">{% trans "Error" %}:</span>
-                                    {{ error }}
-                                </div>
-                            {% endfor %}
-                        </div>
-                    </div>
-                {% endif %}
-
-                {% for field in form.visible_fields %}
-                    <div class="form-group{% if field.errors %} has-error{% endif %}">
-                        {% if display_labels != False %}
-                            <label for="{{ field.auto_id }}" class="col-sm-4 control-label">
-                                {{ field.label }}
-                            </label>
-                        {% endif %}
-                        <div class="col-sm-8">
-                            {{ field | add_class:"form-control" }}
-                            {% for error in field.errors %}
-                                <div class="help-block">{{ error }}</div>
-                            {% endfor %}
-                            {% if field.help_text %}
-                                <div class="help-block">{{ field.help_text }}</div>
-                            {% endif %}
-                        </div>
-                    </div>
-                {% endfor %}
-
-                <div class="form-group">
-                    <div class="col-sm-offset-4 col-sm-8">
-                        <button id="id_submit" type="submit" class="btn btn-primary">
-                            {% trans "Log in" %}
-                        </button>
-                    </div>
-                </div>
-
-                <div class="form-group">
-                    <div class="col-sm-offset-4 col-sm-8">
-                        <p><a href="{% url 'auth_password_reset' %}">{% trans "Forgot password?" %}</a></p>
-                        <p><a href="{% url 'registration_register' %}">{% trans "Want to create an account?" %}</a></p>
-                    </div>
-                </div>
-            </form>
-        </div>
-    </div>
-{% endblock %}
diff --git a/oioioi/base/templates/two_factor/_base.html b/oioioi/base/templates/two_factor/_base.html
new file mode 100644
index 000000000..ee598818c
--- /dev/null
+++ b/oioioi/base/templates/two_factor/_base.html
@@ -0,0 +1 @@
+{% extends "simple-centered.html" %}
diff --git a/oioioi/base/templates/two_factor/_base_focus.html b/oioioi/base/templates/two_factor/_base_focus.html
new file mode 100644
index 000000000..f5a255845
--- /dev/null
+++ b/oioioi/base/templates/two_factor/_base_focus.html
@@ -0,0 +1,9 @@
+{% extends "two_factor/_base.html" %}
+
+{% block body %}
+  <div class="row padding-bottom-md">
+    <div class="col-md-8 col-md-offset-2">
+      {% block content %}{% endblock %}
+    </div>
+  </div>
+{% endblock %}
diff --git a/oioioi/base/templates/two_factor/_wizard_actions.html b/oioioi/base/templates/two_factor/_wizard_actions.html
new file mode 100644
index 000000000..7c6345bfb
--- /dev/null
+++ b/oioioi/base/templates/two_factor/_wizard_actions.html
@@ -0,0 +1,24 @@
+{% load i18n %}
+
+{% comment %}
+  Our changes:
+
+  Moved cancel button to the end, so now using tab key
+  we iterate over buttons in natural order.
+{% endcomment %}
+
+{% if wizard.steps.prev %}
+  <button name="wizard_goto_step" type="submit"
+          value="{{ wizard.steps.prev }}"
+          class="btn btn-default">{% trans "Back" %}</button>
+{% else %}
+  <button disabled name="" type="button"
+          class="btn btn-disabled">{% trans "Back" %}</button>
+{% endif %}
+
+<button type="submit" class="btn btn-primary">{% trans "Next" %}</button>
+
+{% if cancel_url %}
+  <a href="{{ cancel_url }}"
+     class="pull-right btn btn-link">{% trans "Cancel" %}</a>
+{% endif %}
diff --git a/oioioi/base/templates/two_factor/_wizard_forms.html b/oioioi/base/templates/two_factor/_wizard_forms.html
new file mode 100644
index 000000000..29df44215
--- /dev/null
+++ b/oioioi/base/templates/two_factor/_wizard_forms.html
@@ -0,0 +1,4 @@
+{{ wizard.management_form }}
+<div class="form-horizontal">
+  {% include "ingredients/form-horizontal.html" with form=wizard.form %}
+</div>
diff --git a/oioioi/base/templates/two_factor/core/login.html b/oioioi/base/templates/two_factor/core/login.html
new file mode 100644
index 000000000..b91b4c773
--- /dev/null
+++ b/oioioi/base/templates/two_factor/core/login.html
@@ -0,0 +1,73 @@
+{% extends "two_factor/_base_focus.html" %}
+{% load i18n two_factor %}
+
+{% block content %}
+  {% comment %}
+    Our changes:
+
+    * Using well for better looking form
+    * Centered "Log in" heading, also using "Log in" instead of "Login"
+    * Adding links to password reset and registration
+    * Removed "Enter your credentials." message (wizard.steps.current == 'auth')
+  {% endcomment %}
+
+  <div class="well">
+    <div class="form-group">
+      <div class="text-center">
+        <h1>{% block title %}{% trans "Log in" %}{% endblock %}</h1>
+      </div>
+    </div>
+
+    {% if wizard.steps.current == 'token' %}
+      {% if device.method == 'call' %}
+        <p>{% blocktrans %}We are calling your phone right now, please enter the
+          digits you hear.{% endblocktrans %}</p>
+      {% elif device.method == 'sms' %}
+        <p>{% blocktrans %}We sent you a text message, please enter the tokens we
+          sent.{% endblocktrans %}</p>
+      {% else %}
+        <p>{% blocktrans %}Please enter the tokens generated by your token
+          generator.{% endblocktrans %}</p>
+      {% endif %}
+    {% elif wizard.steps.current == 'backup' %}
+      <p>{% blocktrans %}Use this form for entering backup tokens for logging in.
+        These tokens have been generated for you to print and keep safe. Please
+        enter one of these backup tokens to login to your account.{% endblocktrans %}</p>
+    {% endif %}
+
+    <form action="" method="post">
+      {% csrf_token %}
+      {% include "two_factor/_wizard_forms.html" %}
+
+      {# hidden submit button to enable [enter] key #}
+      <div style="margin-left: -9999px"><input type="submit" value=""/></div>
+
+      {% if other_devices %}
+        <p>{% trans "Or, alternatively, use one of your backup phones:" %}</p>
+        <p>
+          {% for other in other_devices %}
+          <button name="challenge_device" value="{{ other.persistent_id }}"
+                  class="btn btn-default btn-block" type="submit">
+            {{ other|device_action }}
+          </button>
+        {% endfor %}</p>
+      {% endif %}
+      {% if backup_tokens %}
+        <p>{% trans "As a last resort, you can use a backup token:" %}</p>
+        <p>
+          <button name="wizard_goto_step" type="submit" value="backup"
+                  class="btn btn-default btn-block">{% trans "Use Backup Token" %}</button>
+        </p>
+      {% endif %}
+
+      {% if wizard.steps.current == 'auth' %}
+        <div class="form-group">
+          <p><a href="{% url 'auth_password_reset' %}">{% trans "Forgot password?" %}</a></p>
+          <p><a href="{% url 'registration_register' %}">{% trans "Want to create an account?" %}</a></p>
+        </div>
+      {% endif %}
+
+      {% include "two_factor/_wizard_actions.html" %}
+    </form>
+  </div>
+{% endblock %}
diff --git a/oioioi/base/templates/two_factor/core/setup.html b/oioioi/base/templates/two_factor/core/setup.html
new file mode 100644
index 000000000..e8ae68fd1
--- /dev/null
+++ b/oioioi/base/templates/two_factor/core/setup.html
@@ -0,0 +1,62 @@
+{% extends "two_factor/_base_focus.html" %}
+{% load i18n %}
+
+{% block content %}
+  {% comment %}
+    Our changes:
+
+    * Centered QR code.
+  {% endcomment %}
+
+  <h1>{% block title %}{% trans "Enable Two-Factor Authentication" %}{% endblock %}</h1>
+  {% if wizard.steps.current == 'welcome' %}
+    <p>{% blocktrans %}You are about to take your account security to the
+        next level. Follow the steps in this wizard to enable two-factor
+        authentication.{% endblocktrans %}</p>
+  {% elif wizard.steps.current == 'method' %}
+    <p>{% blocktrans %}Please select which authentication method you would
+        like to use.{% endblocktrans %}</p>
+  {% elif wizard.steps.current == 'generator' %}
+    <p>{% blocktrans %}To start using a token generator, please use your
+        smartphone to scan the QR code below. For example, use Google
+        Authenticator. Then, enter the token generated by the app.
+        {% endblocktrans %}</p>
+    <p class="text-center"><img src="{{ QR_URL }}" alt="QR Code" /></p>
+  {% elif wizard.steps.current == 'sms' %}
+    <p>{% blocktrans %}Please enter the phone number you wish to receive the
+      text messages on. This number will be validated in the next step.
+      {% endblocktrans %}</p>
+  {% elif wizard.steps.current == 'call' %}
+    <p>{% blocktrans %}Please enter the phone number you wish to be called on.
+      This number will be validated in the next step. {% endblocktrans %}</p>
+  {% elif wizard.steps.current == 'validation' %}
+    {% if challenge_succeeded %}
+      {% if device.method == 'call' %}
+        <p>{% blocktrans %}We are calling your phone right now, please enter the
+          digits you hear.{% endblocktrans %}</p>
+      {% elif device.method == 'sms' %}
+        <p>{% blocktrans %}We sent you a text message, please enter the tokens we
+          sent.{% endblocktrans %}</p>
+      {% endif %}
+    {% else %}
+      <p class="alert alert-warning" role="alert">{% blocktrans %}We've
+        encountered an issue with the selected authentication method. Please
+        go back and verify that you entered your information correctly, try
+        again, or use a different authentication method instead. If the issue
+        persists, contact the site administrator.{% endblocktrans %}</p>
+    {% endif %}
+  {% elif wizard.steps.current == 'yubikey' %}
+    <p>{% blocktrans %}To identify and verify your YubiKey, please insert a
+      token in the field below. Your YubiKey will be linked to your
+      account.{% endblocktrans %}</p>
+  {% endif %}
+
+  <form action="" method="post">{% csrf_token %}
+    {% include "two_factor/_wizard_forms.html" %}
+
+    {# hidden submit button to enable [enter] key #}
+    <div style="margin-left: -9999px"><input type="submit" value=""/></div>
+
+    {% include "two_factor/_wizard_actions.html" %}
+  </form>
+{% endblock %}
diff --git a/oioioi/base/templates/two_factor/profile/disable.html b/oioioi/base/templates/two_factor/profile/disable.html
new file mode 100644
index 000000000..c65ac3334
--- /dev/null
+++ b/oioioi/base/templates/two_factor/profile/disable.html
@@ -0,0 +1,21 @@
+{% extends "two_factor/_base_focus.html" %}
+{% load i18n %}
+
+{% block content %}
+  {% comment %}
+    Our changes:
+
+    * Using newer version of this file (1.7.0 or little bit newer).
+    * Rendering checkbox with our form template.
+  {% endcomment %}
+
+  <h1>{% block title %}{% trans "Disable Two-factor Authentication" %}{% endblock %}</h1>
+  <p>{% blocktrans %}You are about to disable two-factor authentication. This
+    weakens your account security, are you sure?{% endblocktrans %}</p>
+  <form method="post">
+    {% csrf_token %}
+    {% include "ingredients/form.html" with form=form %}
+    <button class="btn btn-danger"
+            type="submit">{% trans "Disable" %}</button>
+  </form>
+{% endblock %}
diff --git a/oioioi/base/templates/two_factor/profile/profile.html b/oioioi/base/templates/two_factor/profile/profile.html
new file mode 100644
index 000000000..788f1c2f2
--- /dev/null
+++ b/oioioi/base/templates/two_factor/profile/profile.html
@@ -0,0 +1,70 @@
+{% extends "two_factor/_base.html" %}
+{% load i18n two_factor %}
+
+{% block content %}
+  {% comment %}
+    Our changes:
+
+    * Using newer version of this file (1.7.0 or little bit newer)
+      (this means phone methods are not listed what is what we want since we don't support them)
+  {% endcomment %}
+
+  <h1>{% block title %}{% trans "Account Security" %}{% endblock %}</h1>
+
+  {% if default_device %}
+    {% if default_device_type == 'TOTPDevice' %}
+      <p>{% trans "Tokens will be generated by your token generator." %}</p>
+    {% elif default_device_type == 'PhoneDevice' %}
+      <p>{% blocktrans with primary=default_device|device_action %}Primary method: {{ primary }}{% endblocktrans %}</p>
+    {% elif default_device_type == 'RemoteYubikeyDevice' %}
+      <p>{% blocktrans %}Tokens will be generated by your YubiKey.{% endblocktrans %}</p>
+    {% endif %}
+
+    {% if available_phone_methods %}
+      <h2>{% trans "Backup Phone Numbers" %}</h2>
+      <p>{% blocktrans %}If your primary method is not available, we are able to
+        send backup tokens to the phone numbers listed below.{% endblocktrans %}</p>
+      <ul>
+        {% for phone in backup_phones %}
+          <li>
+            {{ phone|device_action }}
+            <form method="post" action="{% url 'two_factor:phone_delete' phone.id %}"
+                  onsubmit="return confirm('Are you sure?')">
+              {% csrf_token %}
+              <button class="btn btn-xs btn-warning"
+                      type="submit">{% trans "Unregister" %}</button>
+            </form>
+          </li>
+        {% endfor %}
+      </ul>
+      <p><a href="{% url 'two_factor:phone_create' %}"
+        class="btn btn-info">{% trans "Add Phone Number" %}</a></p>
+    {% endif %}
+
+    <h2>{% trans "Backup Tokens" %}</h2>
+    <p>
+      {% blocktrans %}If you don't have any device with you, you can access
+        your account using backup tokens.{% endblocktrans %}
+      {% blocktrans count counter=backup_tokens %}
+        You have only one backup token remaining.
+      {% plural %}
+        You have {{ counter }} backup tokens remaining.
+      {% endblocktrans %}
+    </p>
+    <p><a href="{% url 'two_factor:backup_tokens' %}"
+          class="btn btn-info">{% trans "Show Codes" %}</a></p>
+
+    <h3>{% trans "Disable Two-Factor Authentication" %}</h3>
+    <p>{% blocktrans %}However we strongly discourage you to do so, you can
+      also disable two-factor authentication for your account.{% endblocktrans %}</p>
+    <p><a class="btn btn-default" href="{% url 'two_factor:disable' %}">
+      {% trans "Disable Two-Factor Authentication" %}</a></p>
+  {% else %}
+    <p>{% blocktrans %}Two-factor authentication is not enabled for your
+      account. Enable two-factor authentication for enhanced account
+      security.{% endblocktrans %}</p>
+    <p><a href="{% url 'two_factor:setup' %}" class="btn btn-primary">
+      {% trans "Enable Two-Factor Authentication" %}</a>
+    </p>
+  {% endif %}
+{% endblock %}
diff --git a/oioioi/base/urls.py b/oioioi/base/urls.py
index 40e9bc2d8..0ed25bc0c 100644
--- a/oioioi/base/urls.py
+++ b/oioioi/base/urls.py
@@ -1,9 +1,10 @@
-from django.conf.urls import url
+from django.conf.urls import url, include
 
 from oioioi.base import admin, views
 from oioioi.base.main_page import main_page_view
 
 urlpatterns = [
+    url(r'', include('two_factor.urls', 'two_factor')),
     url(r'^force_error/$', views.force_error_view, name='force_error'),
     url(r'^force_permission_denied/$', views.force_permission_denied_view,
         name='force_permission_denied'),
@@ -15,6 +16,8 @@
         name='delete_account'),
     url(r'^generate_key/$', views.generate_key_view, name='generate_key'),
 
+# don't include without appropriate patching! admincdocs provides its own
+# login view which can be used to bypass 2FA.
 #   url(r'^admin/doc/', include('django.contrib.admindocs.urls')),
     url(r'^admin/logout/$', views.logout_view),
     url(r'^admin/', admin.site.urls),
diff --git a/oioioi/base/views.py b/oioioi/base/views.py
index 85a5fa070..80db5e410 100644
--- a/oioioi/base/views.py
+++ b/oioioi/base/views.py
@@ -9,8 +9,7 @@
 from django.views.decorators.http import require_POST, require_GET
 from django.core.exceptions import SuspiciousOperation
 from django.core.urlresolvers import reverse, reverse_lazy
-from django.contrib.auth.views import logout as auth_logout, \
-                                      login as auth_login
+from django.contrib.auth.views import logout as auth_logout
 from django.views.decorators.vary import vary_on_headers, vary_on_cookie
 from django.views.decorators.cache import cache_control
 from django.views.defaults import page_not_found
@@ -24,8 +23,12 @@
 from oioioi.base.processors import site_name
 import traceback
 
+from two_factor.views import LoginView as Login2FAView
+
 account_menu_registry.register('change_password', _("Change password"),
         lambda request: reverse('auth_password_change'), order=100)
+account_menu_registry.register('two_factor_auth', _("Two factor authentication"),
+        lambda request: reverse('two_factor:profile'), order=150)
 
 
 class ForcedError(StandardError):
@@ -113,7 +116,7 @@ def login_view(request, redirect_field_name=REDIRECT_FIELD_NAME, **kwargs):
         redirect_to = request.GET.get(redirect_field_name, None)
         return safe_redirect(request, redirect_to)
     else:
-        return auth_login(request, extra_context=site_name(request), **kwargs)
+        return Login2FAView.as_view(**kwargs)(request)
 
 
 @require_GET
diff --git a/oioioi/default_settings.py b/oioioi/default_settings.py
index 9b1f2f248..b209c2b29 100755
--- a/oioioi/default_settings.py
+++ b/oioioi/default_settings.py
@@ -144,6 +144,7 @@
     'django.middleware.common.CommonMiddleware',
     'django.middleware.csrf.CsrfViewMiddleware',
     'django.contrib.auth.middleware.AuthenticationMiddleware',
+    'django_otp.middleware.OTPMiddleware',  # must be after AuthenticationMiddleware
     'oioioi.base.middleware.AnnotateUserBackendMiddleware',
     'oioioi.su.middleware.SuAuthenticationMiddleware',
     'oioioi.su.middleware.SuFirstTimeRedirectionMiddleware',
@@ -167,8 +168,9 @@
 
 ROOT_URLCONF = 'oioioi.urls'
 
-LOGIN_URL = '/login'
+LOGIN_URL = 'two_factor:login'
 LOGIN_REDIRECT_URL = '/'
+LOGOUT_REDIRECT_URL = '/'
 
 # Python dotted path to the WSGI application used by Django's runserver.
 WSGI_APPLICATION = 'wsgi.application'
@@ -224,6 +226,11 @@
     'django.contrib.messages',
     'django.contrib.staticfiles',
     'django.contrib.sites',
+
+    'django_otp',
+    'django_otp.plugins.otp_static',
+    'django_otp.plugins.otp_totp',
+    'two_factor',
 )
 
 AUTHENTICATION_BACKENDS = (
diff --git a/oioioi/maintenancemode/tests.py b/oioioi/maintenancemode/tests.py
index c2a335147..b1e4a0fe8 100644
--- a/oioioi/maintenancemode/tests.py
+++ b/oioioi/maintenancemode/tests.py
@@ -24,7 +24,7 @@ def test_not_logged_redirect(self):
         self.assertRedirects(response, reverse('maintenance'))
         self.assertEquals(response.context['message'], 'test message')
         self.assertContains(response, 'test message')
-        response = self.client.post(reverse('login'))
+        response = self.client.get(reverse('login'))
         self.assertEquals(response.status_code, 200)
 
     def test_logged_user_redirect(self):
diff --git a/setup.py b/setup.py
index 888504e49..4ef1af4ee 100644
--- a/setup.py
+++ b/setup.py
@@ -30,7 +30,7 @@
     author_email='sio2@sio2project.mimuw.edu.pl',
     url='http://sio2project.mimuw.edu.pl',
     install_requires=[
-        "Django>=1.9,<1.10",
+        "Django>=1.9,<1.10",  # when upgrading, upgrade also django-two-factor-auth!
         "pytz>=2013b",
         "sqlalchemy",
         "BeautifulSoup",
@@ -39,6 +39,7 @@
         # Earlier versions of django-nose are incompatible with Django 1.9
         "django-nose>=1.4",
         "nose-picker>=0.5.3",
+        "django-two-factor-auth==1.5.0",  # latest version for Django 1.9
 
         "django-registration-redux>=1.6,<2.0",