fix(identity): remove access tokens when auth method is removed

Merge pull request #2741 from phamleduy04/sort-repo-github-intergration-app
Add sort to Github integration dropdown box
2025-07-28 02:53:22 +00:00 · 2024-11-19 22:24:17 +04:00 · 2024-11-19 11:46:43 -05:00 · 2024-11-19 08:45:38 -08:00 · 2024-11-19 08:30:58 -08:00 · 2024-11-19 08:16:30 -08:00
107 changed files with 3208 additions and 902 deletions
--- a/.github/workflows/release_build_infisical_cli.yml
+++ b/.github/workflows/release_build_infisical_cli.yml
@@ -10,8 +10,7 @@ on:

 permissions:
    contents: write
-    # packages: write
-    # issues: write
+
 jobs:
    cli-integration-tests:
        name: Run tests before deployment
@@ -26,6 +25,63 @@ jobs:
            CLI_TESTS_USER_PASSWORD: ${{ secrets.CLI_TESTS_USER_PASSWORD }}
            CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE: ${{ secrets.CLI_TESTS_INFISICAL_VAULT_FILE_PASSPHRASE }}

+    npm-release:
+        runs-on: ubuntu-20.04
+        env:
+            working-directory: ./npm
+        needs:
+            - cli-integration-tests
+            - goreleaser
+        steps:
+            - uses: actions/checkout@v3
+              with:
+                  fetch-depth: 0
+
+            - name: Extract version
+              run: |
+                  VERSION=$(echo ${{ github.ref_name }} | sed 's/infisical-cli\/v//')
+                  echo "Version extracted: $VERSION"
+                  echo "CLI_VERSION=$VERSION" >> $GITHUB_ENV
+
+            - name: Print version
+              run: echo ${{ env.CLI_VERSION }}
+
+            - name: Setup Node
+              uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
+              with:
+                  node-version: 20
+                  cache: "npm"
+                  cache-dependency-path: ./npm/package-lock.json
+            - name: Install dependencies
+              working-directory: ${{ env.working-directory }}
+              run: npm install --ignore-scripts
+
+            - name: Set NPM version
+              working-directory: ${{ env.working-directory }}
+              run: npm version ${{ env.CLI_VERSION }} --allow-same-version --no-git-tag-version
+
+            - name: Setup NPM
+              working-directory: ${{ env.working-directory }}
+              run: |
+                  echo 'registry="https://registry.npmjs.org/"' > ./.npmrc
+                  echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ./.npmrc
+
+                  echo 'registry="https://registry.npmjs.org/"' > ~/.npmrc
+                  echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ~/.npmrc
+              env:
+                  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+            - name: Pack NPM
+              working-directory: ${{ env.working-directory }}
+              run: npm pack
+
+            - name: Publish NPM
+              working-directory: ${{ env.working-directory }}
+              run: npm publish --tarball=./infisical-sdk-${{github.ref_name}} --access public --registry=https://registry.npmjs.org/
+              env:
+                  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+                  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
    goreleaser:
        runs-on: ubuntu-20.04
        needs: [cli-integration-tests]
--- a/.gitignore
+++ b/.gitignore
@@ -71,3 +71,5 @@ frontend-build
 cli/infisical-merge
 cli/test/infisical-merge
 /backend/binary
+
+/npm/bin
--- a/backend/e2e-test/mocks/smtp.ts
+++ b/backend/e2e-test/mocks/smtp.ts
@@ -5,6 +5,9 @@ export const mockSmtpServer = (): TSmtpService => {
  return {
    sendMail: async (data) => {
      storage.push(data);
+    },
+    verify: async () => {
+      return true;
    }
  };
 };
--- a/backend/package-lock.json
+++ b/backend/package-lock.json
@@ -75,6 +75,7 @@
        "openid-client": "^5.6.5",
        "ora": "^7.0.1",
        "oracledb": "^6.4.0",
+        "otplib": "^12.0.1",
        "passport-github": "^1.1.0",
        "passport-gitlab2": "^5.0.0",
        "passport-google-oauth20": "^2.0.0",
@@ -6815,6 +6816,48 @@
        "node": ">=8.0.0"
      }
    },
+    "node_modules/@otplib/core": {
+      "version": "12.0.1",
+      "resolved": "https://registry.npmjs.org/@otplib/core/-/core-12.0.1.tgz",
+      "integrity": "sha512-4sGntwbA/AC+SbPhbsziRiD+jNDdIzsZ3JUyfZwjtKyc/wufl1pnSIaG4Uqx8ymPagujub0o92kgBnB89cuAMA=="
+    },
+    "node_modules/@otplib/plugin-crypto": {
+      "version": "12.0.1",
+      "resolved": "https://registry.npmjs.org/@otplib/plugin-crypto/-/plugin-crypto-12.0.1.tgz",
+      "integrity": "sha512-qPuhN3QrT7ZZLcLCyKOSNhuijUi9G5guMRVrxq63r9YNOxxQjPm59gVxLM+7xGnHnM6cimY57tuKsjK7y9LM1g==",
+      "dependencies": {
+        "@otplib/core": "^12.0.1"
+      }
+    },
+    "node_modules/@otplib/plugin-thirty-two": {
+      "version": "12.0.1",
+      "resolved": "https://registry.npmjs.org/@otplib/plugin-thirty-two/-/plugin-thirty-two-12.0.1.tgz",
+      "integrity": "sha512-MtT+uqRso909UkbrrYpJ6XFjj9D+x2Py7KjTO9JDPhL0bJUYVu5kFP4TFZW4NFAywrAtFRxOVY261u0qwb93gA==",
+      "dependencies": {
+        "@otplib/core": "^12.0.1",
+        "thirty-two": "^1.0.2"
+      }
+    },
+    "node_modules/@otplib/preset-default": {
+      "version": "12.0.1",
+      "resolved": "https://registry.npmjs.org/@otplib/preset-default/-/preset-default-12.0.1.tgz",
+      "integrity": "sha512-xf1v9oOJRyXfluBhMdpOkr+bsE+Irt+0D5uHtvg6x1eosfmHCsCC6ej/m7FXiWqdo0+ZUI6xSKDhJwc8yfiOPQ==",
+      "dependencies": {
+        "@otplib/core": "^12.0.1",
+        "@otplib/plugin-crypto": "^12.0.1",
+        "@otplib/plugin-thirty-two": "^12.0.1"
+      }
+    },
+    "node_modules/@otplib/preset-v11": {
+      "version": "12.0.1",
+      "resolved": "https://registry.npmjs.org/@otplib/preset-v11/-/preset-v11-12.0.1.tgz",
+      "integrity": "sha512-9hSetMI7ECqbFiKICrNa4w70deTUfArtwXykPUvSHWOdzOlfa9ajglu7mNCntlvxycTiOAXkQGwjQCzzDEMRMg==",
+      "dependencies": {
+        "@otplib/core": "^12.0.1",
+        "@otplib/plugin-crypto": "^12.0.1",
+        "@otplib/plugin-thirty-two": "^12.0.1"
+      }
+    },
    "node_modules/@peculiar/asn1-cms": {
      "version": "2.3.8",
      "resolved": "https://registry.npmjs.org/@peculiar/asn1-cms/-/asn1-cms-2.3.8.tgz",
@@ -16453,6 +16496,16 @@
        "node": ">=14.6"
      }
    },
+    "node_modules/otplib": {
+      "version": "12.0.1",
+      "resolved": "https://registry.npmjs.org/otplib/-/otplib-12.0.1.tgz",
+      "integrity": "sha512-xDGvUOQjop7RDgxTQ+o4pOol0/3xSZzawTiPKRrHnQWAy0WjhNs/5HdIDJCrqC4MBynmjXgULc6YfioaxZeFgg==",
+      "dependencies": {
+        "@otplib/core": "^12.0.1",
+        "@otplib/preset-default": "^12.0.1",
+        "@otplib/preset-v11": "^12.0.1"
+      }
+    },
    "node_modules/p-finally": {
      "version": "1.0.0",
      "resolved": "https://registry.npmjs.org/p-finally/-/p-finally-1.0.0.tgz",
@@ -19553,6 +19606,14 @@
        "node": ">=0.8"
      }
    },
+    "node_modules/thirty-two": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/thirty-two/-/thirty-two-1.0.2.tgz",
+      "integrity": "sha512-OEI0IWCe+Dw46019YLl6V10Us5bi574EvlJEOcAkB29IzQ/mYD1A6RyNHLjZPiHCmuodxvgF6U+vZO1L15lxVA==",
+      "engines": {
+        "node": ">=0.2.6"
+      }
+    },
    "node_modules/thread-stream": {
      "version": "2.4.1",
      "resolved": "https://registry.npmjs.org/thread-stream/-/thread-stream-2.4.1.tgz",
--- a/backend/package.json
+++ b/backend/package.json
@@ -50,6 +50,7 @@
    "auditlog-migration:down": "knex --knexfile ./src/db/auditlog-knexfile.ts --client pg migrate:down",
    "auditlog-migration:list": "knex --knexfile ./src/db/auditlog-knexfile.ts --client pg migrate:list",
    "auditlog-migration:status": "knex --knexfile ./src/db/auditlog-knexfile.ts --client pg migrate:status",
+    "auditlog-migration:unlock": "knex --knexfile ./src/db/auditlog-knexfile.ts migrate:unlock",
    "auditlog-migration:rollback": "knex --knexfile ./src/db/auditlog-knexfile.ts migrate:rollback",
    "migration:new": "tsx ./scripts/create-migration.ts",
    "migration:up": "npm run auditlog-migration:up && knex --knexfile ./src/db/knexfile.ts --client pg migrate:up",
@@ -58,6 +59,7 @@
    "migration:latest": "npm run auditlog-migration:latest && knex --knexfile ./src/db/knexfile.ts --client pg migrate:latest",
    "migration:status": "npm run auditlog-migration:status && knex --knexfile ./src/db/knexfile.ts --client pg migrate:status",
    "migration:rollback": "npm run auditlog-migration:rollback && knex --knexfile ./src/db/knexfile.ts migrate:rollback",
+    "migration:unlock": "npm run auditlog-migration:unlock && knex --knexfile ./src/db/knexfile.ts migrate:unlock",
    "migrate:org": "tsx ./scripts/migrate-organization.ts",
    "seed:new": "tsx ./scripts/create-seed-file.ts",
    "seed": "knex --knexfile ./src/db/knexfile.ts --client pg seed:run",
@@ -181,6 +183,7 @@
    "openid-client": "^5.6.5",
    "ora": "^7.0.1",
    "oracledb": "^6.4.0",
+    "otplib": "^12.0.1",
    "passport-github": "^1.1.0",
    "passport-gitlab2": "^5.0.0",
    "passport-google-oauth20": "^2.0.0",
--- a/backend/scripts/migrate-organization.ts
+++ b/backend/scripts/migrate-organization.ts
@@ -8,61 +8,80 @@ const prompt = promptSync({
  sigint: true
 });

+const sanitizeInputParam = (value: string) => {
+  // Escape double quotes and wrap the entire value in double quotes
+  if (value) {
+    return `"${value.replace(/"/g, '\\"')}"`;
+  }
+  return '""';
+};
+
 const exportDb = () => {
-  const exportHost = prompt("Enter your Postgres Host to migrate from: ");
-  const exportPort = prompt("Enter your Postgres Port to migrate from [Default = 5432]: ") ?? "5432";
-  const exportUser = prompt("Enter your Postgres User to migrate from: [Default = infisical]: ") ?? "infisical";
-  const exportPassword = prompt("Enter your Postgres Password to migrate from: ");
-  const exportDatabase = prompt("Enter your Postgres Database to migrate from [Default = infisical]: ") ?? "infisical";
+  const exportHost = sanitizeInputParam(prompt("Enter your Postgres Host to migrate from: "));
+  const exportPort = sanitizeInputParam(
+    prompt("Enter your Postgres Port to migrate from [Default = 5432]: ") ?? "5432"
+  );
+  const exportUser = sanitizeInputParam(
+    prompt("Enter your Postgres User to migrate from: [Default = infisical]: ") ?? "infisical"
+  );
+  const exportPassword = sanitizeInputParam(prompt("Enter your Postgres Password to migrate from: "));
+  const exportDatabase = sanitizeInputParam(
+    prompt("Enter your Postgres Database to migrate from [Default = infisical]: ") ?? "infisical"
+  );

  // we do not include the audit_log and secret_sharing entries
  execSync(
-    `PGDATABASE="${exportDatabase}" PGPASSWORD="${exportPassword}" PGHOST="${exportHost}" PGPORT=${exportPort} PGUSER=${exportUser} pg_dump infisical --exclude-table-data="secret_sharing" --exclude-table-data="audit_log*" > ${path.join(
+    `PGDATABASE=${exportDatabase} PGPASSWORD=${exportPassword} PGHOST=${exportHost} PGPORT=${exportPort} PGUSER=${exportUser} pg_dump -Fc infisical --exclude-table-data="secret_sharing" --exclude-table-data="audit_log*" > ${path.join(
      __dirname,
-      "../src/db/dump.sql"
+      "../src/db/backup.dump"
    )}`,
    { stdio: "inherit" }
  );
 };

 const importDbForOrg = () => {
-  const importHost = prompt("Enter your Postgres Host to migrate to: ");
-  const importPort = prompt("Enter your Postgres Port to migrate to [Default = 5432]: ") ?? "5432";
-  const importUser = prompt("Enter your Postgres User to migrate to: [Default = infisical]: ") ?? "infisical";
-  const importPassword = prompt("Enter your Postgres Password to migrate to: ");
-  const importDatabase = prompt("Enter your Postgres Database to migrate to [Default = infisical]: ") ?? "infisical";
-  const orgId = prompt("Enter the organization ID to migrate: ");
+  const importHost = sanitizeInputParam(prompt("Enter your Postgres Host to migrate to: "));
+  const importPort = sanitizeInputParam(prompt("Enter your Postgres Port to migrate to [Default = 5432]: ") ?? "5432");
+  const importUser = sanitizeInputParam(
+    prompt("Enter your Postgres User to migrate to: [Default = infisical]: ") ?? "infisical"
+  );
+  const importPassword = sanitizeInputParam(prompt("Enter your Postgres Password to migrate to: "));
+  const importDatabase = sanitizeInputParam(
+    prompt("Enter your Postgres Database to migrate to [Default = infisical]: ") ?? "infisical"
+  );
+  const orgId = sanitizeInputParam(prompt("Enter the organization ID to migrate: "));

-  if (!existsSync(path.join(__dirname, "../src/db/dump.sql"))) {
+  if (!existsSync(path.join(__dirname, "../src/db/backup.dump"))) {
    console.log("File not found, please export the database first.");
    return;
  }

  execSync(
-    `PGDATABASE="${importDatabase}" PGPASSWORD="${importPassword}" PGHOST="${importHost}" PGPORT=${importPort} PGUSER=${importUser} psql -f ${path.join(
+    `PGDATABASE=${importDatabase} PGPASSWORD=${importPassword} PGHOST=${importHost} PGPORT=${importPort} PGUSER=${importUser} pg_restore -d ${importDatabase} --verbose ${path.join(
      __dirname,
-      "../src/db/dump.sql"
-    )}`
+      "../src/db/backup.dump"
+    )}`,
+    { maxBuffer: 1024 * 1024 * 4096 }
  );

  execSync(
-    `PGDATABASE="${importDatabase}" PGPASSWORD="${importPassword}" PGHOST="${importHost}" PGPORT=${importPort} PGUSER=${importUser} psql -c "DELETE FROM public.organizations WHERE id != '${orgId}'"`
+    `PGDATABASE=${importDatabase} PGPASSWORD=${importPassword} PGHOST=${importHost} PGPORT=${importPort} PGUSER=${importUser} psql -c "DELETE FROM public.organizations WHERE id != '${orgId}'"`
  );

  // delete global/instance-level resources not relevant to the organization to migrate
  // users
  execSync(
-    `PGDATABASE="${importDatabase}" PGPASSWORD="${importPassword}" PGHOST="${importHost}" PGPORT=${importPort} PGUSER=${importUser} psql -c 'DELETE FROM users WHERE users.id NOT IN (SELECT org_memberships."userId" FROM org_memberships)'`
+    `PGDATABASE=${importDatabase} PGPASSWORD=${importPassword} PGHOST=${importHost} PGPORT=${importPort} PGUSER=${importUser} psql -c 'DELETE FROM users WHERE users.id NOT IN (SELECT org_memberships."userId" FROM org_memberships)'`
  );

  // identities
  execSync(
-    `PGDATABASE="${importDatabase}" PGPASSWORD="${importPassword}" PGHOST="${importHost}" PGPORT=${importPort} PGUSER=${importUser} psql -c 'DELETE FROM identities WHERE id NOT IN (SELECT "identityId" FROM identity_org_memberships)'`
+    `PGDATABASE=${importDatabase} PGPASSWORD=${importPassword} PGHOST=${importHost} PGPORT=${importPort} PGUSER=${importUser} psql -c 'DELETE FROM identities WHERE id NOT IN (SELECT "identityId" FROM identity_org_memberships)'`
  );

  // reset slack configuration in superAdmin
  execSync(
-    `PGDATABASE="${importDatabase}" PGPASSWORD="${importPassword}" PGHOST="${importHost}" PGPORT=${importPort} PGUSER=${importUser} psql -c 'UPDATE super_admin SET "encryptedSlackClientId" = null, "encryptedSlackClientSecret" = null'`
+    `PGDATABASE=${importDatabase} PGPASSWORD=${importPassword} PGHOST=${importHost} PGPORT=${importPort} PGUSER=${importUser} psql -c 'UPDATE super_admin SET "encryptedSlackClientId" = null, "encryptedSlackClientSecret" = null'`
  );

  console.log("Organization migrated successfully.");
--- a/backend/src/@types/fastify.d.ts
+++ b/backend/src/@types/fastify.d.ts
@@ -79,6 +79,7 @@ import { TServiceTokenServiceFactory } from "@app/services/service-token/service
 import { TSlackServiceFactory } from "@app/services/slack/slack-service";
 import { TSuperAdminServiceFactory } from "@app/services/super-admin/super-admin-service";
 import { TTelemetryServiceFactory } from "@app/services/telemetry/telemetry-service";
+import { TTotpServiceFactory } from "@app/services/totp/totp-service";
 import { TUserDALFactory } from "@app/services/user/user-dal";
 import { TUserServiceFactory } from "@app/services/user/user-service";
 import { TUserEngagementServiceFactory } from "@app/services/user-engagement/user-engagement-service";
@@ -193,6 +194,7 @@ declare module "fastify" {
      migration: TExternalMigrationServiceFactory;
      externalGroupOrgRoleMapping: TExternalGroupOrgRoleMappingServiceFactory;
      projectTemplate: TProjectTemplateServiceFactory;
+      totp: TTotpServiceFactory;
    };
    // this is exclusive use for middlewares in which we need to inject data
    // everywhere else access using service layer
--- a/backend/src/@types/knex.d.ts
+++ b/backend/src/@types/knex.d.ts
@@ -314,6 +314,9 @@ import {
  TSuperAdmin,
  TSuperAdminInsert,
  TSuperAdminUpdate,
+  TTotpConfigs,
+  TTotpConfigsInsert,
+  TTotpConfigsUpdate,
  TTrustedIps,
  TTrustedIpsInsert,
  TTrustedIpsUpdate,
@@ -826,5 +829,6 @@ declare module "knex/types/tables" {
      TProjectTemplatesInsert,
      TProjectTemplatesUpdate
    >;
+    [TableName.TotpConfig]: KnexOriginal.CompositeTableType<TTotpConfigs, TTotpConfigsInsert, TTotpConfigsUpdate>;
  }
 }
--- a/backend/src/db/migrations/20240802181855_ca-cert-version.ts
+++ b/backend/src/db/migrations/20240802181855_ca-cert-version.ts
@@ -64,23 +64,25 @@ export async function up(knex: Knex): Promise<void> {
  }

  if (await knex.schema.hasTable(TableName.Certificate)) {
-    await knex.schema.alterTable(TableName.Certificate, (t) => {
-      t.uuid("caCertId").nullable();
-      t.foreign("caCertId").references("id").inTable(TableName.CertificateAuthorityCert);
-    });
+    const hasCaCertIdColumn = await knex.schema.hasColumn(TableName.Certificate, "caCertId");
+    if (!hasCaCertIdColumn) {
+      await knex.schema.alterTable(TableName.Certificate, (t) => {
+        t.uuid("caCertId").nullable();
+        t.foreign("caCertId").references("id").inTable(TableName.CertificateAuthorityCert);
+      });

-    await knex.raw(`
+      await knex.raw(`
        UPDATE "${TableName.Certificate}" cert
        SET "caCertId" = (
          SELECT caCert.id
          FROM "${TableName.CertificateAuthorityCert}" caCert
          WHERE caCert."caId" = cert."caId"
-        )
-      `);
+        )`);

-    await knex.schema.alterTable(TableName.Certificate, (t) => {
-      t.uuid("caCertId").notNullable().alter();
-    });
+      await knex.schema.alterTable(TableName.Certificate, (t) => {
+        t.uuid("caCertId").notNullable().alter();
+      });
+    }
  }
 }

--- a/backend/src/db/migrations/20241014084900_identity-multiple-auth-methods.ts
+++ b/backend/src/db/migrations/20241014084900_identity-multiple-auth-methods.ts
@@ -2,7 +2,7 @@ import { Knex } from "knex";

 import { TableName } from "../schemas";

-const BATCH_SIZE = 30_000;
+const BATCH_SIZE = 10_000;

 export async function up(knex: Knex): Promise<void> {
  const hasAuthMethodColumnAccessToken = await knex.schema.hasColumn(TableName.IdentityAccessToken, "authMethod");
@@ -12,7 +12,18 @@ export async function up(knex: Knex): Promise<void> {
      t.string("authMethod").nullable();
    });

-    let nullableAccessTokens = await knex(TableName.IdentityAccessToken).whereNull("authMethod").limit(BATCH_SIZE);
+    // first we remove identities without auth method that is unused
+    // ! We delete all access tokens where the identity has no auth method set!
+    // ! Which means un-configured identities that for some reason have access tokens, will have their access tokens deleted.
+    await knex(TableName.IdentityAccessToken)
+      .leftJoin(TableName.Identity, `${TableName.Identity}.id`, `${TableName.IdentityAccessToken}.identityId`)
+      .whereNull(`${TableName.Identity}.authMethod`)
+      .delete();
+
+    let nullableAccessTokens = await knex(TableName.IdentityAccessToken)
+      .whereNull("authMethod")
+      .limit(BATCH_SIZE)
+      .select("id");
    let totalUpdated = 0;

    do {
@@ -33,24 +44,15 @@ export async function up(knex: Knex): Promise<void> {
        });

      // eslint-disable-next-line no-await-in-loop
-      nullableAccessTokens = await knex(TableName.IdentityAccessToken).whereNull("authMethod").limit(BATCH_SIZE);
+      nullableAccessTokens = await knex(TableName.IdentityAccessToken)
+        .whereNull("authMethod")
+        .limit(BATCH_SIZE)
+        .select("id");

      totalUpdated += batchIds.length;
      console.log(`Updated ${batchIds.length} access tokens in batch <> Total updated: ${totalUpdated}`);
    } while (nullableAccessTokens.length > 0);

-    // ! We delete all access tokens where the identity has no auth method set!
-    // ! Which means un-configured identities that for some reason have access tokens, will have their access tokens deleted.
-    await knex(TableName.IdentityAccessToken)
-      .whereNotExists((queryBuilder) => {
-        void queryBuilder
-          .select("id")
-          .from(TableName.Identity)
-          .whereRaw(`${TableName.IdentityAccessToken}."identityId" = ${TableName.Identity}.id`)
-          .whereNotNull("authMethod");
-      })
-      .delete();
-
    // Finally we set the authMethod to notNullable after populating the column.
    // This will fail if the data is not populated correctly, so it's safe.
    await knex.schema.alterTable(TableName.IdentityAccessToken, (t) => {
--- a/backend/src/db/migrations/20241110032223_add-missing-oidc-org-cascade-reference.ts
+++ b/backend/src/db/migrations/20241110032223_add-missing-oidc-org-cascade-reference.ts
@@ -0,0 +1,21 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.OidcConfig, "orgId")) {
+    await knex.schema.alterTable(TableName.OidcConfig, (t) => {
+      t.dropForeign("orgId");
+      t.foreign("orgId").references("id").inTable(TableName.Organization).onDelete("CASCADE");
+    });
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasColumn(TableName.OidcConfig, "orgId")) {
+    await knex.schema.alterTable(TableName.OidcConfig, (t) => {
+      t.dropForeign("orgId");
+      t.foreign("orgId").references("id").inTable(TableName.Organization);
+    });
+  }
+}
--- a/backend/src/db/migrations/20241112082701_add-totp-support.ts
+++ b/backend/src/db/migrations/20241112082701_add-totp-support.ts
@@ -0,0 +1,54 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.TotpConfig))) {
+    await knex.schema.createTable(TableName.TotpConfig, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.uuid("userId").notNullable();
+      t.foreign("userId").references("id").inTable(TableName.Users).onDelete("CASCADE");
+      t.boolean("isVerified").defaultTo(false).notNullable();
+      t.binary("encryptedRecoveryCodes").notNullable();
+      t.binary("encryptedSecret").notNullable();
+      t.timestamps(true, true, true);
+      t.unique("userId");
+    });
+
+    await createOnUpdateTrigger(knex, TableName.TotpConfig);
+  }
+
+  const doesOrgMfaMethodColExist = await knex.schema.hasColumn(TableName.Organization, "selectedMfaMethod");
+  await knex.schema.alterTable(TableName.Organization, (t) => {
+    if (!doesOrgMfaMethodColExist) {
+      t.string("selectedMfaMethod");
+    }
+  });
+
+  const doesUserSelectedMfaMethodColExist = await knex.schema.hasColumn(TableName.Users, "selectedMfaMethod");
+  await knex.schema.alterTable(TableName.Users, (t) => {
+    if (!doesUserSelectedMfaMethodColExist) {
+      t.string("selectedMfaMethod");
+    }
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await dropOnUpdateTrigger(knex, TableName.TotpConfig);
+  await knex.schema.dropTableIfExists(TableName.TotpConfig);
+
+  const doesOrgMfaMethodColExist = await knex.schema.hasColumn(TableName.Organization, "selectedMfaMethod");
+  await knex.schema.alterTable(TableName.Organization, (t) => {
+    if (doesOrgMfaMethodColExist) {
+      t.dropColumn("selectedMfaMethod");
+    }
+  });
+
+  const doesUserSelectedMfaMethodColExist = await knex.schema.hasColumn(TableName.Users, "selectedMfaMethod");
+  await knex.schema.alterTable(TableName.Users, (t) => {
+    if (doesUserSelectedMfaMethodColExist) {
+      t.dropColumn("selectedMfaMethod");
+    }
+  });
+}
--- a/backend/src/db/schemas/index.ts
+++ b/backend/src/db/schemas/index.ts
@@ -106,6 +106,7 @@ export * from "./secrets-v2";
 export * from "./service-tokens";
 export * from "./slack-integrations";
 export * from "./super-admin";
+export * from "./totp-configs";
 export * from "./trusted-ips";
 export * from "./user-actions";
 export * from "./user-aliases";
--- a/backend/src/db/schemas/models.ts
+++ b/backend/src/db/schemas/models.ts
@@ -117,6 +117,7 @@ export enum TableName {
  ExternalKms = "external_kms",
  InternalKms = "internal_kms",
  InternalKmsKeyVersion = "internal_kms_key_version",
+  TotpConfig = "totp_configs",
  // @depreciated
  KmsKeyVersion = "kms_key_versions",
  WorkflowIntegrations = "workflow_integrations",
--- a/backend/src/db/schemas/organizations.ts
+++ b/backend/src/db/schemas/organizations.ts
@@ -21,7 +21,8 @@ export const OrganizationsSchema = z.object({
  kmsDefaultKeyId: z.string().uuid().nullable().optional(),
  kmsEncryptedDataKey: zodBuffer.nullable().optional(),
  defaultMembershipRole: z.string().default("member"),
-  enforceMfa: z.boolean().default(false)
+  enforceMfa: z.boolean().default(false),
+  selectedMfaMethod: z.string().nullable().optional()
 });

 export type TOrganizations = z.infer<typeof OrganizationsSchema>;
--- a/backend/src/db/schemas/totp-configs.ts
+++ b/backend/src/db/schemas/totp-configs.ts
@@ -0,0 +1,24 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { zodBuffer } from "@app/lib/zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const TotpConfigsSchema = z.object({
+  id: z.string().uuid(),
+  userId: z.string().uuid(),
+  isVerified: z.boolean().default(false),
+  encryptedRecoveryCodes: zodBuffer,
+  encryptedSecret: zodBuffer,
+  createdAt: z.date(),
+  updatedAt: z.date()
+});
+
+export type TTotpConfigs = z.infer<typeof TotpConfigsSchema>;
+export type TTotpConfigsInsert = Omit<z.input<typeof TotpConfigsSchema>, TImmutableDBKeys>;
+export type TTotpConfigsUpdate = Partial<Omit<z.input<typeof TotpConfigsSchema>, TImmutableDBKeys>>;
--- a/backend/src/db/schemas/users.ts
+++ b/backend/src/db/schemas/users.ts
@@ -26,7 +26,8 @@ export const UsersSchema = z.object({
  consecutiveFailedMfaAttempts: z.number().default(0).nullable().optional(),
  isLocked: z.boolean().default(false).nullable().optional(),
  temporaryLockDateEnd: z.date().nullable().optional(),
-  consecutiveFailedPasswordAttempts: z.number().default(0).nullable().optional()
+  consecutiveFailedPasswordAttempts: z.number().default(0).nullable().optional(),
+  selectedMfaMethod: z.string().nullable().optional()
 });

 export type TUsers = z.infer<typeof UsersSchema>;
--- a/backend/src/db/utils.ts
+++ b/backend/src/db/utils.ts
@@ -2,6 +2,9 @@ import { Knex } from "knex";

 import { TableName } from "./schemas";

+interface PgTriggerResult {
+  rows: Array<{ exists: boolean }>;
+}
 export const createJunctionTable = (knex: Knex, tableName: TableName, table1Name: TableName, table2Name: TableName) =>
  knex.schema.createTable(tableName, (table) => {
    table.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
@@ -28,13 +31,26 @@ DROP FUNCTION IF EXISTS on_update_timestamp() CASCADE;

 // we would be using this to apply updatedAt where ever we wanta
 // remember to set `timestamps(true,true,true)` before this on schema
-export const createOnUpdateTrigger = (knex: Knex, tableName: string) =>
-  knex.raw(`
-CREATE TRIGGER "${tableName}_updatedAt"
-BEFORE UPDATE ON ${tableName}
-FOR EACH ROW
-EXECUTE PROCEDURE on_update_timestamp();
-`);
+export const createOnUpdateTrigger = async (knex: Knex, tableName: string) => {
+  const triggerExists = await knex.raw<PgTriggerResult>(`
+    SELECT EXISTS (
+      SELECT 1 
+      FROM pg_trigger 
+      WHERE tgname = '${tableName}_updatedAt'
+    );
+  `);
+
+  if (!triggerExists?.rows?.[0]?.exists) {
+    return knex.raw(`
+      CREATE TRIGGER "${tableName}_updatedAt"
+      BEFORE UPDATE ON ${tableName}
+      FOR EACH ROW
+      EXECUTE PROCEDURE on_update_timestamp();
+    `);
+  }
+
+  return null;
+};

 export const dropOnUpdateTrigger = (knex: Knex, tableName: string) =>
  knex.raw(`DROP TRIGGER IF EXISTS "${tableName}_updatedAt" ON ${tableName}`);
--- a/backend/src/ee/routes/v1/saml-router.ts
+++ b/backend/src/ee/routes/v1/saml-router.ts
@@ -122,6 +122,8 @@ export const registerSamlRouter = async (server: FastifyZodProvider) => {
              },
              `email: ${email} firstName: ${profile.firstName as string}`
            );
+
+            throw new Error("Invalid saml request. Missing email or first name");
          }

          const userMetadata = Object.keys(profile.attributes || {})
--- a/backend/src/ee/services/oidc/oidc-config-service.ts
+++ b/backend/src/ee/services/oidc/oidc-config-service.ts
@@ -17,7 +17,7 @@ import {
  infisicalSymmetricDecrypt,
  infisicalSymmetricEncypt
 } from "@app/lib/crypto/encryption";
-import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
+import { BadRequestError, ForbiddenRequestError, NotFoundError, OidcAuthError } from "@app/lib/errors";
 import { AuthMethod, AuthTokenType } from "@app/services/auth/auth-type";
 import { TAuthTokenServiceFactory } from "@app/services/auth-token/auth-token-service";
 import { TokenType } from "@app/services/auth-token/auth-token-types";
@@ -56,7 +56,7 @@ type TOidcConfigServiceFactoryDep = {
  orgBotDAL: Pick<TOrgBotDALFactory, "findOne" | "create" | "transaction">;
  licenseService: Pick<TLicenseServiceFactory, "getPlan" | "updateSubscriptionOrgMemberCount">;
  tokenService: Pick<TAuthTokenServiceFactory, "createTokenForUser">;
-  smtpService: Pick<TSmtpService, "sendMail">;
+  smtpService: Pick<TSmtpService, "sendMail" | "verify">;
  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
  oidcConfigDAL: Pick<TOidcConfigDALFactory, "findOne" | "update" | "create">;
 };
@@ -223,6 +223,7 @@ export const oidcConfigServiceFactory = ({
        let newUser: TUsers | undefined;

        if (serverCfg.trustOidcEmails) {
+          // we prioritize getting the most complete user to create the new alias under
          newUser = await userDAL.findOne(
            {
              email,
@@ -230,6 +231,23 @@ export const oidcConfigServiceFactory = ({
            },
            tx
          );
+
+          if (!newUser) {
+            // this fetches user entries created via invites
+            newUser = await userDAL.findOne(
+              {
+                username: email
+              },
+              tx
+            );
+
+            if (newUser && !newUser.isEmailVerified) {
+              // we automatically mark it as email-verified because we've configured trust for OIDC emails
+              newUser = await userDAL.updateById(newUser.id, {
+                isEmailVerified: true
+              });
+            }
+          }
        }

        if (!newUser) {
@@ -332,14 +350,20 @@ export const oidcConfigServiceFactory = ({
        userId: user.id
      });

-      await smtpService.sendMail({
-        template: SmtpTemplates.EmailVerification,
-        subjectLine: "Infisical confirmation code",
-        recipients: [user.email],
-        substitutions: {
-          code: token
-        }
-      });
+      await smtpService
+        .sendMail({
+          template: SmtpTemplates.EmailVerification,
+          subjectLine: "Infisical confirmation code",
+          recipients: [user.email],
+          substitutions: {
+            code: token
+          }
+        })
+        .catch((err: Error) => {
+          throw new OidcAuthError({
+            message: `Error sending email confirmation code for user registration - contact the Infisical instance admin. ${err.message}`
+          });
+        });
    }

    return { isUserCompleted, providerAuthToken };
@@ -395,6 +419,18 @@ export const oidcConfigServiceFactory = ({
        message: `Organization bot for organization with ID '${org.id}' not found`,
        name: "OrgBotNotFound"
      });
+
+    const serverCfg = await getServerCfg();
+    if (isActive && !serverCfg.trustOidcEmails) {
+      const isSmtpConnected = await smtpService.verify();
+      if (!isSmtpConnected) {
+        throw new BadRequestError({
+          message:
+            "Cannot enable OIDC when there are issues with the instance's SMTP configuration. Bypass this by turning on trust for OIDC emails in the server admin console."
+        });
+      }
+    }
+
    const key = infisicalSymmetricDecrypt({
      ciphertext: orgBot.encryptedSymmetricKey,
      iv: orgBot.symmetricKeyIV,
--- a/backend/src/ee/services/permission/permission-fns.ts
+++ b/backend/src/ee/services/permission/permission-fns.ts
@@ -29,4 +29,18 @@ function validateOrgSSO(actorAuthMethod: ActorAuthMethod, isOrgSsoEnforced: TOrg
  }
 }

-export { isAuthMethodSaml, validateOrgSSO };
+const escapeHandlebarsMissingMetadata = (obj: Record<string, string>) => {
+  const handler = {
+    get(target: Record<string, string>, prop: string) {
+      if (!(prop in target)) {
+        // eslint-disable-next-line no-param-reassign
+        target[prop] = `{{identity.metadata.${prop}}}`; // Add missing key as an "own" property
+      }
+      return target[prop];
+    }
+  };
+
+  return new Proxy(obj, handler);
+};
+
+export { escapeHandlebarsMissingMetadata, isAuthMethodSaml, validateOrgSSO };
--- a/backend/src/ee/services/permission/permission-service.ts
+++ b/backend/src/ee/services/permission/permission-service.ts
@@ -21,7 +21,7 @@ import { TServiceTokenDALFactory } from "@app/services/service-token/service-tok

 import { orgAdminPermissions, orgMemberPermissions, orgNoAccessPermissions, OrgPermissionSet } from "./org-permission";
 import { TPermissionDALFactory } from "./permission-dal";
-import { validateOrgSSO } from "./permission-fns";
+import { escapeHandlebarsMissingMetadata, validateOrgSSO } from "./permission-fns";
 import { TBuildOrgPermissionDTO, TBuildProjectPermissionDTO } from "./permission-service-types";
 import {
  buildServiceTokenProjectPermission,
@@ -227,11 +227,13 @@ export const permissionServiceFactory = ({
      })) || [];

    const rules = buildProjectPermissionRules(rolePermissions.concat(additionalPrivileges));
-    const templatedRules = handlebars.compile(JSON.stringify(rules), { data: false, strict: true });
-    const metadataKeyValuePair = objectify(
-      userProjectPermission.metadata,
-      (i) => i.key,
-      (i) => i.value
+    const templatedRules = handlebars.compile(JSON.stringify(rules), { data: false });
+    const metadataKeyValuePair = escapeHandlebarsMissingMetadata(
+      objectify(
+        userProjectPermission.metadata,
+        (i) => i.key,
+        (i) => i.value
+      )
    );
    const interpolateRules = templatedRules(
      {
@@ -292,12 +294,15 @@ export const permissionServiceFactory = ({
      })) || [];

    const rules = buildProjectPermissionRules(rolePermissions.concat(additionalPrivileges));
-    const templatedRules = handlebars.compile(JSON.stringify(rules), { data: false, strict: true });
-    const metadataKeyValuePair = objectify(
-      identityProjectPermission.metadata,
-      (i) => i.key,
-      (i) => i.value
+    const templatedRules = handlebars.compile(JSON.stringify(rules), { data: false });
+    const metadataKeyValuePair = escapeHandlebarsMissingMetadata(
+      objectify(
+        identityProjectPermission.metadata,
+        (i) => i.key,
+        (i) => i.value
+      )
    );
+
    const interpolateRules = templatedRules(
      {
        identity: {
--- a/backend/src/lib/errors/index.ts
+++ b/backend/src/lib/errors/index.ts
@@ -133,3 +133,15 @@ export class ScimRequestError extends Error {
    this.status = status;
  }
 }
+
+export class OidcAuthError extends Error {
+  name: string;
+
+  error: unknown;
+
+  constructor({ name, error, message }: { message?: string; name?: string; error?: unknown }) {
+    super(message || "Something went wrong");
+    this.name = name || "OidcAuthError";
+    this.error = error;
+  }
+}
--- a/backend/src/server/boot-strap-check.ts
+++ b/backend/src/server/boot-strap-check.ts
@@ -46,10 +46,10 @@ export const bootstrapCheck = async ({ db }: BootstrapOpt) => {
  await createTransport(smtpCfg)
    .verify()
    .then(async () => {
-      console.info("SMTP successfully connected");
+      console.info(`SMTP - Verified connection to ${appCfg.SMTP_HOST}:${appCfg.SMTP_PORT}`);
    })
-    .catch((err) => {
-      console.error(`SMTP - Failed to connect to ${appCfg.SMTP_HOST}:${appCfg.SMTP_PORT}`);
+    .catch((err: Error) => {
+      console.error(`SMTP - Failed to connect to ${appCfg.SMTP_HOST}:${appCfg.SMTP_PORT} - ${err.message}`);
      logger.error(err);
    });

--- a/backend/src/server/plugins/error-handler.ts
+++ b/backend/src/server/plugins/error-handler.ts
@@ -10,6 +10,7 @@ import {
  GatewayTimeoutError,
  InternalServerError,
  NotFoundError,
+  OidcAuthError,
  RateLimitError,
  ScimRequestError,
  UnauthorizedError
@@ -83,7 +84,10 @@ export const fastifyErrHandler = fastifyPlugin(async (server: FastifyZodProvider
        status: error.status,
        detail: error.detail
      });
-      // Handle JWT errors and make them more human-readable for the end-user.
+    } else if (error instanceof OidcAuthError) {
+      void res
+        .status(HttpStatusCodes.InternalServerError)
+        .send({ statusCode: HttpStatusCodes.InternalServerError, message: error.message, error: error.name });
    } else if (error instanceof jwt.JsonWebTokenError) {
      const message = (() => {
        if (error.message === JWTErrors.JwtExpired) {
--- a/backend/src/server/routes/index.ts
+++ b/backend/src/server/routes/index.ts
@@ -201,6 +201,8 @@ import { getServerCfg, superAdminServiceFactory } from "@app/services/super-admi
 import { telemetryDALFactory } from "@app/services/telemetry/telemetry-dal";
 import { telemetryQueueServiceFactory } from "@app/services/telemetry/telemetry-queue";
 import { telemetryServiceFactory } from "@app/services/telemetry/telemetry-service";
+import { totpConfigDALFactory } from "@app/services/totp/totp-config-dal";
+import { totpServiceFactory } from "@app/services/totp/totp-service";
 import { userDALFactory } from "@app/services/user/user-dal";
 import { userServiceFactory } from "@app/services/user/user-service";
 import { userAliasDALFactory } from "@app/services/user-alias/user-alias-dal";
@@ -348,6 +350,7 @@ export const registerRoutes = async (
  const slackIntegrationDAL = slackIntegrationDALFactory(db);
  const projectSlackConfigDAL = projectSlackConfigDALFactory(db);
  const workflowIntegrationDAL = workflowIntegrationDALFactory(db);
+  const totpConfigDAL = totpConfigDALFactory(db);

  const externalGroupOrgRoleMappingDAL = externalGroupOrgRoleMappingDALFactory(db);

@@ -511,12 +514,19 @@ export const registerRoutes = async (
    projectMembershipDAL
  });

-  const loginService = authLoginServiceFactory({ userDAL, smtpService, tokenService, orgDAL });
+  const totpService = totpServiceFactory({
+    totpConfigDAL,
+    userDAL,
+    kmsService
+  });
+
+  const loginService = authLoginServiceFactory({ userDAL, smtpService, tokenService, orgDAL, totpService });
  const passwordService = authPaswordServiceFactory({
    tokenService,
    smtpService,
    authDAL,
-    userDAL
+    userDAL,
+    totpConfigDAL
  });

  const projectBotService = projectBotServiceFactory({ permissionService, projectBotDAL, projectDAL });
@@ -1369,7 +1379,8 @@ export const registerRoutes = async (
    workflowIntegration: workflowIntegrationService,
    migration: migrationService,
    externalGroupOrgRoleMapping: externalGroupOrgRoleMappingService,
-    projectTemplate: projectTemplateService
+    projectTemplate: projectTemplateService,
+    totp: totpService
  });

  const cronJobs: CronJob[] = [];
--- a/backend/src/server/routes/v1/auth-router.ts
+++ b/backend/src/server/routes/v1/auth-router.ts
@@ -108,7 +108,8 @@ export const registerAuthRoutes = async (server: FastifyZodProvider) => {
          tokenVersionId: tokenVersion.id,
          accessVersion: tokenVersion.accessVersion,
          organizationId: decodedToken.organizationId,
-          isMfaVerified: decodedToken.isMfaVerified
+          isMfaVerified: decodedToken.isMfaVerified,
+          mfaMethod: decodedToken.mfaMethod
        },
        appCfg.AUTH_SECRET,
        { expiresIn: appCfg.JWT_AUTH_LIFETIME }
--- a/backend/src/server/routes/v1/dashboard-router.ts
+++ b/backend/src/server/routes/v1/dashboard-router.ts
@@ -840,4 +840,91 @@ export const registerDashboardRouter = async (server: FastifyZodProvider) => {
      };
    }
  });
+
+  server.route({
+    method: "GET",
+    url: "/secrets-by-keys",
+    config: {
+      rateLimit: secretsLimit
+    },
+    schema: {
+      security: [
+        {
+          bearerAuth: []
+        }
+      ],
+      querystring: z.object({
+        projectId: z.string().trim(),
+        environment: z.string().trim(),
+        secretPath: z.string().trim().default("/").transform(removeTrailingSlash),
+        keys: z.string().trim().transform(decodeURIComponent)
+      }),
+      response: {
+        200: z.object({
+          secrets: secretRawSchema
+            .extend({
+              secretPath: z.string().optional(),
+              tags: SecretTagsSchema.pick({
+                id: true,
+                slug: true,
+                color: true
+              })
+                .extend({ name: z.string() })
+                .array()
+                .optional()
+            })
+            .array()
+            .optional()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      const { secretPath, projectId, environment } = req.query;
+
+      const keys = req.query.keys?.split(",").filter((key) => Boolean(key.trim())) ?? [];
+      if (!keys.length) throw new BadRequestError({ message: "One or more keys required" });
+
+      const { secrets } = await server.services.secret.getSecretsRaw({
+        actorId: req.permission.id,
+        actor: req.permission.type,
+        actorOrgId: req.permission.orgId,
+        environment,
+        actorAuthMethod: req.permission.authMethod,
+        projectId,
+        path: secretPath,
+        keys
+      });
+
+      await server.services.auditLog.createAuditLog({
+        projectId,
+        ...req.auditLogInfo,
+        event: {
+          type: EventType.GET_SECRETS,
+          metadata: {
+            environment,
+            secretPath,
+            numberOfSecrets: secrets.length
+          }
+        }
+      });
+
+      if (getUserAgentType(req.headers["user-agent"]) !== UserAgentType.K8_OPERATOR) {
+        await server.services.telemetry.sendPostHogEvents({
+          event: PostHogEventTypes.SecretPulled,
+          distinctId: getTelemetryDistinctId(req),
+          properties: {
+            numberOfSecrets: secrets.length,
+            workspaceId: projectId,
+            environment,
+            secretPath,
+            channel: getUserAgentType(req.headers["user-agent"]),
+            ...req.auditLogInfo
+          }
+        });
+      }
+
+      return { secrets };
+    }
+  });
 };
--- a/backend/src/server/routes/v1/organization-router.ts
+++ b/backend/src/server/routes/v1/organization-router.ts
@@ -15,7 +15,7 @@ import { AUDIT_LOGS, ORGANIZATIONS } from "@app/lib/api-docs";
 import { getLastMidnightDateISO } from "@app/lib/fn";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { ActorType, AuthMode } from "@app/services/auth/auth-type";
+import { ActorType, AuthMode, MfaMethod } from "@app/services/auth/auth-type";

 import { integrationAuthPubSchema } from "../sanitizedSchemas";

@@ -259,7 +259,8 @@ export const registerOrgRouter = async (server: FastifyZodProvider) => {
            message: "Membership role must be a valid slug"
          })
          .optional(),
-        enforceMfa: z.boolean().optional()
+        enforceMfa: z.boolean().optional(),
+        selectedMfaMethod: z.nativeEnum(MfaMethod).optional()
      }),
      response: {
        200: z.object({
--- a/backend/src/server/routes/v1/user-router.ts
+++ b/backend/src/server/routes/v1/user-router.ts
@@ -169,4 +169,103 @@ export const registerUserRouter = async (server: FastifyZodProvider) => {
      return groupMemberships;
    }
  });
+
+  server.route({
+    method: "GET",
+    url: "/me/totp",
+    config: {
+      rateLimit: readLimit
+    },
+    schema: {
+      response: {
+        200: z.object({
+          isVerified: z.boolean(),
+          recoveryCodes: z.string().array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      return server.services.totp.getUserTotpConfig({
+        userId: req.permission.id
+      });
+    }
+  });
+
+  server.route({
+    method: "DELETE",
+    url: "/me/totp",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      return server.services.totp.deleteUserTotpConfig({
+        userId: req.permission.id
+      });
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/me/totp/register",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      response: {
+        200: z.object({
+          otpUrl: z.string(),
+          recoveryCodes: z.string().array()
+        })
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT], {
+      requireOrg: false
+    }),
+    handler: async (req) => {
+      return server.services.totp.registerUserTotp({
+        userId: req.permission.id
+      });
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/me/totp/verify",
+    config: {
+      rateLimit: writeLimit
+    },
+    schema: {
+      body: z.object({
+        totp: z.string()
+      }),
+      response: {
+        200: z.object({})
+      }
+    },
+    onRequest: verifyAuth([AuthMode.JWT], {
+      requireOrg: false
+    }),
+    handler: async (req) => {
+      return server.services.totp.verifyUserTotpConfig({
+        userId: req.permission.id,
+        totp: req.body.totp
+      });
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/me/totp/recovery-codes",
+    config: {
+      rateLimit: writeLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    handler: async (req) => {
+      return server.services.totp.createUserTotpRecoveryCodes({
+        userId: req.permission.id
+      });
+    }
+  });
 };
--- a/backend/src/server/routes/v2/mfa-router.ts
+++ b/backend/src/server/routes/v2/mfa-router.ts
@@ -2,8 +2,9 @@ import jwt from "jsonwebtoken";
 import { z } from "zod";

 import { getConfig } from "@app/lib/config/env";
+import { BadRequestError, NotFoundError } from "@app/lib/errors";
 import { mfaRateLimit } from "@app/server/config/rateLimiter";
-import { AuthModeMfaJwtTokenPayload, AuthTokenType } from "@app/services/auth/auth-type";
+import { AuthModeMfaJwtTokenPayload, AuthTokenType, MfaMethod } from "@app/services/auth/auth-type";

 export const registerMfaRouter = async (server: FastifyZodProvider) => {
  const cfg = getConfig();
@@ -49,6 +50,38 @@ export const registerMfaRouter = async (server: FastifyZodProvider) => {
    }
  });

+  server.route({
+    method: "GET",
+    url: "/mfa/check/totp",
+    config: {
+      rateLimit: mfaRateLimit
+    },
+    schema: {
+      response: {
+        200: z.object({
+          isVerified: z.boolean()
+        })
+      }
+    },
+    handler: async (req) => {
+      try {
+        const totpConfig = await server.services.totp.getUserTotpConfig({
+          userId: req.mfa.userId
+        });
+
+        return {
+          isVerified: Boolean(totpConfig)
+        };
+      } catch (error) {
+        if (error instanceof NotFoundError || error instanceof BadRequestError) {
+          return { isVerified: false };
+        }
+
+        throw error;
+      }
+    }
+  });
+
  server.route({
    url: "/mfa/verify",
    method: "POST",
@@ -57,7 +90,8 @@ export const registerMfaRouter = async (server: FastifyZodProvider) => {
    },
    schema: {
      body: z.object({
-        mfaToken: z.string().trim()
+        mfaToken: z.string().trim(),
+        mfaMethod: z.nativeEnum(MfaMethod).optional().default(MfaMethod.EMAIL)
      }),
      response: {
        200: z.object({
@@ -86,7 +120,8 @@ export const registerMfaRouter = async (server: FastifyZodProvider) => {
        ip: req.realIp,
        userId: req.mfa.userId,
        orgId: req.mfa.orgId,
-        mfaToken: req.body.mfaToken
+        mfaToken: req.body.mfaToken,
+        mfaMethod: req.body.mfaMethod
      });

      void res.setCookie("jid", token.refresh, {
--- a/backend/src/server/routes/v2/project-membership-router.ts
+++ b/backend/src/server/routes/v2/project-membership-router.ts
@@ -27,7 +27,7 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
      body: z.object({
        emails: z.string().email().array().default([]).describe(PROJECT_USERS.INVITE_MEMBER.emails),
        usernames: z.string().array().default([]).describe(PROJECT_USERS.INVITE_MEMBER.usernames),
-        roleSlugs: z.string().array().optional().describe(PROJECT_USERS.INVITE_MEMBER.roleSlugs)
+        roleSlugs: z.string().array().min(1).optional().describe(PROJECT_USERS.INVITE_MEMBER.roleSlugs)
      }),
      response: {
        200: z.object({
@@ -49,7 +49,7 @@ export const registerProjectMembershipRouter = async (server: FastifyZodProvider
        projects: [
          {
            id: req.params.projectId,
-            projectRoleSlug: [ProjectMembershipRole.Member]
+            projectRoleSlug: req.body.roleSlugs || [ProjectMembershipRole.Member]
          }
        ]
      });
--- a/backend/src/server/routes/v2/user-router.ts
+++ b/backend/src/server/routes/v2/user-router.ts
@@ -4,7 +4,7 @@ import { AuthTokenSessionsSchema, OrganizationsSchema, UserEncryptionKeysSchema,
 import { ApiKeysSchema } from "@app/db/schemas/api-keys";
 import { authRateLimit, readLimit, writeLimit } from "@app/server/config/rateLimiter";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
-import { AuthMethod, AuthMode } from "@app/services/auth/auth-type";
+import { AuthMethod, AuthMode, MfaMethod } from "@app/services/auth/auth-type";

 export const registerUserRouter = async (server: FastifyZodProvider) => {
  server.route({
@@ -56,7 +56,8 @@ export const registerUserRouter = async (server: FastifyZodProvider) => {
    },
    schema: {
      body: z.object({
-        isMfaEnabled: z.boolean()
+        isMfaEnabled: z.boolean().optional(),
+        selectedMfaMethod: z.nativeEnum(MfaMethod).optional()
      }),
      response: {
        200: z.object({
@@ -66,7 +67,12 @@ export const registerUserRouter = async (server: FastifyZodProvider) => {
    },
    preHandler: verifyAuth([AuthMode.JWT, AuthMode.API_KEY]),
    handler: async (req) => {
-      const user = await server.services.user.toggleUserMfa(req.permission.id, req.body.isMfaEnabled);
+      const user = await server.services.user.updateUserMfa({
+        userId: req.permission.id,
+        isMfaEnabled: req.body.isMfaEnabled,
+        selectedMfaMethod: req.body.selectedMfaMethod
+      });
+
      return { user };
    }
  });
--- a/backend/src/server/routes/v3/login-router.ts
+++ b/backend/src/server/routes/v3/login-router.ts
@@ -48,7 +48,8 @@ export const registerLoginRouter = async (server: FastifyZodProvider) => {
      response: {
        200: z.object({
          token: z.string(),
-          isMfaEnabled: z.boolean()
+          isMfaEnabled: z.boolean(),
+          mfaMethod: z.string().optional()
        })
      }
    },
@@ -64,7 +65,8 @@ export const registerLoginRouter = async (server: FastifyZodProvider) => {
      if (tokens.isMfaEnabled) {
        return {
          token: tokens.mfa as string,
-          isMfaEnabled: true
+          isMfaEnabled: true,
+          mfaMethod: tokens.mfaMethod
        };
      }

--- a/backend/src/services/auth/auth-login-service.ts
+++ b/backend/src/services/auth/auth-login-service.ts
@@ -17,6 +17,7 @@ import { TokenType } from "../auth-token/auth-token-types";
 import { TOrgDALFactory } from "../org/org-dal";
 import { SmtpTemplates, TSmtpService } from "../smtp/smtp-service";
 import { LoginMethod } from "../super-admin/super-admin-types";
+import { TTotpServiceFactory } from "../totp/totp-service";
 import { TUserDALFactory } from "../user/user-dal";
 import { enforceUserLockStatus, validateProviderAuthToken } from "./auth-fns";
 import {
@@ -26,13 +27,14 @@ import {
  TOauthTokenExchangeDTO,
  TVerifyMfaTokenDTO
 } from "./auth-login-type";
-import { AuthMethod, AuthModeJwtTokenPayload, AuthModeMfaJwtTokenPayload, AuthTokenType } from "./auth-type";
+import { AuthMethod, AuthModeJwtTokenPayload, AuthModeMfaJwtTokenPayload, AuthTokenType, MfaMethod } from "./auth-type";

 type TAuthLoginServiceFactoryDep = {
  userDAL: TUserDALFactory;
  orgDAL: TOrgDALFactory;
  tokenService: TAuthTokenServiceFactory;
  smtpService: TSmtpService;
+  totpService: Pick<TTotpServiceFactory, "verifyUserTotp" | "verifyWithUserRecoveryCode">;
 };

 export type TAuthLoginFactory = ReturnType<typeof authLoginServiceFactory>;
@@ -40,7 +42,8 @@ export const authLoginServiceFactory = ({
  userDAL,
  tokenService,
  smtpService,
-  orgDAL
+  orgDAL,
+  totpService
 }: TAuthLoginServiceFactoryDep) => {
  /*
   * Private
@@ -100,7 +103,8 @@ export const authLoginServiceFactory = ({
    userAgent,
    organizationId,
    authMethod,
-    isMfaVerified
+    isMfaVerified,
+    mfaMethod
  }: {
    user: TUsers;
    ip: string;
@@ -108,6 +112,7 @@ export const authLoginServiceFactory = ({
    organizationId?: string;
    authMethod: AuthMethod;
    isMfaVerified?: boolean;
+    mfaMethod?: MfaMethod;
  }) => {
    const cfg = getConfig();
    await updateUserDeviceSession(user, ip, userAgent);
@@ -126,7 +131,8 @@ export const authLoginServiceFactory = ({
        tokenVersionId: tokenSession.id,
        accessVersion: tokenSession.accessVersion,
        organizationId,
-        isMfaVerified
+        isMfaVerified,
+        mfaMethod
      },
      cfg.AUTH_SECRET,
      { expiresIn: cfg.JWT_AUTH_LIFETIME }
@@ -140,7 +146,8 @@ export const authLoginServiceFactory = ({
        tokenVersionId: tokenSession.id,
        refreshVersion: tokenSession.refreshVersion,
        organizationId,
-        isMfaVerified
+        isMfaVerified,
+        mfaMethod
      },
      cfg.AUTH_SECRET,
      { expiresIn: cfg.JWT_REFRESH_LIFETIME }
@@ -353,8 +360,12 @@ export const authLoginServiceFactory = ({
      });
    }

-    // send multi factor auth token if they it enabled
-    if ((selectedOrg.enforceMfa || user.isMfaEnabled) && user.email && !decodedToken.isMfaVerified) {
+    const shouldCheckMfa = selectedOrg.enforceMfa || user.isMfaEnabled;
+    const orgMfaMethod = selectedOrg.enforceMfa ? selectedOrg.selectedMfaMethod ?? MfaMethod.EMAIL : undefined;
+    const userMfaMethod = user.isMfaEnabled ? user.selectedMfaMethod ?? MfaMethod.EMAIL : undefined;
+    const mfaMethod = orgMfaMethod ?? userMfaMethod;
+
+    if (shouldCheckMfa && (!decodedToken.isMfaVerified || decodedToken.mfaMethod !== mfaMethod)) {
      enforceUserLockStatus(Boolean(user.isLocked), user.temporaryLockDateEnd);

      const mfaToken = jwt.sign(
@@ -369,12 +380,14 @@ export const authLoginServiceFactory = ({
        }
      );

-      await sendUserMfaCode({
-        userId: user.id,
-        email: user.email
-      });
+      if (mfaMethod === MfaMethod.EMAIL && user.email) {
+        await sendUserMfaCode({
+          userId: user.id,
+          email: user.email
+        });
+      }

-      return { isMfaEnabled: true, mfa: mfaToken } as const;
+      return { isMfaEnabled: true, mfa: mfaToken, mfaMethod } as const;
    }

    const tokens = await generateUserTokens({
@@ -383,7 +396,8 @@ export const authLoginServiceFactory = ({
      userAgent,
      ip: ipAddress,
      organizationId,
-      isMfaVerified: decodedToken.isMfaVerified
+      isMfaVerified: decodedToken.isMfaVerified,
+      mfaMethod: decodedToken.mfaMethod
    });

    return {
@@ -458,17 +472,39 @@ export const authLoginServiceFactory = ({
   * Multi factor authentication verification of code
   * Third step of login in which user completes with mfa
   * */
-  const verifyMfaToken = async ({ userId, mfaToken, mfaJwtToken, ip, userAgent, orgId }: TVerifyMfaTokenDTO) => {
+  const verifyMfaToken = async ({
+    userId,
+    mfaToken,
+    mfaMethod,
+    mfaJwtToken,
+    ip,
+    userAgent,
+    orgId
+  }: TVerifyMfaTokenDTO) => {
    const appCfg = getConfig();
    const user = await userDAL.findById(userId);
    enforceUserLockStatus(Boolean(user.isLocked), user.temporaryLockDateEnd);

    try {
-      await tokenService.validateTokenForUser({
-        type: TokenType.TOKEN_EMAIL_MFA,
-        userId,
-        code: mfaToken
-      });
+      if (mfaMethod === MfaMethod.EMAIL) {
+        await tokenService.validateTokenForUser({
+          type: TokenType.TOKEN_EMAIL_MFA,
+          userId,
+          code: mfaToken
+        });
+      } else if (mfaMethod === MfaMethod.TOTP) {
+        if (mfaToken.length === 6) {
+          await totpService.verifyUserTotp({
+            userId,
+            totp: mfaToken
+          });
+        } else {
+          await totpService.verifyWithUserRecoveryCode({
+            userId,
+            recoveryCode: mfaToken
+          });
+        }
+      }
    } catch (err) {
      const updatedUser = await processFailedMfaAttempt(userId);
      if (updatedUser.isLocked) {
@@ -513,7 +549,8 @@ export const authLoginServiceFactory = ({
      userAgent,
      organizationId: orgId,
      authMethod: decodedToken.authMethod,
-      isMfaVerified: true
+      isMfaVerified: true,
+      mfaMethod
    });

    return { token, user: userEnc };
--- a/backend/src/services/auth/auth-login-type.ts
+++ b/backend/src/services/auth/auth-login-type.ts
@@ -1,4 +1,4 @@
-import { AuthMethod } from "./auth-type";
+import { AuthMethod, MfaMethod } from "./auth-type";

 export type TLoginGenServerPublicKeyDTO = {
  email: string;
@@ -19,6 +19,7 @@ export type TLoginClientProofDTO = {
 export type TVerifyMfaTokenDTO = {
  userId: string;
  mfaToken: string;
+  mfaMethod: MfaMethod;
  mfaJwtToken: string;
  ip: string;
  userAgent: string;
--- a/backend/src/services/auth/auth-password-service.ts
+++ b/backend/src/services/auth/auth-password-service.ts
@@ -8,6 +8,7 @@ import { generateSrpServerKey, srpCheckClientProof } from "@app/lib/crypto";
 import { TAuthTokenServiceFactory } from "../auth-token/auth-token-service";
 import { TokenType } from "../auth-token/auth-token-types";
 import { SmtpTemplates, TSmtpService } from "../smtp/smtp-service";
+import { TTotpConfigDALFactory } from "../totp/totp-config-dal";
 import { TUserDALFactory } from "../user/user-dal";
 import { TAuthDALFactory } from "./auth-dal";
 import { TChangePasswordDTO, TCreateBackupPrivateKeyDTO, TResetPasswordViaBackupKeyDTO } from "./auth-password-type";
@@ -18,6 +19,7 @@ type TAuthPasswordServiceFactoryDep = {
  userDAL: TUserDALFactory;
  tokenService: TAuthTokenServiceFactory;
  smtpService: TSmtpService;
+  totpConfigDAL: Pick<TTotpConfigDALFactory, "delete">;
 };

 export type TAuthPasswordFactory = ReturnType<typeof authPaswordServiceFactory>;
@@ -25,7 +27,8 @@ export const authPaswordServiceFactory = ({
  authDAL,
  userDAL,
  tokenService,
-  smtpService
+  smtpService,
+  totpConfigDAL
 }: TAuthPasswordServiceFactoryDep) => {
  /*
   * Pre setup for pass change with srp protocol
@@ -185,6 +188,12 @@ export const authPaswordServiceFactory = ({
      temporaryLockDateEnd: null,
      consecutiveFailedMfaAttempts: 0
    });
+
+    /* we reset the mobile authenticator configs of the user
+    because we want this to be one of the recovery modes from account lockout */
+    await totpConfigDAL.delete({
+      userId
+    });
  };

  /*
--- a/backend/src/services/auth/auth-type.ts
+++ b/backend/src/services/auth/auth-type.ts
@@ -53,6 +53,7 @@ export type AuthModeJwtTokenPayload = {
  accessVersion: number;
  organizationId?: string;
  isMfaVerified?: boolean;
+  mfaMethod?: MfaMethod;
 };

 export type AuthModeMfaJwtTokenPayload = {
@@ -71,6 +72,7 @@ export type AuthModeRefreshJwtTokenPayload = {
  refreshVersion: number;
  organizationId?: string;
  isMfaVerified?: boolean;
+  mfaMethod?: MfaMethod;
 };

 export type AuthModeProviderJwtTokenPayload = {
@@ -85,3 +87,8 @@ export type AuthModeProviderSignUpTokenPayload = {
  authTokenType: AuthTokenType.SIGNUP_TOKEN;
  userId: string;
 };
+
+export enum MfaMethod {
+  EMAIL = "email",
+  TOTP = "totp"
+}
--- a/backend/src/services/identity-aws-auth/identity-aws-auth-service.ts
+++ b/backend/src/services/identity-aws-auth/identity-aws-auth-service.ts
@@ -29,7 +29,7 @@ import {
 } from "./identity-aws-auth-types";

 type TIdentityAwsAuthServiceFactoryDep = {
-  identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create">;
+  identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create" | "delete">;
  identityAwsAuthDAL: Pick<TIdentityAwsAuthDALFactory, "findOne" | "transaction" | "create" | "updateById" | "delete">;
  identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne">;
  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
@@ -346,6 +346,8 @@ export const identityAwsAuthServiceFactory = ({

    const revokedIdentityAwsAuth = await identityAwsAuthDAL.transaction(async (tx) => {
      const deletedAwsAuth = await identityAwsAuthDAL.delete({ identityId }, tx);
+      await identityAccessTokenDAL.delete({ identityId, authMethod: IdentityAuthMethod.AWS_AUTH }, tx);
+
      return { ...deletedAwsAuth?.[0], orgId: identityMembershipOrg.orgId };
    });
    return revokedIdentityAwsAuth;
--- a/backend/src/services/identity-azure-auth/identity-azure-auth-service.ts
+++ b/backend/src/services/identity-azure-auth/identity-azure-auth-service.ts
@@ -30,7 +30,7 @@ type TIdentityAzureAuthServiceFactoryDep = {
    "findOne" | "transaction" | "create" | "updateById" | "delete"
  >;
  identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne">;
-  identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create">;
+  identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create" | "delete">;
  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
 };
@@ -70,7 +70,9 @@ export const identityAzureAuthServiceFactory = ({
        .map((servicePrincipalId) => servicePrincipalId.trim())
        .some((servicePrincipalId) => servicePrincipalId === azureIdentity.oid);

-      if (!isServicePrincipalAllowed) throw new UnauthorizedError({ message: "Service principal not allowed" });
+      if (!isServicePrincipalAllowed) {
+        throw new UnauthorizedError({ message: `Service principal '${azureIdentity.oid}' not allowed` });
+      }
    }

    const identityAccessToken = await identityAzureAuthDAL.transaction(async (tx) => {
@@ -317,6 +319,8 @@ export const identityAzureAuthServiceFactory = ({

    const revokedIdentityAzureAuth = await identityAzureAuthDAL.transaction(async (tx) => {
      const deletedAzureAuth = await identityAzureAuthDAL.delete({ identityId }, tx);
+      await identityAccessTokenDAL.delete({ identityId, authMethod: IdentityAuthMethod.AZURE_AUTH }, tx);
+
      return { ...deletedAzureAuth?.[0], orgId: identityMembershipOrg.orgId };
    });
    return revokedIdentityAzureAuth;
--- a/backend/src/services/identity-gcp-auth/identity-gcp-auth-service.ts
+++ b/backend/src/services/identity-gcp-auth/identity-gcp-auth-service.ts
@@ -28,7 +28,7 @@ import {
 type TIdentityGcpAuthServiceFactoryDep = {
  identityGcpAuthDAL: Pick<TIdentityGcpAuthDALFactory, "findOne" | "transaction" | "create" | "updateById" | "delete">;
  identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne">;
-  identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create">;
+  identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create" | "delete">;
  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
 };
@@ -365,6 +365,8 @@ export const identityGcpAuthServiceFactory = ({

    const revokedIdentityGcpAuth = await identityGcpAuthDAL.transaction(async (tx) => {
      const deletedGcpAuth = await identityGcpAuthDAL.delete({ identityId }, tx);
+      await identityAccessTokenDAL.delete({ identityId, authMethod: IdentityAuthMethod.GCP_AUTH }, tx);
+
      return { ...deletedGcpAuth?.[0], orgId: identityMembershipOrg.orgId };
    });
    return revokedIdentityGcpAuth;
--- a/backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-service.ts
+++ b/backend/src/services/identity-kubernetes-auth/identity-kubernetes-auth-service.ts
@@ -41,7 +41,7 @@ type TIdentityKubernetesAuthServiceFactoryDep = {
    TIdentityKubernetesAuthDALFactory,
    "create" | "findOne" | "transaction" | "updateById" | "delete"
  >;
-  identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create">;
+  identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create" | "delete">;
  identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne" | "findById">;
  orgBotDAL: Pick<TOrgBotDALFactory, "findOne" | "transaction" | "create">;
  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
@@ -622,6 +622,7 @@ export const identityKubernetesAuthServiceFactory = ({

    const revokedIdentityKubernetesAuth = await identityKubernetesAuthDAL.transaction(async (tx) => {
      const deletedKubernetesAuth = await identityKubernetesAuthDAL.delete({ identityId }, tx);
+      await identityAccessTokenDAL.delete({ identityId, authMethod: IdentityAuthMethod.KUBERNETES_AUTH }, tx);
      return { ...deletedKubernetesAuth?.[0], orgId: identityMembershipOrg.orgId };
    });
    return revokedIdentityKubernetesAuth;
--- a/backend/src/services/identity-oidc-auth/identity-oidc-auth-service.ts
+++ b/backend/src/services/identity-oidc-auth/identity-oidc-auth-service.ts
@@ -39,7 +39,7 @@ import {
 type TIdentityOidcAuthServiceFactoryDep = {
  identityOidcAuthDAL: TIdentityOidcAuthDALFactory;
  identityOrgMembershipDAL: Pick<TIdentityOrgDALFactory, "findOne">;
-  identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create">;
+  identityAccessTokenDAL: Pick<TIdentityAccessTokenDALFactory, "create" | "delete">;
  permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
  licenseService: Pick<TLicenseServiceFactory, "getPlan">;
  orgBotDAL: Pick<TOrgBotDALFactory, "findOne" | "transaction" | "create">;
@@ -539,6 +539,8 @@ export const identityOidcAuthServiceFactory = ({

    const revokedIdentityOidcAuth = await identityOidcAuthDAL.transaction(async (tx) => {
      const deletedOidcAuth = await identityOidcAuthDAL.delete({ identityId }, tx);
+      await identityAccessTokenDAL.delete({ identityId, authMethod: IdentityAuthMethod.OIDC_AUTH }, tx);
+
      return { ...deletedOidcAuth?.[0], orgId: identityMembershipOrg.orgId };
    });

--- a/backend/src/services/org/org-service.ts
+++ b/backend/src/services/org/org-service.ts
@@ -268,7 +268,7 @@ export const orgServiceFactory = ({
    actorOrgId,
    actorAuthMethod,
    orgId,
-    data: { name, slug, authEnforced, scimEnabled, defaultMembershipRoleSlug, enforceMfa }
+    data: { name, slug, authEnforced, scimEnabled, defaultMembershipRoleSlug, enforceMfa, selectedMfaMethod }
  }: TUpdateOrgDTO) => {
    const appCfg = getConfig();
    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
@@ -333,7 +333,8 @@ export const orgServiceFactory = ({
      authEnforced,
      scimEnabled,
      defaultMembershipRole,
-      enforceMfa
+      enforceMfa,
+      selectedMfaMethod
    });
    if (!org) throw new NotFoundError({ message: `Organization with ID '${orgId}' not found` });
    return org;
--- a/backend/src/services/org/org-types.ts
+++ b/backend/src/services/org/org-types.ts
@@ -1,6 +1,6 @@
 import { TOrgPermission } from "@app/lib/types";

-import { ActorAuthMethod, ActorType } from "../auth/auth-type";
+import { ActorAuthMethod, ActorType, MfaMethod } from "../auth/auth-type";

 export type TUpdateOrgMembershipDTO = {
  userId: string;
@@ -65,6 +65,7 @@ export type TUpdateOrgDTO = {
    scimEnabled: boolean;
    defaultMembershipRoleSlug: string;
    enforceMfa: boolean;
+    selectedMfaMethod: MfaMethod;
  }>;
 } & TOrgPermission;

--- a/backend/src/services/secret-v2-bridge/secret-v2-bridge-dal.ts
+++ b/backend/src/services/secret-v2-bridge/secret-v2-bridge-dal.ts
@@ -361,6 +361,10 @@ export const secretV2BridgeDALFactory = (db: TDbClient) => {
              void bd.whereILike(`${TableName.SecretV2}.key`, `%${filters?.search}%`);
            }
          }
+
+          if (filters?.keys) {
+            void bd.whereIn(`${TableName.SecretV2}.key`, filters.keys);
+          }
        })
        .where((bd) => {
          void bd.whereNull(`${TableName.SecretV2}.userId`).orWhere({ userId: userId || null });
--- a/backend/src/services/secret-v2-bridge/secret-v2-bridge-fns.ts
+++ b/backend/src/services/secret-v2-bridge/secret-v2-bridge-fns.ts
@@ -518,7 +518,10 @@ export const expandSecretReferencesFactory = ({
          }

          if (referencedSecretValue) {
-            expandedValue = expandedValue.replaceAll(interpolationSyntax, referencedSecretValue);
+            expandedValue = expandedValue.replaceAll(
+              interpolationSyntax,
+              () => referencedSecretValue // prevents special characters from triggering replacement patterns
+            );
          }
        }
      }
--- a/backend/src/services/secret-v2-bridge/secret-v2-bridge-service.ts
+++ b/backend/src/services/secret-v2-bridge/secret-v2-bridge-service.ts
@@ -150,9 +150,13 @@ export const secretV2BridgeServiceFactory = ({
      }
    });

-    if (referredSecrets.length !== references.length)
+    if (
+      referredSecrets.length !==
+      new Set(references.map(({ secretKey, secretPath, environment }) => `${secretKey}.${secretPath}.${environment}`))
+        .size // only count unique references
+    )
      throw new BadRequestError({
-        message: `Referenced secret not found. Found only ${diff(
+        message: `Referenced secret(s) not found: ${diff(
          references.map((el) => el.secretKey),
          referredSecrets.map((el) => el.key)
        ).join(",")}`
@@ -410,12 +414,13 @@ export const secretV2BridgeServiceFactory = ({
      type: KmsDataKey.SecretManager,
      projectId
    });
-    const encryptedValue = secretValue
-      ? {
-          encryptedValue: secretManagerEncryptor({ plainText: Buffer.from(secretValue) }).cipherTextBlob,
-          references: getAllSecretReferences(secretValue).nestedReferences
-        }
-      : {};
+    const encryptedValue =
+      typeof secretValue === "string"
+        ? {
+            encryptedValue: secretManagerEncryptor({ plainText: Buffer.from(secretValue) }).cipherTextBlob,
+            references: getAllSecretReferences(secretValue).nestedReferences
+          }
+        : {};

    if (secretValue) {
      const { nestedReferences, localReferences } = getAllSecretReferences(secretValue);
@@ -1161,7 +1166,7 @@ export const secretV2BridgeServiceFactory = ({
    const newSecrets = await secretDAL.transaction(async (tx) =>
      fnSecretBulkInsert({
        inputSecrets: inputSecrets.map((el) => {
-          const references = secretReferencesGroupByInputSecretKey[el.secretKey].nestedReferences;
+          const references = secretReferencesGroupByInputSecretKey[el.secretKey]?.nestedReferences;

          return {
            version: 1,
@@ -1368,7 +1373,7 @@ export const secretV2BridgeServiceFactory = ({
            typeof el.secretValue !== "undefined"
              ? {
                  encryptedValue: secretManagerEncryptor({ plainText: Buffer.from(el.secretValue) }).cipherTextBlob,
-                  references: secretReferencesGroupByInputSecretKey[el.secretKey].nestedReferences
+                  references: secretReferencesGroupByInputSecretKey[el.secretKey]?.nestedReferences
                }
              : {};

--- a/backend/src/services/secret-v2-bridge/secret-v2-bridge-types.ts
+++ b/backend/src/services/secret-v2-bridge/secret-v2-bridge-types.ts
@@ -33,6 +33,7 @@ export type TGetSecretsDTO = {
  offset?: number;
  limit?: number;
  search?: string;
+  keys?: string[];
 } & TProjectPermission;

 export type TGetASecretDTO = {
@@ -294,6 +295,7 @@ export type TFindSecretsByFolderIdsFilter = {
  search?: string;
  tagSlugs?: string[];
  includeTagsInSearch?: boolean;
+  keys?: string[];
 };

 export type TGetSecretsRawByFolderMappingsDTO = {
--- a/backend/src/services/secret/secret-types.ts
+++ b/backend/src/services/secret/secret-types.ts
@@ -185,6 +185,7 @@ export type TGetSecretsRawDTO = {
  offset?: number;
  limit?: number;
  search?: string;
+  keys?: string[];
 } & TProjectPermission;

 export type TGetASecretRawDTO = {
--- a/backend/src/services/smtp/smtp-service.ts
+++ b/backend/src/services/smtp/smtp-service.ts
@@ -77,5 +77,21 @@ export const smtpServiceFactory = (cfg: TSmtpConfig) => {
    }
  };

-  return { sendMail };
+  const verify = async () => {
+    const isConnected = smtp
+      .verify()
+      .then(async () => {
+        logger.info("SMTP connected");
+        return true;
+      })
+      .catch((err: Error) => {
+        logger.error("SMTP error");
+        logger.error(err);
+        return false;
+      });
+
+    return isConnected;
+  };
+
+  return { sendMail, verify };
 };
--- a/backend/src/services/totp/totp-config-dal.ts
+++ b/backend/src/services/totp/totp-config-dal.ts
@@ -0,0 +1,11 @@
+import { TDbClient } from "@app/db";
+import { TableName } from "@app/db/schemas";
+import { ormify } from "@app/lib/knex";
+
+export type TTotpConfigDALFactory = ReturnType<typeof totpConfigDALFactory>;
+
+export const totpConfigDALFactory = (db: TDbClient) => {
+  const totpConfigDal = ormify(db, TableName.TotpConfig);
+
+  return totpConfigDal;
+};
--- a/backend/src/services/totp/totp-fns.ts
+++ b/backend/src/services/totp/totp-fns.ts
@@ -0,0 +1,3 @@
+import crypto from "node:crypto";
+
+export const generateRecoveryCode = () => String(crypto.randomInt(10 ** 7, 10 ** 8 - 1));
--- a/backend/src/services/totp/totp-service.ts
+++ b/backend/src/services/totp/totp-service.ts
@@ -0,0 +1,270 @@
+import { authenticator } from "otplib";
+
+import { BadRequestError, ForbiddenRequestError, NotFoundError } from "@app/lib/errors";
+
+import { TKmsServiceFactory } from "../kms/kms-service";
+import { TUserDALFactory } from "../user/user-dal";
+import { TTotpConfigDALFactory } from "./totp-config-dal";
+import { generateRecoveryCode } from "./totp-fns";
+import {
+  TCreateUserTotpRecoveryCodesDTO,
+  TDeleteUserTotpConfigDTO,
+  TGetUserTotpConfigDTO,
+  TRegisterUserTotpDTO,
+  TVerifyUserTotpConfigDTO,
+  TVerifyUserTotpDTO,
+  TVerifyWithUserRecoveryCodeDTO
+} from "./totp-types";
+
+type TTotpServiceFactoryDep = {
+  userDAL: TUserDALFactory;
+  totpConfigDAL: TTotpConfigDALFactory;
+  kmsService: TKmsServiceFactory;
+};
+
+export type TTotpServiceFactory = ReturnType<typeof totpServiceFactory>;
+
+const MAX_RECOVERY_CODE_LIMIT = 10;
+
+export const totpServiceFactory = ({ totpConfigDAL, kmsService, userDAL }: TTotpServiceFactoryDep) => {
+  const getUserTotpConfig = async ({ userId }: TGetUserTotpConfigDTO) => {
+    const totpConfig = await totpConfigDAL.findOne({
+      userId
+    });
+
+    if (!totpConfig) {
+      throw new NotFoundError({
+        message: "TOTP configuration not found"
+      });
+    }
+
+    if (!totpConfig.isVerified) {
+      throw new BadRequestError({
+        message: "TOTP configuration has not been verified"
+      });
+    }
+
+    const decryptWithRoot = kmsService.decryptWithRootKey();
+    const recoveryCodes = decryptWithRoot(totpConfig.encryptedRecoveryCodes).toString().split(",");
+
+    return {
+      isVerified: totpConfig.isVerified,
+      recoveryCodes
+    };
+  };
+
+  const registerUserTotp = async ({ userId }: TRegisterUserTotpDTO) => {
+    const totpConfig = await totpConfigDAL.transaction(async (tx) => {
+      const verifiedTotpConfig = await totpConfigDAL.findOne(
+        {
+          userId,
+          isVerified: true
+        },
+        tx
+      );
+
+      if (verifiedTotpConfig) {
+        throw new BadRequestError({
+          message: "TOTP configuration for user already exists"
+        });
+      }
+
+      const unverifiedTotpConfig = await totpConfigDAL.findOne({
+        userId,
+        isVerified: false
+      });
+
+      if (unverifiedTotpConfig) {
+        return unverifiedTotpConfig;
+      }
+
+      const encryptWithRoot = kmsService.encryptWithRootKey();
+
+      // create new TOTP configuration
+      const secret = authenticator.generateSecret();
+      const encryptedSecret = encryptWithRoot(Buffer.from(secret));
+      const recoveryCodes = Array.from({ length: MAX_RECOVERY_CODE_LIMIT }).map(generateRecoveryCode);
+      const encryptedRecoveryCodes = encryptWithRoot(Buffer.from(recoveryCodes.join(",")));
+      const newTotpConfig = await totpConfigDAL.create({
+        userId,
+        encryptedRecoveryCodes,
+        encryptedSecret
+      });
+
+      return newTotpConfig;
+    });
+
+    const user = await userDAL.findById(userId);
+    const decryptWithRoot = kmsService.decryptWithRootKey();
+
+    const secret = decryptWithRoot(totpConfig.encryptedSecret).toString();
+    const recoveryCodes = decryptWithRoot(totpConfig.encryptedRecoveryCodes).toString().split(",");
+    const otpUrl = authenticator.keyuri(user.username, "Infisical", secret);
+
+    return {
+      otpUrl,
+      recoveryCodes
+    };
+  };
+
+  const verifyUserTotpConfig = async ({ userId, totp }: TVerifyUserTotpConfigDTO) => {
+    const totpConfig = await totpConfigDAL.findOne({
+      userId
+    });
+
+    if (!totpConfig) {
+      throw new NotFoundError({
+        message: "TOTP configuration not found"
+      });
+    }
+
+    if (totpConfig.isVerified) {
+      throw new BadRequestError({
+        message: "TOTP configuration has already been verified"
+      });
+    }
+
+    const decryptWithRoot = kmsService.decryptWithRootKey();
+    const secret = decryptWithRoot(totpConfig.encryptedSecret).toString();
+    const isValid = authenticator.verify({
+      token: totp,
+      secret
+    });
+
+    if (isValid) {
+      await totpConfigDAL.updateById(totpConfig.id, {
+        isVerified: true
+      });
+    } else {
+      throw new BadRequestError({
+        message: "Invalid TOTP token"
+      });
+    }
+  };
+
+  const verifyUserTotp = async ({ userId, totp }: TVerifyUserTotpDTO) => {
+    const totpConfig = await totpConfigDAL.findOne({
+      userId
+    });
+
+    if (!totpConfig) {
+      throw new NotFoundError({
+        message: "TOTP configuration not found"
+      });
+    }
+
+    if (!totpConfig.isVerified) {
+      throw new BadRequestError({
+        message: "TOTP configuration has not been verified"
+      });
+    }
+
+    const decryptWithRoot = kmsService.decryptWithRootKey();
+    const secret = decryptWithRoot(totpConfig.encryptedSecret).toString();
+    const isValid = authenticator.verify({
+      token: totp,
+      secret
+    });
+
+    if (!isValid) {
+      throw new ForbiddenRequestError({
+        message: "Invalid TOTP"
+      });
+    }
+  };
+
+  const verifyWithUserRecoveryCode = async ({ userId, recoveryCode }: TVerifyWithUserRecoveryCodeDTO) => {
+    const totpConfig = await totpConfigDAL.findOne({
+      userId
+    });
+
+    if (!totpConfig) {
+      throw new NotFoundError({
+        message: "TOTP configuration not found"
+      });
+    }
+
+    if (!totpConfig.isVerified) {
+      throw new BadRequestError({
+        message: "TOTP configuration has not been verified"
+      });
+    }
+
+    const decryptWithRoot = kmsService.decryptWithRootKey();
+    const encryptWithRoot = kmsService.encryptWithRootKey();
+
+    const recoveryCodes = decryptWithRoot(totpConfig.encryptedRecoveryCodes).toString().split(",");
+    const matchingCode = recoveryCodes.find((code) => recoveryCode === code);
+    if (!matchingCode) {
+      throw new ForbiddenRequestError({
+        message: "Invalid TOTP recovery code"
+      });
+    }
+
+    const updatedRecoveryCodes = recoveryCodes.filter((code) => code !== matchingCode);
+    const encryptedRecoveryCodes = encryptWithRoot(Buffer.from(updatedRecoveryCodes.join(",")));
+    await totpConfigDAL.updateById(totpConfig.id, {
+      encryptedRecoveryCodes
+    });
+  };
+
+  const deleteUserTotpConfig = async ({ userId }: TDeleteUserTotpConfigDTO) => {
+    const totpConfig = await totpConfigDAL.findOne({
+      userId
+    });
+
+    if (!totpConfig) {
+      throw new NotFoundError({
+        message: "TOTP configuration not found"
+      });
+    }
+
+    await totpConfigDAL.deleteById(totpConfig.id);
+  };
+
+  const createUserTotpRecoveryCodes = async ({ userId }: TCreateUserTotpRecoveryCodesDTO) => {
+    const decryptWithRoot = kmsService.decryptWithRootKey();
+    const encryptWithRoot = kmsService.encryptWithRootKey();
+
+    return totpConfigDAL.transaction(async (tx) => {
+      const totpConfig = await totpConfigDAL.findOne(
+        {
+          userId,
+          isVerified: true
+        },
+        tx
+      );
+
+      if (!totpConfig) {
+        throw new NotFoundError({
+          message: "Valid TOTP configuration not found"
+        });
+      }
+
+      const recoveryCodes = decryptWithRoot(totpConfig.encryptedRecoveryCodes).toString().split(",");
+      if (recoveryCodes.length >= MAX_RECOVERY_CODE_LIMIT) {
+        throw new BadRequestError({
+          message: `Cannot have more than ${MAX_RECOVERY_CODE_LIMIT} recovery codes at a time`
+        });
+      }
+
+      const toGenerateCount = MAX_RECOVERY_CODE_LIMIT - recoveryCodes.length;
+      const newRecoveryCodes = Array.from({ length: toGenerateCount }).map(generateRecoveryCode);
+      const encryptedRecoveryCodes = encryptWithRoot(Buffer.from([...recoveryCodes, ...newRecoveryCodes].join(",")));
+
+      await totpConfigDAL.updateById(totpConfig.id, {
+        encryptedRecoveryCodes
+      });
+    });
+  };
+
+  return {
+    registerUserTotp,
+    verifyUserTotpConfig,
+    getUserTotpConfig,
+    verifyUserTotp,
+    verifyWithUserRecoveryCode,
+    deleteUserTotpConfig,
+    createUserTotpRecoveryCodes
+  };
+};
--- a/backend/src/services/totp/totp-types.ts
+++ b/backend/src/services/totp/totp-types.ts
@@ -0,0 +1,30 @@
+export type TRegisterUserTotpDTO = {
+  userId: string;
+};
+
+export type TVerifyUserTotpConfigDTO = {
+  userId: string;
+  totp: string;
+};
+
+export type TGetUserTotpConfigDTO = {
+  userId: string;
+};
+
+export type TVerifyUserTotpDTO = {
+  userId: string;
+  totp: string;
+};
+
+export type TVerifyWithUserRecoveryCodeDTO = {
+  userId: string;
+  recoveryCode: string;
+};
+
+export type TDeleteUserTotpConfigDTO = {
+  userId: string;
+};
+
+export type TCreateUserTotpRecoveryCodesDTO = {
+  userId: string;
+};
--- a/backend/src/services/user/user-service.ts
+++ b/backend/src/services/user/user-service.ts
@@ -15,7 +15,7 @@ import { AuthMethod } from "../auth/auth-type";
 import { TGroupProjectDALFactory } from "../group-project/group-project-dal";
 import { TProjectMembershipDALFactory } from "../project-membership/project-membership-dal";
 import { TUserDALFactory } from "./user-dal";
-import { TListUserGroupsDTO } from "./user-types";
+import { TListUserGroupsDTO, TUpdateUserMfaDTO } from "./user-types";

 type TUserServiceFactoryDep = {
  userDAL: Pick<
@@ -171,15 +171,24 @@ export const userServiceFactory = ({
    });
  };

-  const toggleUserMfa = async (userId: string, isMfaEnabled: boolean) => {
+  const updateUserMfa = async ({ userId, isMfaEnabled, selectedMfaMethod }: TUpdateUserMfaDTO) => {
    const user = await userDAL.findById(userId);

    if (!user || !user.email) throw new BadRequestError({ name: "Failed to toggle MFA" });

+    let mfaMethods;
+    if (isMfaEnabled === undefined) {
+      mfaMethods = undefined;
+    } else {
+      mfaMethods = isMfaEnabled ? ["email"] : [];
+    }
+
    const updatedUser = await userDAL.updateById(userId, {
      isMfaEnabled,
-      mfaMethods: isMfaEnabled ? ["email"] : []
+      mfaMethods,
+      selectedMfaMethod
    });
+
    return updatedUser;
  };

@@ -327,7 +336,7 @@ export const userServiceFactory = ({
  return {
    sendEmailVerificationCode,
    verifyEmailVerificationCode,
-    toggleUserMfa,
+    updateUserMfa,
    updateUserName,
    updateAuthMethods,
    deleteUser,
--- a/backend/src/services/user/user-types.ts
+++ b/backend/src/services/user/user-types.ts
@@ -1,5 +1,7 @@
 import { TOrgPermission } from "@app/lib/types";

+import { MfaMethod } from "../auth/auth-type";
+
 export type TListUserGroupsDTO = {
  username: string;
 } & Omit<TOrgPermission, "orgId">;
@@ -8,3 +10,9 @@ export enum UserEncryption {
  V1 = 1,
  V2 = 2
 }
+
+export type TUpdateUserMfaDTO = {
+  userId: string;
+  isMfaEnabled?: boolean;
+  selectedMfaMethod?: MfaMethod;
+};
--- a/cli/packages/api/model.go
+++ b/cli/packages/api/model.go
@@ -138,6 +138,7 @@ type GetOrganizationsResponse struct {
 type SelectOrganizationResponse struct {
 	Token      string `json:"token"`
 	MfaEnabled bool   `json:"isMfaEnabled"`
+	MfaMethod  string `json:"mfaMethod"`
 }

 type SelectOrganizationRequest struct {
@@ -260,8 +261,9 @@ type GetLoginTwoV2Response struct {
 }

 type VerifyMfaTokenRequest struct {
-	Email    string `json:"email"`
-	MFAToken string `json:"mfaToken"`
+	Email     string `json:"email"`
+	MFAToken  string `json:"mfaToken"`
+	MFAMethod string `json:"mfaMethod"`
 }

 type VerifyMfaTokenResponse struct {
--- a/cli/packages/cmd/init.go
+++ b/cli/packages/cmd/init.go
@@ -79,13 +79,14 @@ var initCmd = &cobra.Command{
 		if tokenResponse.MfaEnabled {
 			i := 1
 			for i < 6 {
-				mfaVerifyCode := askForMFACode()
-	
+				mfaVerifyCode := askForMFACode(tokenResponse.MfaMethod)
+
 				httpClient := resty.New()
 				httpClient.SetAuthToken(tokenResponse.Token)
 				verifyMFAresponse, mfaErrorResponse, requestError := api.CallVerifyMfaToken(httpClient, api.VerifyMfaTokenRequest{
-					Email:    userCreds.UserCredentials.Email,
-					MFAToken: mfaVerifyCode,
+					Email:     userCreds.UserCredentials.Email,
+					MFAToken:  mfaVerifyCode,
+					MFAMethod: tokenResponse.MfaMethod,
 				})
 				if requestError != nil {
 					util.HandleError(err)
@@ -99,7 +100,7 @@ var initCmd = &cobra.Command{
 							break
 						}
 					}
-	
+
 					if mfaErrorResponse.Context.Code == "mfa_expired" {
 						util.PrintErrorMessageAndExit("Your 2FA verification code has expired, please try logging in again")
 						break
--- a/cli/packages/cmd/login.go
+++ b/cli/packages/cmd/login.go
@@ -343,7 +343,7 @@ func cliDefaultLogin(userCredentialsToBeStored *models.UserCredentials) {
 	if loginTwoResponse.MfaEnabled {
 		i := 1
 		for i < 6 {
-			mfaVerifyCode := askForMFACode()
+			mfaVerifyCode := askForMFACode("email")

 			httpClient := resty.New()
 			httpClient.SetAuthToken(loginTwoResponse.Token)
@@ -532,7 +532,7 @@ func askForDomain() error {
 	const (
 		INFISICAL_CLOUD_US = "Infisical Cloud (US Region)"
 		INFISICAL_CLOUD_EU = "Infisical Cloud (EU Region)"
-		SELF_HOSTING       = "Self-Hosting"
+		SELF_HOSTING       = "Self-Hosting or Dedicated Instance"
 		ADD_NEW_DOMAIN     = "Add a new domain"
 	)

@@ -756,13 +756,14 @@ func GetJwtTokenWithOrganizationId(oldJwtToken string, email string) string {
 	if selectedOrgRes.MfaEnabled {
 		i := 1
 		for i < 6 {
-			mfaVerifyCode := askForMFACode()
+			mfaVerifyCode := askForMFACode(selectedOrgRes.MfaMethod)

 			httpClient := resty.New()
 			httpClient.SetAuthToken(selectedOrgRes.Token)
 			verifyMFAresponse, mfaErrorResponse, requestError := api.CallVerifyMfaToken(httpClient, api.VerifyMfaTokenRequest{
-				Email:    email,
-				MFAToken: mfaVerifyCode,
+				Email:     email,
+				MFAToken:  mfaVerifyCode,
+				MFAMethod: selectedOrgRes.MfaMethod,
 			})
 			if requestError != nil {
 				util.HandleError(err)
@@ -817,9 +818,15 @@ func generateFromPassword(password string, salt []byte, p *params) (hash []byte,
 	return hash, nil
 }

-func askForMFACode() string {
+func askForMFACode(mfaMethod string) string {
+	var label string
+	if mfaMethod == "totp" {
+		label = "Enter the verification code from your mobile authenticator app or use a recovery code"
+	} else {
+		label = "Enter the 2FA verification code sent to your email"
+	}
 	mfaCodePromptUI := promptui.Prompt{
-		Label: "Enter the 2FA verification code sent to your email",
+		Label: label,
 	}

 	mfaVerifyCode, err := mfaCodePromptUI.Run()
--- a/company/handbook/compensation.mdx
+++ b/company/handbook/compensation.mdx
@@ -0,0 +1,28 @@
+---
+title: "Compensation"
+sidebarTitle: "Compensation"
+description: "This guide explains how various compensation processes work at Infisical."
+---
+
+## Probation period
+
+We are fully committed to ensuring that you are set up for success, but also understand that it may take some time to determine whether or not there is a long term fit between you and Infisical.
+
+The first 3 months of your employment with Infisical is a probation period. During this time, you can choose to end your contract with 1 week's notice. If we chose to end your contract, Infisical will pay you 4 weeks' pay, but usually ask you to finish on the same day.
+
+People in sales roles, such as Account Executives, have a 6 month probation period - this is to account for the fact that it can be difficult to establish whether or not someone is able to close contracts within their first 3 months, given sales cycles.
+
+Your manager is responsible for monitoring and specifically reviewing your performance throughout this initial period. If under-performance is a concern, or if there is any hesitation regarding the future at Infisical, this should be discussed immediately with you and your manager.
+
+
+## Severance
+
+At Infisical, average performance gets a generous severance.
+
+If Infisical decides to end your contract after the first 3 months of employment have been completed, we will give you 10 weeks' pay. It is likely we will ask you to stop working immediately.
+
+If the decision to leave is yours, then we just require 1 month of notice.
+
+We have structured notice in this way as we believe it is in neither Infisical's nor your interest to lock you into a role that is no longer right for you due to financial considerations. This extended notice period only applies in the case of under-performance or a change in business needs - if your contract is terminated due to gross misconduct then you may be dismissed without notice. If this policy conflicts with the requirements of your local jurisdiction, then those local laws will take priority.
+
+
--- a/company/mint.json
+++ b/company/mint.json
@@ -58,6 +58,7 @@
      "pages": [
        "handbook/onboarding", 
        "handbook/spending-money",
+        "handbook/compensation",
        "handbook/time-off",
        "handbook/hiring",
        "handbook/meetings",
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -69,4 +69,4 @@ volumes:
    driver: local

 networks:
-  infisical:
+  infisical:
--- a/docs/cli/overview.mdx
+++ b/docs/cli/overview.mdx
@@ -9,7 +9,7 @@ You can use it across various environments, whether it's local development, CI/C
 ## Installation

 <Tabs>
-   <Tab title="MacOS">
+  <Tab title="MacOS">
  	Use [brew](https://brew.sh/) package manager

    	```bash
@@ -21,9 +21,8 @@ You can use it across various environments, whether it's local development, CI/C
    	```bash
    	brew update && brew upgrade infisical
    	```
-
-   </Tab>
-   <Tab title="Windows">
+  </Tab>
+  <Tab title="Windows">
      Use [Scoop](https://scoop.sh/) package manager

    		```bash
@@ -40,7 +39,20 @@ You can use it across various environments, whether it's local development, CI/C
    		scoop update infisical
    		```

-   </Tab>
+  </Tab>
+  <Tab title="NPM">
+      Use [NPM](https://www.npmjs.com/) package manager
+
+    	```bash
+      npm install -g @infisical/cli
+    	```
+
+    	### Updates
+
+    	```bash
+    	npm update -g @infisical/cli
+    	```
+  </Tab>
 	 <Tab title="Alpine">
 	 Install prerequisite
 		```bash
--- a/docs/documentation/platform/mfa.mdx
+++ b/docs/documentation/platform/mfa.mdx
@@ -4,19 +4,18 @@ sidebarTitle: "MFA"
 description: "Learn how to secure your Infisical account with MFA."
 ---

-MFA requires users to provide multiple forms of identification to access their account. Currently, this means logging in with your password and a 6-digit code sent to your email.
+MFA requires users to provide multiple forms of identification to access their account.

 ## Email 2FA

-Check the box in Personal Settings > Two-factor Authentication to enable email-based 2FA.
+If 2-factor authentication is enabled in the Personal settings page, email will be used for MFA by default.

-![Email-based MFA](../../images/mfa-email.png)
+![Email-based MFA](/images/mfa-email.png)

-<Note>
-  Infisical currently supports email-based 2FA. We're actively working on
-  building support for other forms of identification via SMS and Authenticator
-  App.
-</Note>
+## Mobile Authenticator 2FA
+
+You can use any mobile authenticator app (Authy, Google Authenticator, Duo, etc.) to secure your account. After registration with an authenticator, select **Mobile Authenticator** as your 2FA method.
+![Authenticator-based MFA](/images/mfa-authenticator.png)

 ## Entra ID / Azure AD MFA

@@ -25,32 +24,39 @@ Check the box in Personal Settings > Two-factor Authentication to enable email-b

    We also encourage you to have your team download and setup the
    [Microsoft Authenticator App](https://www.microsoft.com/en-us/security/mobile-authenticator-app) prior to enabling MFA.
+
 </Note>

 <Steps>
-    <Step title="Open your Infisical Application in the Microsoft Entra Admin Center">
-        ![Entra Infisical app](../../images/platform/mfa/entra/mfa_entra_infisical_app.png)
-    </Step>
-    <Step title="Tap on Conditional Access under the Security Tab">
-        ![conditional access](../../images/platform/mfa/entra/mfa_entra_conditional_access.png)
-    </Step>
-    <Step title="Tap on Create New Policy from Templates">
-        ![create policy](../../images/platform/mfa/entra/mfa_entra_create_policy.png)
-    </Step>
-    <Step title="Select Require MFA for All Users and Tap on Review + Create">
-        ![require MFA and review policy](../../images/platform/mfa/entra/mfa_entra_review_policy.png)
-        <Note>
-            By default all users except the configuring admin will be setup to require MFA.
-            Microsoft encourages keeping at least one admin excluded from MFA to prevent accidental lockout.
-        </Note>
-    </Step>
-    <Step title="Set Policy State to Enabled and Tap on Create">
-        ![enable policy and confirm](../../images/platform/mfa/entra/mfa_entra_confirm_policy.png)
-    </Step>
-    <Step title="MFA is now Required When Accessing Infisical">
-        ![mfa login](../../images/platform/mfa/entra/mfa_entra_login.png)
-        <Note>
-            If users have not setup MFA for Entra / Azure they will be prompted to do so at this time.
-        </Note>
-    </Step>
-</Steps>
+  <Step title="Open your Infisical Application in the Microsoft Entra Admin Center">
+    ![Entra Infisical
+    app](/images/platform/mfa/entra/mfa_entra_infisical_app.png)
+  </Step>
+  <Step title="Tap on Conditional Access under the Security Tab">
+    ![conditional
+    access](/images/platform/mfa/entra/mfa_entra_conditional_access.png)
+  </Step>
+  <Step title="Tap on Create New Policy from Templates">
+    ![create policy](/images/platform/mfa/entra/mfa_entra_create_policy.png)
+  </Step>
+  <Step title="Select Require MFA for All Users and Tap on Review + Create">
+    ![require MFA and review
+    policy](/images/platform/mfa/entra/mfa_entra_review_policy.png)
+    <Note>
+      By default all users except the configuring admin will be setup to require
+      MFA. Microsoft encourages keeping at least one admin excluded from MFA to
+      prevent accidental lockout.
+    </Note>
+  </Step>
+  <Step title="Set Policy State to Enabled and Tap on Create">
+    ![enable policy and
+    confirm](/images/platform/mfa/entra/mfa_entra_confirm_policy.png)
+  </Step>
+  <Step title="MFA is now Required When Accessing Infisical">
+    ![mfa login](/images/platform/mfa/entra/mfa_entra_login.png)
+    <Note>
+      If users have not setup MFA for Entra / Azure they will be prompted to do
+      so at this time.
+    </Note>
+  </Step>
+</Steps>
--- a/docs/images/mfa-authenticator.png
+++ b/docs/images/mfa-authenticator.png
--- a/docs/images/mfa-email.png
+++ b/docs/images/mfa-email.png
--- a/docs/mint.json
+++ b/docs/mint.json
@@ -293,7 +293,10 @@
        },
        {
          "group": "Reference architectures",
-          "pages": ["self-hosting/reference-architectures/aws-ecs"]
+          "pages": [
+            "self-hosting/reference-architectures/aws-ecs",
+            "self-hosting/reference-architectures/linux-deployment-ha"
+          ]
        },
        "self-hosting/ee",
        "self-hosting/faq"
--- a/docs/self-hosting/deployment-options/kubernetes-helm.mdx
+++ b/docs/self-hosting/deployment-options/kubernetes-helm.mdx
@@ -79,7 +79,7 @@ description: "Learn how to use Helm chart to install Infisical on your Kubernete
  </Step>

  <Step title="Database schema migration ">
-    Infisical relies a relational database, which means that database schemas need to be migrated before the instance can become operational. 
+    Infisical relies on a relational database, which means that database schemas need to be migrated before the instance can become operational. 
    
    To automate this process, the chart includes a option named `infisical.autoDatabaseSchemaMigration`.
    When this option is enabled, a deployment/upgrade will only occur _after_ a successful schema migration.
--- a/docs/self-hosting/deployment-options/native/high-availability.mdx
+++ b/docs/self-hosting/deployment-options/native/high-availability.mdx
@@ -1,520 +0,0 @@
---
-title: "Automatically deploy Infisical with High Availability"
-sidebarTitle: "High Availability"
---
-
-
-# Self-Hosting Infisical with a native High Availability (HA) deployment
-
-This page describes the Infisical architecture designed to provide high availability (HA) and how to deploy Infisical with high availability. The high availability deployment is designed to ensure that Infisical services are always available and can handle service failures gracefully, without causing service disruptions.
-
-<Info>
-  This deployment option is currently only available for Debian-based nodes (e.g., Ubuntu, Debian).
-  We plan on adding support for other operating systems in the future.
-</Info>
-
-## High availability architecture
-| Service                          | Nodes          | Configuration                | GCP           | AWS          |
-|----------------------------------|----------------|------------------------------|---------------|--------------|
-| External load balancer$^1$       | 1              | 4 vCPU, 3.6 GB memory        | n1-highcpu-4  | c5n.xlarge   |
-| Internal load balancer$^2$       | 1              | 4 vCPU, 3.6 GB memory        | n1-highcpu-4  | c5n.xlarge   |
-| Etcd cluster$^3$                 | 3              | 4 vCPU, 3.6 GB memory        | n1-highcpu-4  | c5n.xlarge   |
-| PostgreSQL$^4$                   | 3              | 2 vCPU, 7.5 GB memory        | n1-standard-2 | m5.large     |
-| Sentinel$^4$                     | 3              | 2 vCPU, 7.5 GB memory        | n1-standard-2 | m5.large     |
-| Redis$^4$                        | 3              | 2 vCPU, 7.5 GB memory        | n1-standard-2 | m5.large     |
-| Infisical Core                   | 3              | 8 vCPU, 7.2 GB memory        | n1-highcpu-8  | c5.2xlarge   |
-
-**Footnotes:**
-1. External load balancer: If you wish to have multiple instances of the internal load balancer, you will need to use an external load balancer to distribute incoming traffic across multiple internal load balancers.
-   Using multiple internal load balancers is recommended for high-traffic environments. In the following guide we will use a single internal load balancer, as external load balancing falls outside the scope of this guide.
-2. Internal load balancer: The internal load balancer (a HAProxy instance) is used to distribute incoming traffic across multiple Infisical Core instances, Postgres nodes, and Redis nodes. The internal load balancer exposes a set of ports _(80 for Infiscial, 5000 for Read/Write postgres, 5001 for Read-only postgres, and 6379 for Redis)_. Where these ports route to is determained by the internal load balancer based on the availability and health of the service nodes.
-   The internal load balancer is only accessible from within the same network, and is not exposed to the public internet.
-3. Etcd cluster: Etcd is a distributed key-value store used to store and distribute data between the PostgreSQL nodes. Etcd is dependent on high disk I/O performance, therefore it is highly recommended to use highly performant SSD disks for the Etcd nodes, with _at least_ 80GB of disk space.
-4. The Redis and PostgreSQL nodes will automatically be configured for high availability and used in your Infisical Core instances. However, you can optionally choose to bring your own database (BYOD), and skip these nodes. See more on how to [provide your own databases](#provide-your-own-databases).
-
-<Info>
- For all services that require multiple nodes, it is recommended to deploy them across multiple availability zones (AZs) to ensure high availability and fault tolerance. This will help prevent service disruptions in the event of an AZ failure.
-</Info>
-
-![High availability stack](../../images/self-hosting/deployment-options/native/ha-stack.png)
-The image above shows how a high availability deployment of Infisical is structured. In this example, an external load balancer is used to distribute incoming traffic across multiple internal load balancers. The internal load balancers. The external load balancer isn't required, and it will require additional configuration to set up.
-
-###  Fault Tolerance
-This setup provides N+1 redundancy, meaning it can tolerate the failure of any single node without service interruption.
-
-## Ansible
-### What is Ansible
-Ansible is an open-source automation tool that simplifies application deployment, configuration management, and task automation.
-At Infisical, we use Ansible to automate the deployment of Infisical services. The Ansible roles are designed to make it easy to deploy Infisical services in a high availability environment.
-
-### Installing Ansible
-<Steps>
-  <Step title="Install using the pipx Python package manager">
-    ```bash
-      pipx install --include-deps ansible
-    ```
-  </Step>
-  <Step title="Verify the installation">
-    ```bash
-      ansible --version
-    ```
-  </Step>
-</Steps>
-
-
-### Understanding Ansible Concepts
-
-* Inventory _(inventory.ini)_: A file that lists your target hosts.
-* Playbook _(playbook.yml)_: YAML file containing a set of tasks to be executed on hosts.
-* Roles: Reusable units of organization for playbooks. Roles are used to group tasks together in a structured and reusable manner.
-
-
-### Basic Ansible Commands
-Running a playbook with with an invetory file:
-```bash
-  ansible-playbook -i inventory.ini playbook.yml
-```
-
-This is how you would run the playbook containing the roles for setting up Infisical in a high availability environment.
-
-### Installing the Infisical High Availability Deployment Ansible Role
-The Infisical Ansible role is available on Ansible Galaxy. You can install the role by running the following command:
-```bash
-  ansible-galaxy collection install infisical.infisical_core_ha_deployment
-```
-
-
-## Set up components
-1. External load balancer (optional, and not covered in this guide)
-2. [Configure Etcd cluster](#configure-etcd-cluster)
-3. [Configure PostgreSQL database](#configure-postgresql-database)
-4. [Configure Redis/Sentinel](#configure-redis-and-sentinel)
-5. [Configure Infisical Core](#configure-infisical-core)
-
-
-The servers start on the same 52.1.0.0/24 private network range, and can connect to each other freely on these addresses.
-
-The following list includes descriptions of each server and its assigned IP:
-
-52.1.0.1:   External Load Balancer
-52.1.0.2:   Internal Load Balancer
-52.1.0.3:   Etcd 1
-52.1.0.4:   Etcd 2
-52.1.0.5:   Etcd 3
-52.1.0.6:   PostgreSQL 1
-52.1.0.7:   PostgreSQL 2
-52.1.0.8:   PostgreSQL 3
-52.1.0.9:   Redis 1
-52.1.0.10:  Redis 2
-52.1.0.11:  Redis 3
-52.1.0.12:  Sentinel 1
-52.1.0.13:  Sentinel 2
-52.1.0.14:  Sentinel 3
-52.1.0.15: Infisical Core 1
-52.1.0.16: Infisical Core 2
-52.1.0.17: Infisical Core 3
-
-
-
-### Configure Etcd cluster
-
-Configuring the ETCD cluster is the first step in setting up a high availability deployment of Infisical.
-The ETCD cluster is used to store and distribute data between the PostgreSQL nodes. The ETCD cluster is a distributed key-value store that is highly available and fault-tolerant.
-
-```yaml example.playbook.yml
-  - hosts: all
-    gather_facts: true
-
-  - name: Set up etcd cluster
-    hosts: etcd
-    become: true
-    collections:
-      - infisical.infisical_core_ha_deployment
-    roles:
-      - role: etcd
-```
-
-```ini example.inventory.ini
-  [etcd]
-  etcd1 ansible_host=52.1.0.3
-  etcd2 ansible_host=52.1.0.4
-  etcd3 ansible_host=52.1.0.5
-
-  [etcd:vars]
-  ansible_user=ubuntu
-  ansible_ssh_private_key_file=./ssh-key.pem
-  ansible_ssh_common_args='-o StrictHostKeyChecking=no'
-```
-
-### Configure PostgreSQL database
-
-The Postgres role takes a set of parameters that are used to configure your PostgreSQL database.
-
-Make sure to set the following variables in your playbook.yml file:
- `postgres_super_user_password`: The password for the 'postgres' database user.
- `postgres_db_name`: The name of the database that will be created on the leader node and replicated to the secondary nodes.
- `postgres_user`: The name of the user that will be created on the leader node and replicated to the secondary nodes.
- `postgres_user_password`: The password for the user that will be created on the leader node and replicated to the secondary nodes.
- `etcd_hosts`: The list of etcd hosts that the PostgreSQL nodes will use to communicate with etcd. By default you want to keep this value set to `"{{ groups['etcd'] }}"`
-
-```yaml example.playbook.yml
-  - hosts: all
-    gather_facts: true
-
-  - name: Set up PostgreSQL with Patroni
-    hosts: postgres
-    become: true
-    collections:
-      - infisical.infisical_core_ha_deployment
-    roles:
-      - role: postgres
-        vars:
-          postgres_super_user_password: "your-super-user-password"
-          postgres_user: infisical-user
-          postgres_user_password: "your-password"
-          postgres_db_name: infisical-db
-
-          etcd_hosts: "{{ groups['etcd'] }}"
-```
-
-```ini example.inventory.ini
-  [postgres]
-  postgres1 ansible_host=52.1.0.6
-  postgres2 ansible_host=52.1.0.7
-  postgres3 ansible_host=52.1.0.8
-```
-
-### Configure Redis and Sentinel
-
-The Redis role takes a single variable as input, which is the redis password.
-The Sentinel and Redis hosts will run the same role, therefore we are running the task for both the sentinel and redis hosts, `hosts: redis:sentinel`.
-
- `redis_password`: The password that will be set for the Redis instance.
-  
-```yaml example.playbook.yml
-    - hosts: all
-      gather_facts: true
-  
-    - name: Setup Redis and Sentinel
-      hosts: redis:sentinel
-      become: true
-      collections:
-        - infisical.infisical_core_ha_deployment
-      roles:
-        - role: redis
-          vars:
-            redis_password: "REDIS_PASSWORD"
-```
-
-```ini example.inventory.ini
-    [redis]
-    redis1 ansible_host=52.1.0.9
-    redis2 ansible_host=52.1.0.10
-    redis3 ansible_host=52.1.0.11
-
-    [sentinel]
-    sentinel1 ansible_host=52.1.0.12
-    sentinel2 ansible_host=52.1.0.13
-    sentinel3 ansible_host=52.1.0.14
-```
-
-### Configure Internal Load Balancer
-
-The internal load balancer used is HAProxy. HAProxy will expose a set of ports as listed below. Each port will route to a different service based on the availability and health of the service nodes.
-
- Port 80: Infisical Core
- Port 5000: Read/Write PostgreSQL
- Port 5001: Read-only PostgreSQL
- Port 6379: Redis
- Port 7000: HAProxy monitoring
-These ports will need to be exposed on your network to become accessible from the outside world.
-
-The HAProxy configuration file is generated by the Infisical Core role, and is located at `/etc/haproxy/haproxy.cfg` on your internal load balancer node.
-
-The HAProxy setup comes with a monitoring panel. You have to set the username/password combination for the monitoring panel by setting the `stats_user` and `stats_password` variables in the HAProxy role.
-
-
-Once the HAProxy role has fully executed, you can monitor your HA setup by navigating to `http://52.1.0.2:7000/haproxy?stats` in your browser.
-
-```ini example.inventory.ini
-[haproxy]
-internal_lb ansible_host=52.1.0.2
-```
-
-```yaml example.playbook.yml
- name: Set up HAProxy
-  hosts: haproxy
-  become: true
-  collections:
-    - infisical.infisical_core_ha_deployment
-  roles:
-    - role: haproxy
-      vars:
-        stats_user: "stats-username"
-        stats_password: "stats-password!"
-
-        postgres_servers: "{{ groups['postgres'] }}"
-        infisical_servers: "{{ groups['infisical'] }}"
-        redis_servers: "{{ groups['redis'] }}"
-```
-
-
-
-### Configure Infisical Core
-
-The Infisical Core role will set up your actual Infisical instances.
-
-The `env_vars` variable is used to set the environment variables that Infisical will use. The minimum required environment variables are `ENCRYPTION_KEY` and `AUTH_SECRET`. You can find a list of all available environment variables [here](/docs/self-hosting/configuration/envars#general-platform).
-The `DB_CONNECTION_URI` and `REDIS_URL` variables will automatically be set if you're running the full playbook. However, you can choose to set them yourself, and skip the Postgres, etcd, redis/sentinel roles entirely.
-
-<Info>
- If you later need to add new environment varibles to your Infisical deployments, it's important you add the variables to **all** your Infisical nodes.<br/>
- You can find the environment file for Infisical at `/etc/infisical/environment`.<br/>
- After editing the environment file, you need to reload the Infisical service by doing `systemctl restart infisical`.
-</Info>
-
-```yaml example.playbook.yml
-  - hosts: all
-    gather_facts: true
-
-  - name: Setup Infisical
-    hosts: infisical
-    become: true
-    collections:
-      - infisical.infisical_core_ha_deployment
-    roles:
-      - role: infisical
-        env_vars:
-          ENCRYPTION_KEY: "YOUR_ENCRYPTION_KEY" # openssl rand -hex 16
-          AUTH_SECRET: "YOUR_AUTH_SECRET" # openssl rand -base64 32
-```
-
-```ini example.inventory.ini
-  [infisical]
-  infisical1 ansible_host=52.1.0.15
-  infisical2 ansible_host=52.1.0.16
-  infisical3 ansible_host=52.1.0.17
-```
-
-## Provide your own databases
-Bringing your own database is an option using the Infisical Core deployment role.
-By bringing your own database, you're able to skip the Etcd, Postgres, and Redis/Sentinel roles entirely.
-
-To bring your own database, you need to set the `DB_CONNECTION_URI` and `REDIS_URL` environment variables in the Infisical Core role.
-
-```yaml example.playbook.yml
-  - hosts: all
-    gather_facts: true
-
-  - name: Setup Infisical
-    hosts: infisical
-    become: true
-    collections:
-      - infisical.infisical_core_ha_deployment
-    roles:
-      - role: infisical
-        env_vars:
-          ENCRYPTION_KEY: "YOUR_ENCRYPTION_KEY" # openssl rand -hex 16
-          AUTH_SECRET: "YOUR_AUTH_SECRET" # openssl rand -base64 32
-          DB_CONNECTION_URI: "postgres://user:password@localhost:5432/infisical"
-          REDIS_URL: "redis://localhost:6379"
-```
-
-```ini example.inventory.ini
-  [infisical]
-  infisical1 ansible_host=52.1.0.15
-  infisical2 ansible_host=52.1.0.16
-  infisical3 ansible_host=52.1.0.17
-```
-
-## Full deployment example
-To make it easier to get started, we've provided a full deployment example that you can use to deploy Infisical in a high availability environment.
-
- This deployment does not use an external load balancer.
- You **must** change the environment variables defined in the `playbook.yml` example.
- You have update the IP addresses in the `inventory.ini` file to match your own network configuration.
- You need to set the SSH key and ssh user in the `inventory.ini` file.
-
-<Steps>
-  <Step title="Install Ansible">
-    Install Ansible using the pipx Python package manager.
-  ```bash
-    pipx install --include-deps ansible
-  ```
-
-  </Step>
-  <Step title="Install the Infisical deployment Ansible Role">
-    Install the Infisical deployment role from Ansible Galaxy.
-  ```bash
-    ansible-galaxy collection install infisical.infisical_core_ha_deployment
-  ```
-  </Step>
-  <Step title="Setup your hosts">
-
-    Create an `inventory.ini` file, and define your hosts and their IP addresses. You can use the example below as a template, and update the IP addresses to match your own network configuration.
-    Make sure to set the SSH key and ssh user in the `inventory.ini` file. Please see the example below.
-
-    ```ini example.inventory.ini
-      [etcd]
-      etcd1 ansible_host=52.1.0.3
-      etcd2 ansible_host=52.1.0.4
-      etcd3 ansible_host=52.1.0.5
-
-      [postgres]
-      postgres1 ansible_host=52.1.0.6
-      postgres2 ansible_host=52.1.0.7
-      postgres3 ansible_host=52.1.0.8
-
-      [infisical]
-      infisical1 ansible_host=52.1.0.15
-      infisical2 ansible_host=52.1.0.16
-      infisical3 ansible_host=52.1.0.17
-
-      [redis]
-      redis1 ansible_host=52.1.0.9
-      redis2 ansible_host=52.1.0.10
-      redis3 ansible_host=52.1.0.11
-
-      [sentinel]
-      sentinel1 ansible_host=52.1.0.12
-      sentinel2 ansible_host=52.1.0.13
-      sentinel3 ansible_host=52.1.0.14
-
-      [haproxy]
-      internal_lb ansible_host=52.1.0.2
-
-      ; This can be defined individually for each host, or globally for all hosts.
-      ; In this case the credentials are the same for all hosts, so we define them globally as seen below ([all:vars]).
-      [all:vars]
-      ansible_user=ubuntu
-      ansible_ssh_private_key_file=./your-ssh-key.pem
-      ansible_ssh_common_args='-o StrictHostKeyChecking=no'
-    ```
-  </Step>
-  <Step title="Setup your Ansible playbook">
-    The Ansible playbook is where you define which roles/tasks to execute on which hosts.
-
-    ```yaml example.playbook.yml
-      ---
-      # Important, we must gather facts from all hosts prior to running the roles to ensure we have all the information we need.
-      - hosts: all
-        gather_facts: true
-
-      - name: Set up etcd cluster
-        hosts: etcd
-        become: true
-        collections:
-          - infisical.infisical_core_ha_deployment
-        roles:
-          - role: etcd
-
-      - name: Set up PostgreSQL with Patroni
-        hosts: postgres
-        become: true
-        collections:
-          - infisical.infisical_core_ha_deployment
-        roles:
-          - role: postgres
-            vars:
-              postgres_super_user_password: "<ENTER_SUPERUSER_PASSWORD>" # Password for the 'postgres' database user
-
-              # A database with these credentials will be created on the leader node, and replicated to the secondary nodes.
-              postgres_db_name: <ENTER_DB_NAME>
-              postgres_user: <ENTER_DB_USER>
-              postgres_user_password: <ENTER_DB_USER_PASSWORD>
-
-              etcd_hosts: "{{ groups['etcd'] }}"
-
-      - name: Setup Redis and Sentinel
-        hosts: redis:sentinel
-        become: true
-        collections:
-          - infisical.infisical_core_ha_deployment
-        roles:
-          - role: redis
-            vars:
-              redis_password: "<ENTER_REDIS_PASSWORD>"
-
-      - name: Set up HAProxy
-        hosts: haproxy
-        become: true
-        collections:
-          - infisical.infisical_core_ha_deployment
-        roles:
-          - role: haproxy
-            vars:
-              stats_user: "<ENTER_HAPROXY_STATS_USERNAME>"
-              stats_password: "<ENTER_HAPROXY_STATS_PASSWORD>"
-
-              postgres_servers: "{{ groups['postgres'] }}"
-              infisical_servers: "{{ groups['infisical'] }}"
-              redis_servers: "{{ groups['redis'] }}"
-      - name: Setup Infisical
-        hosts: infisical
-        become: true
-        collections:
-          - infisical.infisical_core_ha_deployment
-        roles:
-          - role: infisical
-            env_vars:
-              ENCRYPTION_KEY: "YOUR_ENCRYPTION_KEY" # openssl rand -hex 16
-              AUTH_SECRET: "YOUR_AUTH_SECRET" # openssl rand -base64 32
-  ```
-  </Step>
-  <Step title="Run the Ansible playbook">
-    After creating the `playbook.yml` and `inventory.ini` files, you can run the playbook using the following command
-  ```bash
-      ansible-playbook -i inventory.ini playbook.yml
-  ```
-
-  This step may take upwards of 10 minutes to complete, depending on the number of nodes and the network speed.
-  Once the playbook has completed, you should have a fully deployed high availability Infisical environment.
-
-  To access Infisical, you can try navigating to `http://52.1.0.2`, in order to view your newly deployed Infisical instance.
-  </Step>
-</Steps>
-
-
-## Post-deployment steps
-After deploying Infisical in a high availability environment, you should perform the following post-deployment steps:
- Check your deployment to ensure that all services are running as expected. You can use the HAProxy monitoring panel to check the status of your services (http://52.1.0.2:7000/haproxy?stats)
- Attempt to access the Infisical Core instances to ensure that they are accessible from the internal load balancer. (http://52.1.0.2)
-
-A HAProxy stats page indicating success will look like the image below
-![HAProxy stats page](../../images/self-hosting/deployment-options/native/haproxy-stats.png)
-
-
-## Security Considerations
-### Network Security
-Secure the network that your instances run on. While this falls outside the scope of Infisical deployment, it's crucial for overall security.
-AWS-specific recommendations:
-
-Use Virtual Private Cloud (VPC) to isolate your infrastructure.
-Configure security groups to restrict inbound and outbound traffic.
-Use Network Access Control Lists (NACLs) for additional network-level security.
-
-<Note>
-  Please take note that the Infisical team cannot provide infrastructure support for **free self-hosted** deployments.<br/>If you need help with infrastructure, we recommend upgrading to a [paid plan](https://infisical.com/pricing) which includes infrastructure support.
-
-  You can also join our community [Slack](https://infisical.com/slack) for help and support from the community. 
-</Note>
-
-
-### Troubleshooting
-<Accordion title="Ansible: Failed to set permissions on the temporary files Ansible needs to create when becoming an unprivileged user">
-  If you encounter this issue, please update your ansible config (`ansible.cfg`) file with the following configuration:
-  ```ini
-    [defaults]
-    allow_world_readable_tmpfiles = true
-  ```
-
-  You can read more about the solution [here](https://docs.ansible.com/ansible/latest/collections/ansible/builtin/sh_shell.html#parameter-world_readable_temp)
-</Accordion>
-
-<Accordion title="I'm unable to connect to access the Infisical instance on the web">
-  This issue can be caused by a number of reasons, mostly realted to  the network configuration. Here are a few things you can check:
-  1. Ensure that the firewall is not blocking the connection. You can check this by running `ufw status`. Ensure that port 80 is open.
-  2. If you're using a cloud provider like AWS or GCP, ensure that the security group allows traffic on port 80.
-  3. Ensure that the HAProxy service is running. You can check this by running `systemctl status haproxy`.
-  4. Ensure that the Infisical service is running. You can check this by running `systemctl status infisical`.
-</Accordion>
--- a/docs/self-hosting/reference-architectures/aws-ecs.mdx
+++ b/docs/self-hosting/reference-architectures/aws-ecs.mdx
@@ -1,5 +1,5 @@
 ---
-title: "AWS ECS"
+title: "AWS ECS (HA)"
 description: "Reference architecture for self-hosting Infisical on AWS ECS"
 ---

--- a/docs/self-hosting/reference-architectures/linux-deployment-ha.mdx
+++ b/docs/self-hosting/reference-architectures/linux-deployment-ha.mdx
@@ -0,0 +1,383 @@
+---
+title: "Linux (HA)"
+description: "Infisical High Availability Deployment architecture for Linux"
+---
+
+This guide describes how to achieve a highly available deployment of Infisical on Linux machines without containerization. The architecture provided serves as a foundation for minimum high availability, which you can scale based on your specific requirements.
+
+## Architecture Overview
+
+![High availability stack](/images/self-hosting/deployment-options/native/ha-stack.png)
+
+The deployment consists of the following key components:
+
+| Service                    | Nodes | Recommended Specs         | GCP Instance    | AWS Instance |
+|---------------------------|-------|---------------------------|-----------------|--------------|
+| External Load Balancer    | 1     | 4 vCPU, 4 GB memory      | n1-highcpu-4   | c5n.xlarge   |
+| Internal Load Balancer    | 1     | 4 vCPU, 4 GB memory      | n1-highcpu-4   | c5n.xlarge   |
+| Etcd Cluster              | 3     | 4 vCPU, 4 GB memory      | n1-highcpu-4   | c5n.xlarge   |
+| PostgreSQL Cluster        | 3     | 2 vCPU, 8 GB memory      | n1-standard-2  | m5.large     |
+| Redis + Sentinel          | 3+3   | 2 vCPU, 8 GB memory      | n1-standard-2  | m5.large     |
+| Infisical Core           | 3     | 2 vCPU, 4 GB memory      |  n1-highcpu-2   | c5.large   |
+
+### Network Architecture
+
+All servers operate within the 52.1.0.0/24 private network range with the following IP assignments:
+
+| Service               | IP Address |
+|----------------------|------------|
+| External Load Balancer| 52.1.0.1   |
+| Internal Load Balancer| 52.1.0.2   |
+| Etcd Node 1          | 52.1.0.3   |
+| Etcd Node 2          | 52.1.0.4   |
+| Etcd Node 3          | 52.1.0.5   |
+| PostgreSQL Node 1     | 52.1.0.6   |
+| PostgreSQL Node 2     | 52.1.0.7   |
+| PostgreSQL Node 3     | 52.1.0.8   |
+| Redis Node 1         | 52.1.0.9   |
+| Redis Node 2         | 52.1.0.10  |
+| Redis Node 3         | 52.1.0.11  |
+| Sentinel Node 1      | 52.1.0.12  |
+| Sentinel Node 2      | 52.1.0.13  |
+| Sentinel Node 3      | 52.1.0.14  |
+| Infisical Core 1     | 52.1.0.15  |
+| Infisical Core 2     | 52.1.0.16  |
+| Infisical Core 3     | 52.1.0.17  |
+
+## Component Setup Guide
+
+### 1. Configure Etcd Cluster
+
+The Etcd cluster is needed for leader election in the PostgreSQL HA setup. Skip this step if using managed PostgreSQL.
+
+1. Install Etcd on each node:
+```bash
+sudo apt update
+sudo apt install etcd
+```
+
+2. Configure each node with unique identifiers and cluster membership. Example configuration for Node 1 (`/etc/etcd/etcd.conf`):
+```yaml
+name: etcd1
+data-dir: /var/lib/etcd
+initial-cluster-state: new
+initial-cluster-token: etcd-cluster-1
+initial-cluster: etcd1=http://52.1.0.3:2380,etcd2=http://52.1.0.4:2380,etcd3=http://52.1.0.5:2380
+initial-advertise-peer-urls: http://52.1.0.3:2380
+listen-peer-urls: http://52.1.0.3:2380
+listen-client-urls: http://52.1.0.3:2379,http://127.0.0.1:2379
+advertise-client-urls: http://52.1.0.3:2379
+```
+
+### 2. Configure PostgreSQL
+
+For production deployments, you have two options for highly available PostgreSQL:
+
+#### Option A: Managed PostgreSQL Service (Recommended for Most Users)
+
+Use cloud provider managed services:
+- AWS: Amazon RDS for PostgreSQL with Multi-AZ
+- GCP: Cloud SQL for PostgreSQL with HA configuration
+- Azure: Azure Database for PostgreSQL with zone redundant HA
+
+These services handle replication, failover, and maintenance automatically.
+
+#### Option B: Self-Managed PostgreSQL Cluster
+
+Full HA installation guide of PostgreSQL is beyond the scope of this document. However, we have provided an overview of resources and code snippets below to guide your deployment.
+
+1. Required Components:
+   - PostgreSQL 14+ on each node
+   - Patroni for cluster management
+   - Etcd for distributed consensus
+
+2. Documentation we recommend you read:
+   - [Complete Patroni Setup Guide](https://patroni.readthedocs.io/en/latest/README.html)
+   - [PostgreSQL Replication Documentation](https://www.postgresql.org/docs/current/high-availability.html)
+
+3. Key Steps Overview:
+```bash
+# 1. Install requirements on each PostgreSQL node
+sudo apt update
+sudo apt install -y postgresql-14 postgresql-contrib-14 python3-pip
+pip3 install patroni[etcd] psycopg2-binary
+
+# 2. Create Patroni config directory
+sudo mkdir /etc/patroni
+sudo chown postgres:postgres /etc/patroni
+
+# 3. Create Patroni configuration (example for first node)
+# /etc/patroni/config.yml - REQUIRES CAREFUL CUSTOMIZATION
+```
+
+```yaml
+scope: infisical-cluster
+namespace: /db/
+name: postgresql1
+
+restapi:
+  listen: 52.1.0.6:8008
+  connect_address: 52.1.0.6:8008
+
+etcd:
+  hosts: 52.1.0.3:2379,52.1.0.4:2379,52.1.0.5:2379
+
+bootstrap:
+  dcs:
+    ttl: 30
+    loop_wait: 10
+    retry_timeout: 10
+    maximum_lag_on_failover: 1048576
+    postgresql:
+      use_pg_rewind: true
+      parameters:
+        max_connections: 1000
+        shared_buffers: 2GB
+        work_mem: 8MB
+        max_worker_processes: 8
+        max_parallel_workers_per_gather: 4
+        max_parallel_workers: 8
+        wal_level: replica
+        hot_standby: "on"
+        max_wal_senders: 10
+        max_replication_slots: 10
+        hot_standby_feedback: "on"
+```
+
+4. Important considerations:
+   - Proper disk configuration for WAL and data directories
+   - Network latency between nodes
+   - Backup strategy and point-in-time recovery
+   - Monitoring and alerting setup
+   - Connection pooling configuration
+   - Security and network access controls
+
+5. Recommended readings:
+   - [PostgreSQL Backup and Recovery](https://www.postgresql.org/docs/current/backup.html)
+   - [PostgreSQL Monitoring](https://www.postgresql.org/docs/current/monitoring.html)
+
+### 3. Configure Redis and Sentinel
+
+Similar to PostgreSQL, a full HA Redis setup guide is beyond the scope of this document. Below are the key resources and considerations for your deployment.
+
+#### Option A: Managed Redis Service (Recommended for Most Users)
+
+Use cloud provider managed Redis services:
+- AWS: ElastiCache for Redis with Multi-AZ
+- GCP: Memorystore for Redis with HA
+- Azure: Azure Cache for Redis with zone redundancy
+
+Follow your cloud provider's documentation:
+- [AWS ElastiCache Documentation](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/WhatIs.html)
+- [GCP Memorystore Documentation](https://cloud.google.com/memorystore/docs/redis)
+- [Azure Redis Cache Documentation](https://learn.microsoft.com/en-us/azure/azure-cache-for-redis/)
+
+#### Option B: Self-Managed Redis Cluster
+
+Setting up a production Redis HA cluster requires understanding several components. Refer to these linked resources:
+
+1. Required Reading:
+   - [Redis Sentinel Documentation](https://redis.io/docs/management/sentinel/)
+   - [Redis Replication Guide](https://redis.io/topics/replication)
+   - [Redis Security Guide](https://redis.io/topics/security)
+
+2. Key Steps Overview:
+```bash
+# 1. Install Redis on all nodes
+sudo apt update
+sudo apt install redis-server
+
+# 2. Configure master node (52.1.0.9)
+# /etc/redis/redis.conf
+```
+
+```conf
+bind 52.1.0.9
+port 6379
+dir /var/lib/redis
+maxmemory 3gb
+maxmemory-policy noeviction
+requirepass "your_redis_password"
+masterauth "your_redis_password"
+```
+
+3. Configure replica nodes (`52.1.0.10`, `52.1.0.11`):
+```conf
+bind 52.1.0.10  # Change for each replica
+port 6379
+dir /var/lib/redis
+replicaof 52.1.0.9 6379
+masterauth "your_redis_password"
+requirepass "your_redis_password"
+```
+
+4. Configure Sentinel nodes (`52.1.0.12`, `52.1.0.13`, `52.1.0.14`):
+```conf
+port 26379
+sentinel monitor mymaster 52.1.0.9 6379 2
+sentinel auth-pass mymaster "your_redis_password"
+sentinel down-after-milliseconds mymaster 5000
+sentinel failover-timeout mymaster 60000
+sentinel parallel-syncs mymaster 1
+```
+
+5. Recommended Additional Reading:
+   - [Redis High Availability Tools](https://redis.io/topics/high-availability)
+   - [Redis Sentinel Client Implementation](https://redis.io/topics/sentinel-clients)
+
+### 4. Configure HAProxy Load Balancer
+
+Install and configure HAProxy for internal load balancing:
+
+```conf ha-proxy-config
+global
+    maxconn 10000
+    log stdout format raw local0
+
+defaults
+    log global
+    mode tcp
+    retries 3
+    timeout client 30m
+    timeout connect 10s
+    timeout server 30m
+    timeout check 5s
+
+listen stats
+    mode http
+    bind *:7000
+    stats enable
+    stats uri /
+
+resolvers hostdns
+    nameserver dns 127.0.0.11:53
+    resolve_retries 3
+    timeout resolve 1s
+    timeout retry 1s
+    hold valid 5s
+
+frontend postgres_master
+    bind *:5000
+    default_backend postgres_master_backend
+
+frontend postgres_replicas
+    bind *:5001
+    default_backend postgres_replica_backend
+
+backend postgres_master_backend
+    option httpchk GET /master
+    http-check expect status 200
+    default-server inter 3s fall 3 rise 2 on-marked-down shutdown-sessions
+    server postgres-1 52.1.0.6:5432 check port 8008
+    server postgres-2 52.1.0.7:5432 check port 8008
+    server postgres-3 52.1.0.8:5432 check port 8008
+
+backend postgres_replica_backend
+    option httpchk GET /replica
+    http-check expect status 200
+    default-server inter 3s fall 3 rise 2 on-marked-down shutdown-sessions
+    server postgres-1 52.1.0.6:5432 check port 8008
+    server postgres-2 52.1.0.7:5432 check port 8008
+    server postgres-3 52.1.0.8:5432 check port 8008
+
+frontend redis_master_frontend
+    bind *:6379
+    default_backend redis_master_backend
+
+backend redis_master_backend
+    option tcp-check
+    tcp-check send AUTH\ 123456\r\n
+    tcp-check expect string +OK
+    tcp-check send PING\r\n
+    tcp-check expect string +PONG
+    tcp-check send info\ replication\r\n
+    tcp-check expect string role:master
+    tcp-check send QUIT\r\n
+    tcp-check expect string +OK
+    server redis-1 52.1.0.9:6379 check inter 1s
+    server redis-2 52.1.0.10:6379 check inter 1s
+    server redis-3 52.1.0.11:6379 check inter 1s
+
+frontend infisical_frontend
+    bind *:80
+    default_backend infisical_backend
+
+backend infisical_backend
+    option httpchk GET /api/status
+    http-check expect status 200
+    server infisical-1 52.1.0.15:8080 check inter 1s
+    server infisical-2 52.1.0.16:8080 check inter 1s
+    server infisical-3 52.1.0.17:8080 check inter 1s
+```
+
+### 5. Deploy Infisical Core
+<Tabs>
+  <Tab title="Debian/Ubuntu">
+    First, add the Infisical repository:
+    ```bash
+    curl -1sLf \
+    'https://dl.cloudsmith.io/public/infisical/infisical-core/setup.deb.sh' \
+    | sudo -E bash
+    ```
+
+    Then install Infisical:
+    ```bash
+    sudo apt-get update && sudo apt-get install -y infisical-core
+    ```
+
+    <Info>
+      For production environments, we strongly recommend installing a specific version of the package to maintain consistency across reinstalls. View available versions at [Infisical Package Versions](https://cloudsmith.io/~infisical/repos/infisical-core/packages/).
+    </Info>
+  </Tab>
+
+  <Tab title="RedHat/CentOS/Amazon Linux">
+    First, add the Infisical repository:
+    ```bash
+    curl -1sLf \
+    'https://dl.cloudsmith.io/public/infisical/infisical-core/setup.rpm.sh' \
+    | sudo -E bash
+    ```
+
+    Then install Infisical:
+    ```bash
+    sudo yum install infisical-core
+    ```
+
+    <Info>
+      For production environments, we strongly recommend installing a specific version of the package to maintain consistency across reinstalls. View available versions at [Infisical Package Versions](https://cloudsmith.io/~infisical/repos/infisical-core/packages/).
+    </Info>
+
+  </Tab>
+</Tabs>
+
+Next, create configuration file `/etc/infisical/infisical.rb` with the following:
+
+```ruby
+infisical_core['ENCRYPTION_KEY'] = 'your-secure-encryption-key'
+infisical_core['AUTH_SECRET'] = 'your-secure-auth-secret'
+
+infisical_core['DB_CONNECTION_URI'] = 'postgres://user:pass@52.1.0.2:5000/infisical'
+infisical_core['REDIS_URL'] = 'redis://52.1.0.2:6379'
+
+infisical_core['PORT'] = 8080
+```
+
+To generate `ENCRYPTION_KEY` and `AUTH_SECRET` view the [following configurations documentation here](/self-hosting/configuration/envars).
+
+If you are using managed services for either Postgres or Redis, please replace the values of the secrets accordingly.
+
+
+Lastly, start and verify each node running infisical-core:
+```bash
+sudo infisical-ctl reconfigure
+sudo infisical-ctl status
+```
+
+## Monitoring and Maintenance
+
+1. Monitor HAProxy stats: `http://52.1.0.2:7000/haproxy?stats`
+2. Monitor Infisical logs: `sudo infisical-ctl tail`
+3. Check cluster health:
+   - Etcd: `etcdctl cluster-health`
+   - PostgreSQL: `patronictl list`
+   - Redis: `redis-cli info replication`
--- a/frontend/package-lock.json
+++ b/frontend/package-lock.json
@@ -75,6 +75,7 @@
        "nprogress": "^0.2.0",
        "picomatch": "^2.3.1",
        "posthog-js": "^1.105.6",
+        "qrcode": "^1.5.4",
        "query-string": "^7.1.3",
        "react": "^17.0.2",
        "react-beautiful-dnd": "^13.1.1",
@@ -120,6 +121,7 @@
        "@types/jsrp": "^0.2.4",
        "@types/node": "^18.11.9",
        "@types/picomatch": "^2.3.0",
+        "@types/qrcode": "^1.5.5",
        "@types/react": "^18.0.26",
        "@types/sanitize-html": "^2.9.0",
        "@typescript-eslint/eslint-plugin": "^5.48.1",
@@ -8857,6 +8859,15 @@
      "resolved": "https://registry.npmjs.org/@types/prop-types/-/prop-types-15.7.11.tgz",
      "integrity": "sha512-ga8y9v9uyeiLdpKddhxYQkxNDrfvuPrlFb0N1qnZZByvcElJaXthF1UhvCh9TLWJBEHeNtdnbysW7Y6Uq8CVng=="
    },
+    "node_modules/@types/qrcode": {
+      "version": "1.5.5",
+      "resolved": "https://registry.npmjs.org/@types/qrcode/-/qrcode-1.5.5.tgz",
+      "integrity": "sha512-CdfBi/e3Qk+3Z/fXYShipBT13OJ2fDO2Q2w5CIP5anLTLIndQG9z6P1cnm+8zCWSpm5dnxMFd/uREtb0EXuQzg==",
+      "dev": true,
+      "dependencies": {
+        "@types/node": "*"
+      }
+    },
    "node_modules/@types/qs": {
      "version": "6.9.11",
      "resolved": "https://registry.npmjs.org/@types/qs/-/qs-6.9.11.tgz",
@@ -9785,7 +9796,6 @@
      "version": "5.0.1",
      "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz",
      "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==",
-      "dev": true,
      "engines": {
        "node": ">=8"
      }
@@ -9794,7 +9804,6 @@
      "version": "4.3.0",
      "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-4.3.0.tgz",
      "integrity": "sha512-zbB9rCJAT1rbjiVDb2hqKFHNYLxgtk8NURxZ3IZwD3F6NtxbXZQCnnSi1Lkx+IDohdPlFp222wVALIheZJQSEg==",
-      "dev": true,
      "dependencies": {
        "color-convert": "^2.0.1"
      },
@@ -11076,7 +11085,6 @@
      "version": "5.3.1",
      "resolved": "https://registry.npmjs.org/camelcase/-/camelcase-5.3.1.tgz",
      "integrity": "sha512-L28STB170nwWS63UjtlEOE3dldQApaJXZkOI1uMFfzf3rRuPegHaHesyee+YxQ+W6SvRDQV6UrdOdRiR153wJg==",
-      "dev": true,
      "engines": {
        "node": ">=6"
      }
@@ -11376,6 +11384,29 @@
      "resolved": "https://registry.npmjs.org/client-only/-/client-only-0.0.1.tgz",
      "integrity": "sha512-IV3Ou0jSMzZrd3pZ48nLkT9DA7Ag1pnPzaiQhpW7c3RbcqqzvzzVu+L8gfqMp/8IM2MQtSiqaCxrrcfu8I8rMA=="
    },
+    "node_modules/cliui": {
+      "version": "6.0.0",
+      "resolved": "https://registry.npmjs.org/cliui/-/cliui-6.0.0.tgz",
+      "integrity": "sha512-t6wbgtoCXvAzst7QgXxJYqPt0usEfbgQdftEPbLL/cvv6HPE5VgvqCuAIDR0NgU52ds6rFwqrgakNLrHEjCbrQ==",
+      "dependencies": {
+        "string-width": "^4.2.0",
+        "strip-ansi": "^6.0.0",
+        "wrap-ansi": "^6.2.0"
+      }
+    },
+    "node_modules/cliui/node_modules/wrap-ansi": {
+      "version": "6.2.0",
+      "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-6.2.0.tgz",
+      "integrity": "sha512-r6lPcBGxZXlIcymEu7InxDMhdW0KDxpLgoFLcguasxCaJ/SOIZwINatK9KY/tf+ZrlywOKU0UDj3ATXUBfxJXA==",
+      "dependencies": {
+        "ansi-styles": "^4.0.0",
+        "string-width": "^4.1.0",
+        "strip-ansi": "^6.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
    "node_modules/clone": {
      "version": "1.0.4",
      "resolved": "https://registry.npmjs.org/clone/-/clone-1.0.4.tgz",
@@ -12281,6 +12312,14 @@
      "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz",
      "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w=="
    },
+    "node_modules/decamelize": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/decamelize/-/decamelize-1.2.0.tgz",
+      "integrity": "sha512-z2S+W9X73hAUUki+N+9Za2lBlun89zigOyGrsax+KUQ6wKW4ZoWpEYBkGhQjwAjjDCkWxhY0VKEhk8wzY7F5cA==",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
    "node_modules/decode-named-character-reference": {
      "version": "1.0.2",
      "resolved": "https://registry.npmjs.org/decode-named-character-reference/-/decode-named-character-reference-1.0.2.tgz",
@@ -12677,6 +12716,11 @@
      "integrity": "sha512-c98Bf3tPniI+scsdk237ku1Dc3ujXQTSgyiPUDEOe7tRkhrqridvh8klBv0HCEso1OLOYcHuCv/cS6DNxKH+ZA==",
      "dev": true
    },
+    "node_modules/dijkstrajs": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/dijkstrajs/-/dijkstrajs-1.0.3.tgz",
+      "integrity": "sha512-qiSlmBq9+BCdCA/L46dw8Uy93mloxsPSbwnm5yrKn2vMPiy8KyAskTF6zuV/j5BMsmOGZDPs7KjU+mjb670kfA=="
+    },
    "node_modules/dir-glob": {
      "version": "3.0.1",
      "resolved": "https://registry.npmjs.org/dir-glob/-/dir-glob-3.0.1.tgz",
@@ -14943,6 +14987,14 @@
        "node": ">=6.9.0"
      }
    },
+    "node_modules/get-caller-file": {
+      "version": "2.0.5",
+      "resolved": "https://registry.npmjs.org/get-caller-file/-/get-caller-file-2.0.5.tgz",
+      "integrity": "sha512-DyFP3BM/3YHTQOCUL/w0OZHR0lpKeGrxotcHWcqNEdnltqFwXVfhEBQ94eIo34AfQpo0rGki4cyIiftY06h2Fg==",
+      "engines": {
+        "node": "6.* || 8.* || >= 10.*"
+      }
+    },
    "node_modules/get-intrinsic": {
      "version": "1.2.4",
      "resolved": "https://registry.npmjs.org/get-intrinsic/-/get-intrinsic-1.2.4.tgz",
@@ -16212,7 +16264,6 @@
      "version": "3.0.0",
      "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz",
      "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==",
-      "dev": true,
      "engines": {
        "node": ">=8"
      }
@@ -19339,7 +19390,6 @@
      "version": "2.2.0",
      "resolved": "https://registry.npmjs.org/p-try/-/p-try-2.2.0.tgz",
      "integrity": "sha512-R4nPAVTAU0B9D35/Gk3uJf/7XYbQcyohSKdvAxIRSNghFl4e71hVoGnBNQz9cWaXxO2I10KTC+3jMdvvoKw6dQ==",
-      "dev": true,
      "engines": {
        "node": ">=6"
      }
@@ -19445,7 +19495,6 @@
      "version": "4.0.0",
      "resolved": "https://registry.npmjs.org/path-exists/-/path-exists-4.0.0.tgz",
      "integrity": "sha512-ak9Qy5Q7jYb2Wwcey5Fpvg2KoAc/ZIhLSLOSBmRmygPsGwkVVt0fZa0qrtMz+m6tJTAHfZQ8FnmB4MG4LWy7/w==",
-      "dev": true,
      "engines": {
        "node": ">=8"
      }
@@ -19666,6 +19715,14 @@
        "pathe": "^1.1.2"
      }
    },
+    "node_modules/pngjs": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/pngjs/-/pngjs-5.0.0.tgz",
+      "integrity": "sha512-40QW5YalBNfQo5yRYmiw7Yz6TKKVr3h6970B2YE+3fQpsWcrbj1PzJgxeJ19DRQjhMbKPIuMY8rFaXc8moolVw==",
+      "engines": {
+        "node": ">=10.13.0"
+      }
+    },
    "node_modules/pnp-webpack-plugin": {
      "version": "1.7.0",
      "resolved": "https://registry.npmjs.org/pnp-webpack-plugin/-/pnp-webpack-plugin-1.7.0.tgz",
@@ -20550,6 +20607,22 @@
        "node": ">=6.0.0"
      }
    },
+    "node_modules/qrcode": {
+      "version": "1.5.4",
+      "resolved": "https://registry.npmjs.org/qrcode/-/qrcode-1.5.4.tgz",
+      "integrity": "sha512-1ca71Zgiu6ORjHqFBDpnSMTR2ReToX4l1Au1VFLyVeBTFavzQnv5JxMFr3ukHVKpSrSA2MCk0lNJSykjUfz7Zg==",
+      "dependencies": {
+        "dijkstrajs": "^1.0.1",
+        "pngjs": "^5.0.0",
+        "yargs": "^15.3.1"
+      },
+      "bin": {
+        "qrcode": "bin/qrcode"
+      },
+      "engines": {
+        "node": ">=10.13.0"
+      }
+    },
    "node_modules/qs": {
      "version": "6.13.0",
      "resolved": "https://registry.npmjs.org/qs/-/qs-6.13.0.tgz",
@@ -21846,6 +21919,14 @@
        "throttleit": "^1.0.0"
      }
    },
+    "node_modules/require-directory": {
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/require-directory/-/require-directory-2.1.1.tgz",
+      "integrity": "sha512-fGxEI7+wsG9xrvdjsrlmL22OMTTiHRwAMroiEeMgq8gzoLC/PQr7RsRDSTLUg/bZAZtF+TVIkHc6/4RIKrui+Q==",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
    "node_modules/require-from-string": {
      "version": "2.0.2",
      "resolved": "https://registry.npmjs.org/require-from-string/-/require-from-string-2.0.2.tgz",
@@ -21855,6 +21936,11 @@
        "node": ">=0.10.0"
      }
    },
+    "node_modules/require-main-filename": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/require-main-filename/-/require-main-filename-2.0.0.tgz",
+      "integrity": "sha512-NKN5kMDylKuldxYLSUfrbo5Tuzh4hd+2E8NPPX02mZtn1VuREQToYe/ZdlJy+J3uCpfaiGF05e7B8W0iXbQHmg=="
+    },
    "node_modules/requireindex": {
      "version": "1.2.0",
      "resolved": "https://registry.npmjs.org/requireindex/-/requireindex-1.2.0.tgz",
@@ -22314,6 +22400,11 @@
        "node": ">= 0.8.0"
      }
    },
+    "node_modules/set-blocking": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/set-blocking/-/set-blocking-2.0.0.tgz",
+      "integrity": "sha512-KiKBS8AnWGEyLzofFfmvKwpdPzqiy16LvQfK3yv/fVH7Bj13/wl3JSR1J+rfgRE9q7xUJK4qvgS8raSOeLUehw=="
+    },
    "node_modules/set-cookie-parser": {
      "version": "2.6.0",
      "resolved": "https://registry.npmjs.org/set-cookie-parser/-/set-cookie-parser-2.6.0.tgz",
@@ -22900,7 +22991,6 @@
      "version": "4.2.3",
      "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz",
      "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==",
-      "dev": true,
      "dependencies": {
        "emoji-regex": "^8.0.0",
        "is-fullwidth-code-point": "^3.0.0",
@@ -22934,8 +23024,7 @@
    "node_modules/string-width/node_modules/emoji-regex": {
      "version": "8.0.0",
      "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz",
-      "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==",
-      "dev": true
+      "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A=="
    },
    "node_modules/string.prototype.matchall": {
      "version": "4.0.10",
@@ -23006,7 +23095,6 @@
      "version": "6.0.1",
      "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz",
      "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==",
-      "dev": true,
      "dependencies": {
        "ansi-regex": "^5.0.1"
      },
@@ -24902,6 +24990,11 @@
        "url": "https://github.com/sponsors/ljharb"
      }
    },
+    "node_modules/which-module": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/which-module/-/which-module-2.0.1.tgz",
+      "integrity": "sha512-iBdZ57RDvnOR9AGBhML2vFZf7h8vmBjhoaZqODJBFWHVtKkDmKuHai3cx5PgVMrX5YDNp27AofYbAwctSS+vhQ=="
+    },
    "node_modules/which-typed-array": {
      "version": "1.1.13",
      "resolved": "https://registry.npmjs.org/which-typed-array/-/which-typed-array-1.1.13.tgz",
@@ -25066,6 +25159,11 @@
        "node": ">=0.4"
      }
    },
+    "node_modules/y18n": {
+      "version": "4.0.3",
+      "resolved": "https://registry.npmjs.org/y18n/-/y18n-4.0.3.tgz",
+      "integrity": "sha512-JKhqTOwSrqNA1NY5lSztJ1GrBiUodLMmIZuLiDaMRJ+itFd+ABVE8XBjOvIWL+rSqNDC74LCSFmlb/U4UZ4hJQ=="
+    },
    "node_modules/yallist": {
      "version": "3.1.1",
      "resolved": "https://registry.npmjs.org/yallist/-/yallist-3.1.1.tgz",
@@ -25079,6 +25177,87 @@
        "node": ">= 14"
      }
    },
+    "node_modules/yargs": {
+      "version": "15.4.1",
+      "resolved": "https://registry.npmjs.org/yargs/-/yargs-15.4.1.tgz",
+      "integrity": "sha512-aePbxDmcYW++PaqBsJ+HYUFwCdv4LVvdnhBy78E57PIor8/OVvhMrADFFEDh8DHDFRv/O9i3lPhsENjO7QX0+A==",
+      "dependencies": {
+        "cliui": "^6.0.0",
+        "decamelize": "^1.2.0",
+        "find-up": "^4.1.0",
+        "get-caller-file": "^2.0.1",
+        "require-directory": "^2.1.1",
+        "require-main-filename": "^2.0.0",
+        "set-blocking": "^2.0.0",
+        "string-width": "^4.2.0",
+        "which-module": "^2.0.0",
+        "y18n": "^4.0.0",
+        "yargs-parser": "^18.1.2"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/yargs-parser": {
+      "version": "18.1.3",
+      "resolved": "https://registry.npmjs.org/yargs-parser/-/yargs-parser-18.1.3.tgz",
+      "integrity": "sha512-o50j0JeToy/4K6OZcaQmW6lyXXKhq7csREXcDwk2omFPJEwUNOVtJKvmDr9EI1fAJZUyZcRF7kxGBWmRXudrCQ==",
+      "dependencies": {
+        "camelcase": "^5.0.0",
+        "decamelize": "^1.2.0"
+      },
+      "engines": {
+        "node": ">=6"
+      }
+    },
+    "node_modules/yargs/node_modules/find-up": {
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/find-up/-/find-up-4.1.0.tgz",
+      "integrity": "sha512-PpOwAdQ/YlXQ2vj8a3h8IipDuYRi3wceVQQGYWxNINccq40Anw7BlsEXCMbt1Zt+OLA6Fq9suIpIWD0OsnISlw==",
+      "dependencies": {
+        "locate-path": "^5.0.0",
+        "path-exists": "^4.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/yargs/node_modules/locate-path": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/locate-path/-/locate-path-5.0.0.tgz",
+      "integrity": "sha512-t7hw9pI+WvuwNJXwk5zVHpyhIqzg2qTlklJOf0mVxGSbe3Fp2VieZcduNYjaLDoy6p9uGpQEGWG87WpMKlNq8g==",
+      "dependencies": {
+        "p-locate": "^4.1.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/yargs/node_modules/p-limit": {
+      "version": "2.3.0",
+      "resolved": "https://registry.npmjs.org/p-limit/-/p-limit-2.3.0.tgz",
+      "integrity": "sha512-//88mFWSJx8lxCzwdAABTJL2MyWB12+eIY7MDL2SqLmAkeKU9qxRvWuSyTjm3FUmpBEMuFfckAIqEaVGUDxb6w==",
+      "dependencies": {
+        "p-try": "^2.0.0"
+      },
+      "engines": {
+        "node": ">=6"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/yargs/node_modules/p-locate": {
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/p-locate/-/p-locate-4.1.0.tgz",
+      "integrity": "sha512-R79ZZ/0wAxKGu3oYMlz8jy/kbhsNrS7SKZ7PxEHBgJ5+F2mtFW2fK2cOtBh1cHYkQsbzFV7I+EoRKe6Yt0oK7A==",
+      "dependencies": {
+        "p-limit": "^2.2.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
    "node_modules/yauzl": {
      "version": "2.10.0",
      "resolved": "https://registry.npmjs.org/yauzl/-/yauzl-2.10.0.tgz",
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -88,6 +88,7 @@
    "nprogress": "^0.2.0",
    "picomatch": "^2.3.1",
    "posthog-js": "^1.105.6",
+    "qrcode": "^1.5.4",
    "query-string": "^7.1.3",
    "react": "^17.0.2",
    "react-beautiful-dnd": "^13.1.1",
@@ -133,6 +134,7 @@
    "@types/jsrp": "^0.2.4",
    "@types/node": "^18.11.9",
    "@types/picomatch": "^2.3.0",
+    "@types/qrcode": "^1.5.5",
    "@types/react": "^18.0.26",
    "@types/sanitize-html": "^2.9.0",
    "@typescript-eslint/eslint-plugin": "^5.48.1",
--- a/frontend/src/components/dashboard/DropZone.tsx
+++ b/frontend/src/components/dashboard/DropZone.tsx
@@ -11,7 +11,7 @@ import { SecretType } from "@app/hooks/api/types";
 import Button from "../basic/buttons/Button";
 import Error from "../basic/Error";
 import { createNotification } from "../notifications";
-import { parseDotEnv } from "../utilities/parseDotEnv";
+import { parseDotEnv } from "../utilities/parseSecrets";
 import guidGenerator from "../utilities/randomId";

 interface DropZoneProps {
--- a/frontend/src/components/mfa/TotpRegistration.tsx
+++ b/frontend/src/components/mfa/TotpRegistration.tsx
@@ -0,0 +1,80 @@
+import { useEffect, useState } from "react";
+import QRCode from "qrcode";
+import { twMerge } from "tailwind-merge";
+
+import { useGetUserTotpRegistration } from "@app/hooks/api";
+import { useVerifyUserTotpRegistration } from "@app/hooks/api/users/mutation";
+
+import { createNotification } from "../notifications";
+import { Button, ContentLoader, Input } from "../v2";
+
+type Props = {
+  onComplete?: () => Promise<void>;
+  shouldCenterQr?: boolean;
+};
+
+const TotpRegistration = ({ onComplete, shouldCenterQr }: Props) => {
+  const { data: registration, isLoading } = useGetUserTotpRegistration();
+  const { mutateAsync: verifyUserTotp, isLoading: isVerifyLoading } =
+    useVerifyUserTotpRegistration();
+  const [qrCodeUrl, setQrCodeUrl] = useState("");
+  const [totp, setTotp] = useState("");
+
+  const handleTotpVerify = async (event: React.FormEvent<HTMLFormElement>) => {
+    event.preventDefault();
+    await verifyUserTotp({
+      totp
+    });
+
+    createNotification({
+      text: "Successfully configured mobile authenticator",
+      type: "success"
+    });
+
+    if (onComplete) {
+      onComplete();
+    }
+  };
+
+  useEffect(() => {
+    const generateQRCode = async () => {
+      if (registration?.otpUrl) {
+        const url = await QRCode.toDataURL(registration.otpUrl);
+        setQrCodeUrl(url);
+      }
+    };
+
+    generateQRCode();
+  }, [registration]);
+
+  if (isLoading) {
+    return <ContentLoader />;
+  }
+
+  return (
+    <div className="flex max-w-lg flex-col text-bunker-200">
+      <div className="mb-8">
+        1. Download a two-step verification app (Duo, Google Authenticator, etc.) and scan the QR
+        code.
+      </div>
+      <div className={twMerge("mb-8 flex items-center", shouldCenterQr && "justify-center")}>
+        <img src={qrCodeUrl} alt="registration-qr" />
+      </div>
+      <form onSubmit={handleTotpVerify}>
+        <div className="mb-4">2. Enter the resulting verification code</div>
+        <div className="mb-4 flex flex-row gap-2">
+          <Input
+            onChange={(e) => setTotp(e.target.value)}
+            value={totp}
+            placeholder="Verification code"
+          />
+          <Button isLoading={isVerifyLoading} type="submit">
+            Enable MFA
+          </Button>
+        </div>
+      </form>
+    </div>
+  );
+};
+
+export default TotpRegistration;
--- a/frontend/src/components/utilities/parseSecrets.ts
+++ b/frontend/src/components/utilities/parseSecrets.ts
@@ -6,7 +6,7 @@ const LINE =
 * @param {ArrayBuffer} src - source buffer
 * @returns {String} text - text of buffer
 */
-export function parseDotEnv(src: ArrayBuffer) {
+export function parseDotEnv(src: ArrayBuffer | string) {
  const object: {
    [key: string]: { value: string; comments: string[] };
  } = {};
@@ -65,3 +65,15 @@ export function parseDotEnv(src: ArrayBuffer) {

  return object;
 }
+
+export const parseJson = (src: ArrayBuffer | string) => {
+  const file = src.toString();
+  const formatedData: Record<string, string> = JSON.parse(file);
+  const env: Record<string, { value: string; comments: string[] }> = {};
+  Object.keys(formatedData).forEach((key) => {
+    if (typeof formatedData[key] === "string") {
+      env[key] = { value: formatedData[key], comments: [] };
+    }
+  });
+  return env;
+};
--- a/frontend/src/components/v2/FormControl/FormControl.tsx
+++ b/frontend/src/components/v2/FormControl/FormControl.tsx
@@ -83,6 +83,7 @@ export type FormControlProps = {
  className?: string;
  icon?: ReactNode;
  tooltipText?: ReactElement | string;
+  tooltipClassName?: string;
 };

 export const FormControl = ({
@@ -96,7 +97,8 @@ export const FormControl = ({
  isError,
  icon,
  className,
-  tooltipText
+  tooltipText,
+  tooltipClassName
 }: FormControlProps): JSX.Element => {
  return (
    <div className={twMerge("mb-4", className)}>
@@ -108,6 +110,7 @@ export const FormControl = ({
          id={id}
          icon={icon}
          tooltipText={tooltipText}
+          tooltipClassName={tooltipClassName}
        />
      ) : (
        label
--- a/frontend/src/hooks/api/auth/queries.tsx
+++ b/frontend/src/hooks/api/auth/queries.tsx
@@ -19,6 +19,7 @@ import {
  Login2Res,
  LoginLDAPDTO,
  LoginLDAPRes,
+  MfaMethod,
  ResetPasswordDTO,
  SendMfaTokenDTO,
  SRP1DTO,
@@ -65,10 +66,11 @@ export const selectOrganization = async (data: {
  organizationId: string;
  userAgent?: UserAgentType;
 }) => {
-  const { data: res } = await apiRequest.post<{ token: string; isMfaEnabled: boolean }>(
-    "/api/v3/auth/select-organization",
-    data
-  );
+  const { data: res } = await apiRequest.post<{
+    token: string;
+    isMfaEnabled: boolean;
+    mfaMethod?: MfaMethod;
+  }>("/api/v3/auth/select-organization", data);
  return res;
 };

@@ -154,10 +156,19 @@ export const useSendMfaToken = () => {
  });
 };

-export const verifyMfaToken = async ({ email, mfaCode }: { email: string; mfaCode: string }) => {
+export const verifyMfaToken = async ({
+  email,
+  mfaCode,
+  mfaMethod
+}: {
+  email: string;
+  mfaCode: string;
+  mfaMethod?: string;
+}) => {
  const { data } = await apiRequest.post("/api/v2/auth/mfa/verify", {
    email,
-    mfaToken: mfaCode
+    mfaToken: mfaCode,
+    mfaMethod
  });

  return data;
@@ -165,10 +176,11 @@ export const verifyMfaToken = async ({ email, mfaCode }: { email: string; mfaCod

 export const useVerifyMfaToken = () => {
  return useMutation<VerifyMfaTokenRes, {}, VerifyMfaTokenDTO>({
-    mutationFn: async ({ email, mfaCode }) => {
+    mutationFn: async ({ email, mfaCode, mfaMethod }) => {
      return verifyMfaToken({
        email,
-        mfaCode
+        mfaCode,
+        mfaMethod
      });
    }
  });
@@ -302,3 +314,9 @@ export const useGetAuthToken = () =>
    onSuccess: (data) => setAuthToken(data.token),
    retry: 0
  });
+
+export const checkUserTotpMfa = async () => {
+  const { data } = await apiRequest.get<{ isVerified: boolean }>("/api/v2/auth/mfa/check/totp");
+
+  return data.isVerified;
+};
--- a/frontend/src/hooks/api/auth/types.ts
+++ b/frontend/src/hooks/api/auth/types.ts
@@ -9,6 +9,7 @@ export type SendMfaTokenDTO = {
 export type VerifyMfaTokenDTO = {
  email: string;
  mfaCode: string;
+  mfaMethod: MfaMethod;
 };

 export type VerifyMfaTokenRes = {
@@ -149,3 +150,8 @@ export type GetBackupEncryptedPrivateKeyDTO = {
 export enum UserAgentType {
  CLI = "cli"
 }
+
+export enum MfaMethod {
+  EMAIL = "email",
+  TOTP = "totp"
+}
--- a/frontend/src/hooks/api/dashboard/queries.tsx
+++ b/frontend/src/hooks/api/dashboard/queries.tsx
@@ -5,6 +5,7 @@ import axios from "axios";
 import { createNotification } from "@app/components/notifications";
 import { apiRequest } from "@app/config/request";
 import {
+  DashboardProjectSecretsByKeys,
  DashboardProjectSecretsDetails,
  DashboardProjectSecretsDetailsResponse,
  DashboardProjectSecretsOverview,
@@ -12,6 +13,7 @@ import {
  DashboardSecretsOrderBy,
  TDashboardProjectSecretsQuickSearch,
  TDashboardProjectSecretsQuickSearchResponse,
+  TGetDashboardProjectSecretsByKeys,
  TGetDashboardProjectSecretsDetailsDTO,
  TGetDashboardProjectSecretsOverviewDTO,
  TGetDashboardProjectSecretsQuickSearchDTO
@@ -101,6 +103,23 @@ export const fetchProjectSecretsDetails = async ({
  return data;
 };

+export const fetchDashboardProjectSecretsByKeys = async ({
+  keys,
+  ...params
+}: TGetDashboardProjectSecretsByKeys) => {
+  const { data } = await apiRequest.get<DashboardProjectSecretsByKeys>(
+    "/api/v1/dashboard/secrets-by-keys",
+    {
+      params: {
+        ...params,
+        keys: encodeURIComponent(keys.join(","))
+      }
+    }
+  );
+
+  return data;
+};
+
 export const useGetProjectSecretsOverview = (
  {
    projectId,
--- a/frontend/src/hooks/api/dashboard/types.ts
+++ b/frontend/src/hooks/api/dashboard/types.ts
@@ -29,6 +29,10 @@ export type DashboardProjectSecretsDetailsResponse = {
  totalCount: number;
 };

+export type DashboardProjectSecretsByKeys = {
+  secrets: SecretV3Raw[];
+};
+
 export type DashboardProjectSecretsOverview = Omit<
  DashboardProjectSecretsOverviewResponse,
  "secrets"
@@ -89,3 +93,10 @@ export type TGetDashboardProjectSecretsQuickSearchDTO = {
  search: string;
  environments: string[];
 };
+
+export type TGetDashboardProjectSecretsByKeys = {
+  projectId: string;
+  secretPath: string;
+  environment: string;
+  keys: string[];
+};
--- a/frontend/src/hooks/api/integrationAuth/queries.tsx
+++ b/frontend/src/hooks/api/integrationAuth/queries.tsx
@@ -157,7 +157,8 @@ const fetchIntegrationAuthApps = async ({
    `/api/v1/integration-auth/${integrationAuthId}/apps`,
    { params: searchParams }
  );
-  return data.apps;
+
+  return data.apps.sort((a, b) => a.name.localeCompare(b.name));
 };

 const fetchIntegrationAuthTeams = async (integrationAuthId: string) => {
--- a/frontend/src/hooks/api/organization/queries.tsx
+++ b/frontend/src/hooks/api/organization/queries.tsx
@@ -91,7 +91,8 @@ export const useUpdateOrg = () => {
      slug,
      orgId,
      defaultMembershipRoleSlug,
-      enforceMfa
+      enforceMfa,
+      selectedMfaMethod
    }) => {
      return apiRequest.patch(`/api/v1/organization/${orgId}`, {
        name,
@@ -99,7 +100,8 @@ export const useUpdateOrg = () => {
        scimEnabled,
        slug,
        defaultMembershipRoleSlug,
-        enforceMfa
+        enforceMfa,
+        selectedMfaMethod
      });
    },
    onSuccess: () => {
--- a/frontend/src/hooks/api/organization/types.ts
+++ b/frontend/src/hooks/api/organization/types.ts
@@ -1,6 +1,8 @@
 import { OrderByDirection } from "@app/hooks/api/generic/types";
 import { IdentityMembershipOrg } from "@app/hooks/api/identities/types";

+import { MfaMethod } from "../auth/types";
+
 export type Organization = {
  id: string;
  name: string;
@@ -12,6 +14,7 @@ export type Organization = {
  slug: string;
  defaultMembershipRole: string;
  enforceMfa: boolean;
+  selectedMfaMethod?: MfaMethod;
 };

 export type UpdateOrgDTO = {
@@ -22,6 +25,7 @@ export type UpdateOrgDTO = {
  slug?: string;
  defaultMembershipRoleSlug?: string;
  enforceMfa?: boolean;
+  selectedMfaMethod?: MfaMethod;
 };

 export type BillingDetails = {
--- a/frontend/src/hooks/api/users/index.tsx
+++ b/frontend/src/hooks/api/users/index.tsx
@@ -21,12 +21,13 @@ export {
  useGetOrgUsers,
  useGetUser,
  useGetUserAction,
+  useGetUserTotpRegistration,
  useListUserGroupMemberships,
  useLogoutUser,
  useRegisterUserAction,
  useRevokeMySessions,
-  useUpdateMfaEnabled,
  useUpdateOrgMembership,
-  useUpdateUserAuthMethods
+  useUpdateUserAuthMethods,
+  useUpdateUserMfa
 } from "./queries";
 export { userKeys } from "./query-keys";
--- a/frontend/src/hooks/api/users/mutation.tsx
+++ b/frontend/src/hooks/api/users/mutation.tsx
@@ -114,3 +114,43 @@ export const useUpdateUserProjectFavorites = () => {
    }
  });
 };
+
+export const useVerifyUserTotpRegistration = () => {
+  return useMutation({
+    mutationFn: async ({ totp }: { totp: string }) => {
+      await apiRequest.post("/api/v1/user/me/totp/verify", {
+        totp
+      });
+
+      return {};
+    }
+  });
+};
+
+export const useDeleteUserTotpConfiguration = () => {
+  const queryClient = useQueryClient();
+  return useMutation({
+    mutationFn: async () => {
+      await apiRequest.delete("/api/v1/user/me/totp");
+
+      return {};
+    },
+    onSuccess: () => {
+      queryClient.invalidateQueries(userKeys.totpConfiguration);
+    }
+  });
+};
+
+export const useCreateNewTotpRecoveryCodes = () => {
+  const queryClient = useQueryClient();
+  return useMutation({
+    mutationFn: async () => {
+      await apiRequest.post("/api/v1/user/me/totp/recovery-codes");
+
+      return {};
+    },
+    onSuccess: () => {
+      queryClient.invalidateQueries(userKeys.totpConfiguration);
+    }
+  });
+};
--- a/frontend/src/hooks/api/users/queries.tsx
+++ b/frontend/src/hooks/api/users/queries.tsx
@@ -1,10 +1,12 @@
 import { useMutation, useQuery, useQueryClient } from "@tanstack/react-query";
+import { AxiosError } from "axios";

 import { apiRequest } from "@app/config/request";
 import { SessionStorageKeys } from "@app/const";
 import { setAuthToken } from "@app/reactQuery";

 import { APIKeyDataV2 } from "../apiKeys/types";
+import { MfaMethod } from "../auth/types";
 import { TGroupWithProjectMemberships } from "../groups/types";
 import { workspaceKeys } from "../workspace";
 import { userKeys } from "./query-keys";
@@ -390,14 +392,21 @@ export const useRevokeMySessions = () => {
  });
 };

-export const useUpdateMfaEnabled = () => {
+export const useUpdateUserMfa = () => {
  const queryClient = useQueryClient();
  return useMutation({
-    mutationFn: async ({ isMfaEnabled }: { isMfaEnabled: boolean }) => {
+    mutationFn: async ({
+      isMfaEnabled,
+      selectedMfaMethod
+    }: {
+      isMfaEnabled?: boolean;
+      selectedMfaMethod?: MfaMethod;
+    }) => {
      const {
        data: { user }
      } = await apiRequest.patch("/api/v2/users/me/mfa", {
-        isMfaEnabled
+        isMfaEnabled,
+        selectedMfaMethod
      });

      return user;
@@ -446,3 +455,39 @@ export const useListUserGroupMemberships = (username: string) => {
    }
  });
 };
+
+export const useGetUserTotpRegistration = () => {
+  return useQuery({
+    queryKey: userKeys.totpRegistration,
+    queryFn: async () => {
+      const { data } = await apiRequest.post<{ otpUrl: string; recoveryCodes: string[] }>(
+        "/api/v1/user/me/totp/register"
+      );
+
+      return data;
+    }
+  });
+};
+
+export const useGetUserTotpConfiguration = () => {
+  return useQuery({
+    queryKey: userKeys.totpConfiguration,
+    queryFn: async () => {
+      try {
+        const { data } = await apiRequest.get<{ isVerified: boolean; recoveryCodes: string[] }>(
+          "/api/v1/user/me/totp"
+        );
+
+        return data;
+      } catch (error) {
+        if (error instanceof AxiosError && [404, 400].includes(error.response?.data?.statusCode)) {
+          return {
+            isVerified: false,
+            recoveryCodes: []
+          };
+        }
+        throw error;
+      }
+    }
+  });
+};
--- a/frontend/src/hooks/api/users/query-keys.tsx
+++ b/frontend/src/hooks/api/users/query-keys.tsx
@@ -16,6 +16,8 @@ export const userKeys = {
  myAPIKeysV2: ["api-keys-v2"] as const,
  mySessions: ["sessions"] as const,
  listUsers: ["user-list"] as const,
+  totpRegistration: ["totp-registration"],
+  totpConfiguration: ["totp-configuration"],
  listUserGroupMemberships: (username: string) => [{ username }, "user-group-memberships"] as const,
  myOrganizationProjects: (orgId: string) => [{ orgId }, "organization-projects"] as const
 };
--- a/frontend/src/hooks/api/users/types.ts
+++ b/frontend/src/hooks/api/users/types.ts
@@ -1,3 +1,4 @@
+import { MfaMethod } from "../auth/types";
 import { UserWsKeyPair } from "../keys/types";
 import { ProjectUserMembershipTemporaryMode } from "../workspace/types";

@@ -26,6 +27,7 @@ export type User = {
  authProvider?: AuthMethod;
  authMethods: AuthMethod[];
  isMfaEnabled: boolean;
+  selectedMfaMethod?: MfaMethod;
  seenIps: string[];
  id: string;
 };
--- a/frontend/src/layouts/AppLayout/AppLayout.tsx
+++ b/frontend/src/layouts/AppLayout/AppLayout.tsx
@@ -78,6 +78,7 @@ import {
  useLogoutUser,
  useSelectOrganization
 } from "@app/hooks/api";
+import { MfaMethod } from "@app/hooks/api/auth/types";
 import { INTERNAL_KMS_KEY_ID } from "@app/hooks/api/kms/types";
 import { InfisicalProjectTemplate, useListProjectTemplates } from "@app/hooks/api/projectTemplates";
 import { Workspace } from "@app/hooks/api/types";
@@ -143,6 +144,7 @@ export const AppLayout = ({ children }: LayoutProps) => {
  const { data: projectFavorites } = useGetUserProjectFavorites(currentOrg?.id!);
  const { mutateAsync: updateUserProjectFavorites } = useUpdateUserProjectFavorites();
  const [shouldShowMfa, toggleShowMfa] = useToggle(false);
+  const [requiredMfaMethod, setRequiredMfaMethod] = useState(MfaMethod.EMAIL);
  const [mfaSuccessCallback, setMfaSuccessCallback] = useState<() => void>(() => {});

  const workspacesWithFaveProp = useMemo(
@@ -214,12 +216,15 @@ export const AppLayout = ({ children }: LayoutProps) => {
  };

  const changeOrg = async (orgId: string) => {
-    const { token, isMfaEnabled } = await selectOrganization({
+    const { token, isMfaEnabled, mfaMethod } = await selectOrganization({
      organizationId: orgId
    });

    if (isMfaEnabled) {
      SecurityClient.setMfaToken(token);
+      if (mfaMethod) {
+        setRequiredMfaMethod(mfaMethod);
+      }
      toggleShowMfa.on();
      setMfaSuccessCallback(() => () => changeOrg(orgId));
      return;
@@ -365,6 +370,7 @@ export const AppLayout = ({ children }: LayoutProps) => {
      <div className="flex max-h-screen min-h-screen flex-col items-center justify-center gap-2 overflow-y-auto bg-gradient-to-tr from-mineshaft-600 via-mineshaft-800 to-bunker-700">
        <Mfa
          email={user.email as string}
+          method={requiredMfaMethod}
          successCallback={mfaSuccessCallback}
          closeMfa={() => toggleShowMfa.off()}
        />
--- a/frontend/src/pages/login/select-organization.tsx
+++ b/frontend/src/pages/login/select-organization.tsx
@@ -22,7 +22,7 @@ import {
  useLogoutUser,
  useSelectOrganization
 } from "@app/hooks/api";
-import { UserAgentType } from "@app/hooks/api/auth/types";
+import { MfaMethod, UserAgentType } from "@app/hooks/api/auth/types";
 import { Organization } from "@app/hooks/api/types";
 import { AuthMethod } from "@app/hooks/api/users/types";
 import { getAuthToken, isLoggedIn } from "@app/reactQuery";
@@ -46,6 +46,7 @@ export default function LoginPage() {
  const selectOrg = useSelectOrganization();
  const { data: user, isLoading: userLoading } = useGetUser();
  const [shouldShowMfa, toggleShowMfa] = useToggle(false);
+  const [requiredMfaMethod, setRequiredMfaMethod] = useState(MfaMethod.EMAIL);
  const [isInitialOrgCheckLoading, setIsInitialOrgCheckLoading] = useState(true);

  const [mfaSuccessCallback, setMfaSuccessCallback] = useState<() => void>(() => {});
@@ -90,15 +91,19 @@ export default function LoginPage() {
        return;
      }

-      const { token, isMfaEnabled } = await selectOrg.mutateAsync({
-        organizationId: organization.id,
-        userAgent: callbackPort ? UserAgentType.CLI : undefined
-      });
+      const { token, isMfaEnabled, mfaMethod } = await selectOrg
+        .mutateAsync({
+          organizationId: organization.id,
+          userAgent: callbackPort ? UserAgentType.CLI : undefined
+        })
+        .finally(() => setIsInitialOrgCheckLoading(false));

      if (isMfaEnabled) {
        SecurityClient.setMfaToken(token);
+        if (mfaMethod) {
+          setRequiredMfaMethod(mfaMethod);
+        }
        toggleShowMfa.on();
-
        setMfaSuccessCallback(() => () => handleSelectOrganization(organization));
        return;
      }
@@ -213,7 +218,11 @@ export default function LoginPage() {
        <meta name="og:description" content={t("login.og-description") ?? ""} />
      </Head>
      {shouldShowMfa ? (
-        <Mfa email={user.email as string} successCallback={mfaSuccessCallback} />
+        <Mfa
+          email={user.email as string}
+          successCallback={mfaSuccessCallback}
+          method={requiredMfaMethod}
+        />
      ) : (
        <div className="mx-auto mt-20 w-fit rounded-lg border-2 border-mineshaft-500 p-10 shadow-lg">
          <Link href="/">
--- a/frontend/src/pages/signupinvite.tsx
+++ b/frontend/src/pages/signupinvite.tsx
@@ -29,8 +29,10 @@ import {
  useSelectOrganization,
  verifySignupInvite
 } from "@app/hooks/api/auth/queries";
+import { MfaMethod } from "@app/hooks/api/auth/types";
 import { fetchOrganizations } from "@app/hooks/api/organization/queries";
 import { navigateUserToOrg } from "@app/views/Login/Login.utils";
+import { Mfa } from "@app/views/Login/Mfa";

 // eslint-disable-next-line new-cap
 const client = new jsrp.client();
@@ -59,6 +61,7 @@ export default function SignupInvite() {
  const [errors, setErrors] = useState<Errors>({});

  const [shouldShowMfa, toggleShowMfa] = useToggle(false);
+  const [requiredMfaMethod, setRequiredMfaMethod] = useState(MfaMethod.EMAIL);
  const [mfaSuccessCallback, setMfaSuccessCallback] = useState<() => void>(() => {});
  const router = useRouter();
  const parsedUrl = queryString.parse(router.asPath.split("?")[1]);
@@ -184,12 +187,19 @@ export default function SignupInvite() {
              if (!orgId) throw new Error("You are not part of any organization");

              const completeSignupFlow = async () => {
-                const { token: mfaToken, isMfaEnabled } = await selectOrganization({
+                const {
+                  token: mfaToken,
+                  isMfaEnabled,
+                  mfaMethod
+                } = await selectOrganization({
                  organizationId: orgId
                });

                if (isMfaEnabled) {
                  SecurityClient.setMfaToken(mfaToken);
+                  if (mfaMethod) {
+                    setRequiredMfaMethod(mfaMethod);
+                  }
                  toggleShowMfa.on();
                  setMfaSuccessCallback(() => completeSignupFlow);
                  return;
@@ -390,12 +400,23 @@ export default function SignupInvite() {
        <title>Sign Up</title>
        <link rel="icon" href="/infisical.ico" />
      </Head>
-      <Link href="/">
-        <div className="mb-4 mt-20 flex justify-center">
-          <Image src="/images/gradientLogo.svg" height={90} width={120} alt="Infisical Logo" />
-        </div>
-      </Link>
-      {step === 1 ? stepConfirmEmail : step === 2 ? main : step4}
+      {shouldShowMfa ? (
+        <Mfa
+          email={email}
+          successCallback={mfaSuccessCallback}
+          method={requiredMfaMethod}
+          closeMfa={() => toggleShowMfa.off()}
+        />
+      ) : (
+        <>
+          <Link href="/">
+            <div className="mb-4 mt-20 flex justify-center">
+              <Image src="/images/gradientLogo.svg" height={90} width={120} alt="Infisical Logo" />
+            </div>
+          </Link>
+          {step === 1 ? stepConfirmEmail : step === 2 ? main : step4}
+        </>
+      )}
    </div>
  );
 }
--- a/frontend/src/views/Login/Mfa.tsx
+++ b/frontend/src/views/Login/Mfa.tsx
@@ -1,4 +1,4 @@
-import { useState } from "react";
+import React, { useEffect, useState } from "react";
 import ReactCodeInput from "react-code-input";
 import Image from "next/image";
 import Link from "next/link";
@@ -6,10 +6,12 @@ import { useRouter } from "next/router";
 import { t } from "i18next";

 import Error from "@app/components/basic/Error";
+import TotpRegistration from "@app/components/mfa/TotpRegistration";
 import SecurityClient from "@app/components/utilities/SecurityClient";
-import { Button } from "@app/components/v2";
+import { Button, Input } from "@app/components/v2";
 import { useSendMfaToken } from "@app/hooks/api";
-import { verifyMfaToken } from "@app/hooks/api/auth/queries";
+import { checkUserTotpMfa, verifyMfaToken } from "@app/hooks/api/auth/queries";
+import { MfaMethod } from "@app/hooks/api/auth/types";

 // The style for the verification code input
 const codeInputProps = {
@@ -36,23 +38,39 @@ type Props = {
  closeMfa?: () => void;
  hideLogo?: boolean;
  email: string;
+  method: MfaMethod;
 };

-export const Mfa = ({ successCallback, closeMfa, hideLogo, email }: Props) => {
+export const Mfa = ({ successCallback, closeMfa, hideLogo, email, method }: Props) => {
  const [mfaCode, setMfaCode] = useState("");
  const router = useRouter();
  const [isLoading, setIsLoading] = useState(false);
  const [isLoadingResend, setIsLoadingResend] = useState(false);
  const [triesLeft, setTriesLeft] = useState<number | undefined>(undefined);
+  const [shouldShowTotpRegistration, setShouldShowTotpRegistration] = useState(false);

  const sendMfaToken = useSendMfaToken();

-  const verifyMfa = async () => {
+  useEffect(() => {
+    if (method === MfaMethod.TOTP) {
+      checkUserTotpMfa().then((isVerified) => {
+        if (!isVerified) {
+          SecurityClient.setMfaToken("");
+          setShouldShowTotpRegistration(true);
+        }
+      });
+    }
+  }, []);
+
+  const verifyMfa = async (event: React.FormEvent<HTMLFormElement>) => {
+    event.preventDefault();
+
    setIsLoading(true);
    try {
      const { token } = await verifyMfaToken({
        email,
-        mfaCode
+        mfaCode,
+        mfaMethod: method
      });

      SecurityClient.setMfaToken("");
@@ -92,6 +110,25 @@ export const Mfa = ({ successCallback, closeMfa, hideLogo, email }: Props) => {
    }
  };

+  if (shouldShowTotpRegistration) {
+    return (
+      <>
+        <div className="mb-6 text-center text-lg font-bold text-white">
+          Your organization requires mobile authentication to be configured.
+        </div>
+        <div className="mx-auto w-max pb-4 pt-4 md:mb-16 md:px-8">
+          <TotpRegistration
+            shouldCenterQr
+            onComplete={async () => {
+              setShouldShowTotpRegistration(false);
+              await successCallback();
+            }}
+          />
+        </div>
+      </>
+    );
+  }
+
  return (
    <div className="mx-auto w-max pb-4 pt-4 md:mb-16 md:px-8">
      {!hideLogo && (
@@ -101,52 +138,87 @@ export const Mfa = ({ successCallback, closeMfa, hideLogo, email }: Props) => {
          </div>
        </Link>
      )}
-      <p className="text-l flex justify-center text-bunker-300">{t("mfa.step2-message")}</p>
-      <p className="text-l my-1 flex justify-center font-semibold text-bunker-300">{email}</p>
-      <div className="mx-auto hidden w-max min-w-[20rem] md:block">
-        <ReactCodeInput
-          name=""
-          inputMode="tel"
-          type="text"
-          fields={6}
-          onChange={setMfaCode}
-          className="mt-6 mb-2"
-          {...codeInputProps}
-        />
-      </div>
-      {typeof triesLeft === "number" && (
-        <Error text={`Invalid code. You have ${triesLeft} attempt(s) remaining.`} />
+      {method === MfaMethod.EMAIL && (
+        <>
+          <p className="text-l flex justify-center text-bunker-300">{t("mfa.step2-message")}</p>
+          <p className="text-l my-1 flex justify-center font-semibold text-bunker-300">{email}</p>
+        </>
      )}
-      <div className="mx-auto mt-2 flex w-1/4 min-w-[20rem] max-w-xs flex-col items-center justify-center text-center text-sm md:max-w-md md:text-left lg:w-[19%]">
-        <div className="text-l w-full py-1 text-lg">
-          <Button
-            onClick={() => verifyMfa()}
-            size="sm"
-            isFullWidth
-            className="h-14"
-            colorSchema="primary"
-            variant="outline_bg"
-            isLoading={isLoading}
-          >
-            {String(t("mfa.verify"))}
-          </Button>
+      {method === MfaMethod.TOTP && (
+        <>
+          <p className="text-l mb-4 flex max-w-xs justify-center text-center font-bold text-bunker-100">
+            Authenticator MFA Required
+          </p>
+          <p className="text-l flex max-w-xs justify-center text-center text-bunker-300">
+            Open the authenticator app on your mobile device to get your verification code or enter
+            a recovery code.
+          </p>
+        </>
+      )}
+      <form onSubmit={verifyMfa}>
+        <div className="mx-auto hidden w-max min-w-[20rem] md:block">
+          {method === MfaMethod.EMAIL && (
+            <ReactCodeInput
+              name=""
+              inputMode="tel"
+              type="text"
+              fields={6}
+              onChange={setMfaCode}
+              className="mt-6 mb-2"
+              {...codeInputProps}
+            />
+          )}
+          {method === MfaMethod.TOTP && (
+            <div className="mt-6 mb-4">
+              <Input value={mfaCode} onChange={(e) => setMfaCode(e.target.value)} />
+            </div>
+          )}
        </div>
-      </div>
-      <div className="mx-auto flex max-h-24 w-full max-w-md flex-col items-center justify-center pt-2">
-        <div className="flex flex-row items-baseline gap-1 text-sm">
-          <span className="text-bunker-400">{t("signup.step2-resend-alert")}</span>
-          <div className="text-md mt-2 flex flex-row text-bunker-400">
-            <button disabled={isLoadingResend} onClick={handleResendMfaCode} type="button">
-              <span className="cursor-pointer duration-200 hover:text-bunker-200 hover:underline hover:decoration-primary-700 hover:underline-offset-4">
-                {isLoadingResend
-                  ? t("signup.step2-resend-progress")
-                  : t("signup.step2-resend-submit")}
-              </span>
-            </button>
+        {typeof triesLeft === "number" && (
+          <Error text={`Invalid code. You have ${triesLeft} attempt(s) remaining.`} />
+        )}
+        <div className="mx-auto mt-2 flex w-1/4 min-w-[20rem] max-w-xs flex-col items-center justify-center text-center text-sm md:max-w-md md:text-left lg:w-[19%]">
+          <div className="text-l w-full py-1 text-lg">
+            <Button
+              size="sm"
+              type="submit"
+              isFullWidth
+              className="h-14"
+              colorSchema="primary"
+              variant="outline_bg"
+              isLoading={isLoading}
+            >
+              {String(t("mfa.verify"))}
+            </Button>
          </div>
        </div>
-        <p className="pb-2 text-sm text-bunker-400">{t("signup.step2-spam-alert")}</p>
-      </div>
+      </form>
+      {method === MfaMethod.TOTP && (
+        <div className="mt-2 flex flex-row justify-center text-sm text-bunker-400 ">
+          <Link href="/verify-email">
+            <span className="cursor-pointer duration-200 hover:text-bunker-200 hover:underline hover:decoration-primary-700 hover:underline-offset-4">
+              Lost your recovery codes? Reset your account
+            </span>
+          </Link>
+        </div>
+      )}
+      {method === MfaMethod.EMAIL && (
+        <div className="mx-auto flex max-h-24 w-full max-w-md flex-col items-center justify-center pt-2">
+          <div className="flex flex-row items-baseline gap-1 text-sm">
+            <span className="text-bunker-400">{t("signup.step2-resend-alert")}</span>
+            <div className="text-md mt-2 flex flex-row text-bunker-400">
+              <button disabled={isLoadingResend} onClick={handleResendMfaCode} type="button">
+                <span className="cursor-pointer duration-200 hover:text-bunker-200 hover:underline hover:decoration-primary-700 hover:underline-offset-4">
+                  {isLoadingResend
+                    ? t("signup.step2-resend-progress")
+                    : t("signup.step2-resend-submit")}
+                </span>
+              </button>
+            </div>
+          </div>
+          <p className="pb-2 text-sm text-bunker-400">{t("signup.step2-spam-alert")}</p>
+        </div>
+      )}
    </div>
  );
 };
--- a/frontend/src/views/Login/components/PasswordStep/PasswordStep.tsx
+++ b/frontend/src/views/Login/components/PasswordStep/PasswordStep.tsx
@@ -16,6 +16,7 @@ import { Button, Input, Spinner } from "@app/components/v2";
 import { SessionStorageKeys } from "@app/const";
 import { useToggle } from "@app/hooks";
 import { useOauthTokenExchange, useSelectOrganization } from "@app/hooks/api";
+import { MfaMethod } from "@app/hooks/api/auth/types";
 import { fetchOrganizations } from "@app/hooks/api/organization/queries";
 import { fetchMyPrivateKey } from "@app/hooks/api/users/queries";

@@ -36,6 +37,7 @@ export const PasswordStep = ({ providerAuthToken, email, password, setPassword }
  const { mutateAsync: selectOrganization } = useSelectOrganization();
  const { mutateAsync: oauthTokenExchange } = useOauthTokenExchange();
  const [shouldShowMfa, toggleShowMfa] = useToggle(false);
+  const [requiredMfaMethod, setRequiredMfaMethod] = useState(MfaMethod.EMAIL);
  const [mfaSuccessCallback, setMfaSuccessCallback] = useState<() => void>(() => {});

  const { navigateToSelectOrganization } = useNavigateToSelectOrganization();
@@ -66,12 +68,15 @@ export const PasswordStep = ({ providerAuthToken, email, password, setPassword }
      // case: organization ID is present from the provider auth token -- select the org and use the new jwt token in the CLI, then navigate to the org
      if (organizationId) {
        const finishWithOrgWorkflow = async () => {
-          const { token, isMfaEnabled } = await selectOrganization({ organizationId });
+          const { token, isMfaEnabled, mfaMethod } = await selectOrganization({ organizationId });

          if (isMfaEnabled) {
            SecurityClient.setMfaToken(token);
-            toggleShowMfa.on();
            setMfaSuccessCallback(() => finishWithOrgWorkflow);
+            if (mfaMethod) {
+              setRequiredMfaMethod(mfaMethod);
+            }
+            toggleShowMfa.on();
            return;
          }

@@ -167,10 +172,15 @@ export const PasswordStep = ({ providerAuthToken, email, password, setPassword }
          // case: organization ID is present from the provider auth token -- select the org and use the new jwt token in the CLI, then navigate to the org
          if (organizationId) {
            const finishWithOrgWorkflow = async () => {
-              const { token, isMfaEnabled } = await selectOrganization({ organizationId });
+              const { token, isMfaEnabled, mfaMethod } = await selectOrganization({
+                organizationId
+              });

              if (isMfaEnabled) {
                SecurityClient.setMfaToken(token);
+                if (mfaMethod) {
+                  setRequiredMfaMethod(mfaMethod);
+                }
                toggleShowMfa.on();
                setMfaSuccessCallback(() => finishWithOrgWorkflow);
                return;
@@ -283,6 +293,7 @@ export const PasswordStep = ({ providerAuthToken, email, password, setPassword }
        <Mfa
          email={email}
          successCallback={mfaSuccessCallback}
+          method={requiredMfaMethod}
          closeMfa={() => toggleShowMfa.off()}
        />
      </div>
--- a/frontend/src/views/SecretMainPage/SecretMainPage.tsx
+++ b/frontend/src/views/SecretMainPage/SecretMainPage.tsx
@@ -552,7 +552,6 @@ const SecretMainPageContent = () => {
            </ModalContent>
          </Modal>
          <SecretDropzone
-            secrets={secrets}
            environment={environment}
            workspaceId={workspaceId}
            secretPath={secretPath}
--- a/frontend/src/views/SecretMainPage/components/SecretDropzone/CopySecretsFromBoard.tsx
+++ b/frontend/src/views/SecretMainPage/components/SecretDropzone/CopySecretsFromBoard.tsx
@@ -3,6 +3,7 @@ import { Controller, useForm } from "react-hook-form";
 import { subject } from "@casl/ability";
 import {
  faClone,
+  faFileImport,
  faKey,
  faSearch,
  faSquareCheck,
@@ -151,6 +152,7 @@ export const CopySecretsFromBoard = ({
          >
            {(isAllowed) => (
              <Button
+                leftIcon={<FontAwesomeIcon icon={faFileImport} />}
                onClick={() => onToggle(true)}
                isDisabled={!isAllowed}
                variant="star"
--- a/frontend/src/views/SecretMainPage/components/SecretDropzone/PasteSecretEnvModal.tsx
+++ b/frontend/src/views/SecretMainPage/components/SecretDropzone/PasteSecretEnvModal.tsx
@@ -0,0 +1,165 @@
+import { useForm } from "react-hook-form";
+import { subject } from "@casl/ability";
+import { faInfoCircle, faPaste } from "@fortawesome/free-solid-svg-icons";
+import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
+import { zodResolver } from "@hookform/resolvers/zod";
+import { z } from "zod";
+
+import { ProjectPermissionCan } from "@app/components/permissions";
+import { parseDotEnv, parseJson } from "@app/components/utilities/parseSecrets";
+import {
+  Button,
+  FormControl,
+  Modal,
+  ModalContent,
+  ModalTrigger,
+  TextArea
+} from "@app/components/v2";
+import { ProjectPermissionActions, ProjectPermissionSub } from "@app/context";
+
+type Props = {
+  isOpen?: boolean;
+  isSmaller?: boolean;
+  onToggle: (isOpen: boolean) => void;
+  onParsedEnv: (env: Record<string, { value: string; comments: string[] }>) => void;
+  environment: string;
+  secretPath: string;
+};
+
+const formSchema = z.object({
+  value: z.string().trim()
+});
+
+type TForm = z.infer<typeof formSchema>;
+
+const PasteEnvForm = ({ onParsedEnv }: Pick<Props, "onParsedEnv">) => {
+  const {
+    handleSubmit,
+    register,
+    formState: { isDirty, errors },
+    setError,
+    setFocus
+  } = useForm<TForm>({ defaultValues: { value: "" }, resolver: zodResolver(formSchema) });
+
+  const onSubmit = ({ value }: TForm) => {
+    let env: Record<string, { value: string; comments: string[] }>;
+    try {
+      env = parseJson(value);
+    } catch (e) {
+      // not json, parse as env
+      env = parseDotEnv(value);
+    }
+
+    if (!Object.keys(env).length) {
+      setError("value", {
+        message: "No secrets found. Please make sure the provided format is valid."
+      });
+      setFocus("value");
+      return;
+    }
+
+    onParsedEnv(env);
+  };
+
+  return (
+    <form onSubmit={handleSubmit(onSubmit)}>
+      <FormControl
+        label="Secret Values"
+        isError={Boolean(errors.value)}
+        errorText={errors.value?.message}
+        icon={<FontAwesomeIcon size="sm" className="text-mineshaft-400" icon={faInfoCircle} />}
+        tooltipClassName="max-w-lg px-2 whitespace-pre-line"
+        tooltipText={
+          <div className="flex flex-col gap-2">
+            <p>Example Formats:</p>
+            <pre className="rounded-md bg-mineshaft-900 p-3 text-xs">
+              {/* eslint-disable-next-line react/jsx-no-comment-textnodes */}
+              <p className="text-mineshaft-400">// .json</p>
+              {JSON.stringify(
+                {
+                  APP_NAME: "example-service",
+                  APP_VERSION: "1.2.3",
+                  NODE_ENV: "production"
+                },
+                null,
+                2
+              )}
+            </pre>
+            <pre className="rounded-md bg-mineshaft-900 p-3 text-xs">
+              <p className="text-mineshaft-400"># .env</p>
+              <p>APP_NAME=&quot;example-service&quot;</p>
+              <p>APP_VERSION=&quot;1.2.3&quot;</p>
+              <p>NODE_ENV=&quot;production&quot;</p>
+            </pre>
+            <pre className="rounded-md bg-mineshaft-900 p-3 text-xs">
+              <p className="text-mineshaft-400"># .yml</p>
+              <p>APP_NAME: example-service</p>
+              <p>APP_VERSION: 1.2.3</p>
+              <p>NODE_ENV: production</p>
+            </pre>
+          </div>
+        }
+      >
+        <TextArea
+          {...register("value")}
+          placeholder="Paste secrets in .json, .yml or .env format..."
+          className="h-[60vh] !resize-none"
+        />
+      </FormControl>
+      <Button isDisabled={!isDirty} type="submit">
+        Import Secrets
+      </Button>
+    </form>
+  );
+};
+
+export const PasteSecretEnvModal = ({
+  isSmaller,
+  isOpen,
+  onParsedEnv,
+  onToggle,
+  environment,
+  secretPath
+}: Props) => {
+  return (
+    <Modal isOpen={isOpen} onOpenChange={onToggle}>
+      <ModalTrigger asChild>
+        <div>
+          <ProjectPermissionCan
+            I={ProjectPermissionActions.Create}
+            a={subject(ProjectPermissionSub.Secrets, {
+              environment,
+              secretPath,
+              secretName: "*",
+              secretTags: ["*"]
+            })}
+          >
+            {(isAllowed) => (
+              <Button
+                leftIcon={<FontAwesomeIcon icon={faPaste} />}
+                onClick={() => onToggle(true)}
+                isDisabled={!isAllowed}
+                variant="star"
+                size={isSmaller ? "xs" : "sm"}
+              >
+                Paste Secrets
+              </Button>
+            )}
+          </ProjectPermissionCan>
+        </div>
+      </ModalTrigger>
+      <ModalContent
+        className="max-w-2xl"
+        title="Past Secret Values"
+        subTitle="Paste values in .env, .json or .yml format"
+      >
+        <PasteEnvForm
+          onParsedEnv={(value) => {
+            onToggle(false);
+            onParsedEnv(value);
+          }}
+        />
+      </ModalContent>
+    </Modal>
+  );
+};
--- a/frontend/src/views/SecretMainPage/components/SecretDropzone/SecretDropzone.tsx
+++ b/frontend/src/views/SecretMainPage/components/SecretDropzone/SecretDropzone.tsx
@@ -1,7 +1,7 @@
 import { ChangeEvent, DragEvent } from "react";
 import { useTranslation } from "react-i18next";
 import { subject } from "@casl/ability";
-import { faUpload } from "@fortawesome/free-solid-svg-icons";
+import { faPlus, faUpload } from "@fortawesome/free-solid-svg-icons";
 import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
 import { useQueryClient } from "@tanstack/react-query";
 import { twMerge } from "tailwind-merge";
@@ -9,30 +9,22 @@ import { twMerge } from "tailwind-merge";
 import { createNotification } from "@app/components/notifications";
 import { ProjectPermissionCan } from "@app/components/permissions";
 // TODO:(akhilmhdh) convert all the util functions like this into a lib folder grouped by functionality
-import { parseDotEnv } from "@app/components/utilities/parseDotEnv";
+import { parseDotEnv, parseJson } from "@app/components/utilities/parseSecrets";
 import { Button, Modal, ModalContent } from "@app/components/v2";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/context";
 import { usePopUp, useToggle } from "@app/hooks";
 import { useCreateSecretBatch, useUpdateSecretBatch } from "@app/hooks/api";
-import { dashboardKeys } from "@app/hooks/api/dashboard/queries";
+import {
+  dashboardKeys,
+  fetchDashboardProjectSecretsByKeys
+} from "@app/hooks/api/dashboard/queries";
 import { secretApprovalRequestKeys } from "@app/hooks/api/secretApprovalRequest/queries";
 import { secretKeys } from "@app/hooks/api/secrets/queries";
-import { SecretType, SecretV3RawSanitized } from "@app/hooks/api/types";
+import { SecretType } from "@app/hooks/api/types";

 import { PopUpNames, usePopUpAction } from "../../SecretMainPage.store";
 import { CopySecretsFromBoard } from "./CopySecretsFromBoard";
-
-const parseJson = (src: ArrayBuffer) => {
-  const file = src.toString();
-  const formatedData: Record<string, string> = JSON.parse(file);
-  const env: Record<string, { value: string; comments: string[] }> = {};
-  Object.keys(formatedData).forEach((key) => {
-    if (typeof formatedData[key] === "string") {
-      env[key] = { value: formatedData[key], comments: [] };
-    }
-  });
-  return env;
-};
+import { PasteSecretEnvModal } from "./PasteSecretEnvModal";

 type TParsedEnv = Record<string, { value: string; comments: string[] }>;
 type TSecOverwriteOpt = { update: TParsedEnv; create: TParsedEnv };
@@ -43,7 +35,6 @@ type Props = {
  workspaceId: string;
  environment: string;
  secretPath: string;
-  secrets?: SecretV3RawSanitized[];
  isProtectedBranch?: boolean;
 };

@@ -53,7 +44,6 @@ export const SecretDropzone = ({
  workspaceId,
  environment,
  secretPath,
-  secrets = [],
  isProtectedBranch = false
 }: Props): JSX.Element => {
  const { t } = useTranslation();
@@ -62,7 +52,8 @@ export const SecretDropzone = ({

  const { popUp, handlePopUpToggle, handlePopUpOpen, handlePopUpClose } = usePopUp([
    "importSecEnv",
-    "overlapKeyWarning"
+    "confirmUpload",
+    "pasteSecEnv"
  ] as const);
  const queryClient = useQueryClient();
  const { openPopUp } = usePopUpAction();
@@ -86,20 +77,10 @@ export const SecretDropzone = ({
    }
  };

-  const handleParsedEnv = (env: TParsedEnv) => {
-    const secretsGroupedByKey = secrets?.reduce<Record<string, boolean>>(
-      (prev, curr) => ({ ...prev, [curr.key]: true }),
-      {}
-    );
-    const overlappedSecrets = Object.keys(env)
-      .filter((secKey) => secretsGroupedByKey?.[secKey])
-      .reduce<TParsedEnv>((prev, curr) => ({ ...prev, [curr]: env[curr] }), {});
+  const handleParsedEnv = async (env: TParsedEnv) => {
+    const envSecretKeys = Object.keys(env);

-    const nonOverlappedSecrets = Object.keys(env)
-      .filter((secKey) => !secretsGroupedByKey?.[secKey])
-      .reduce<TParsedEnv>((prev, curr) => ({ ...prev, [curr]: env[curr] }), {});
-
-    if (!Object.keys(overlappedSecrets).length && !Object.keys(nonOverlappedSecrets).length) {
+    if (!envSecretKeys.length) {
      createNotification({
        type: "error",
        text: "Failed to find secrets"
@@ -107,10 +88,42 @@ export const SecretDropzone = ({
      return;
    }

-    handlePopUpOpen("overlapKeyWarning", {
-      update: overlappedSecrets,
-      create: nonOverlappedSecrets
-    });
+    try {
+      setIsLoading.on();
+      const { secrets: existingSecrets } = await fetchDashboardProjectSecretsByKeys({
+        secretPath,
+        environment,
+        projectId: workspaceId,
+        keys: envSecretKeys
+      });
+
+      const secretsGroupedByKey = existingSecrets.reduce<Record<string, boolean>>(
+        (prev, curr) => ({ ...prev, [curr.secretKey]: true }),
+        {}
+      );
+
+      const updateSecrets = Object.keys(env)
+        .filter((secKey) => secretsGroupedByKey[secKey])
+        .reduce<TParsedEnv>((prev, curr) => ({ ...prev, [curr]: env[curr] }), {});
+
+      const createSecrets = Object.keys(env)
+        .filter((secKey) => !secretsGroupedByKey[secKey])
+        .reduce<TParsedEnv>((prev, curr) => ({ ...prev, [curr]: env[curr] }), {});
+
+      handlePopUpOpen("confirmUpload", {
+        update: updateSecrets,
+        create: createSecrets
+      });
+    } catch (e) {
+      console.error(e);
+      createNotification({
+        text: "Failed to check for secret conflicts",
+        type: "error"
+      });
+      handlePopUpClose("confirmUpload");
+    } finally {
+      setIsLoading.off();
+    }
  };

  const parseFile = (file?: File, isJson?: boolean) => {
@@ -160,7 +173,7 @@ export const SecretDropzone = ({
  };

  const handleSaveSecrets = async () => {
-    const { update, create } = popUp?.overlapKeyWarning?.data as TSecOverwriteOpt;
+    const { update, create } = popUp?.confirmUpload?.data as TSecOverwriteOpt;
    try {
      if (Object.keys(create || {}).length) {
        await createSecretBatch({
@@ -195,7 +208,7 @@ export const SecretDropzone = ({
        dashboardKeys.getDashboardSecrets({ projectId: workspaceId, secretPath })
      );
      queryClient.invalidateQueries(secretApprovalRequestKeys.count({ workspaceId }));
-      handlePopUpClose("overlapKeyWarning");
+      handlePopUpClose("confirmUpload");
      createNotification({
        type: "success",
        text: isProtectedBranch
@@ -211,10 +224,16 @@ export const SecretDropzone = ({
    }
  };

-  const isUploadedDuplicateSecretsEmpty = !Object.keys(
-    (popUp.overlapKeyWarning?.data as TSecOverwriteOpt)?.update || {}
+  const createSecretCount = Object.keys(
+    (popUp.confirmUpload?.data as TSecOverwriteOpt)?.create || {}
  ).length;

+  const updateSecretCount = Object.keys(
+    (popUp.confirmUpload?.data as TSecOverwriteOpt)?.update || {}
+  ).length;
+
+  const isNonConflictingUpload = !updateSecretCount;
+
  return (
    <div>
      <div
@@ -278,7 +297,15 @@ export const SecretDropzone = ({
              <p className="mx-4 text-xs text-mineshaft-400">OR</p>
              <div className="w-1/5 border-t border-mineshaft-700" />
            </div>
-            <div className="flex items-center justify-center space-x-8">
+            <div className="flex flex-col items-center justify-center gap-4 lg:flex-row">
+              <PasteSecretEnvModal
+                isOpen={popUp.pasteSecEnv.isOpen}
+                onToggle={(isOpen) => handlePopUpToggle("pasteSecEnv", isOpen)}
+                onParsedEnv={handleParsedEnv}
+                environment={environment}
+                secretPath={secretPath}
+                isSmaller={isSmaller}
+              />
              <CopySecretsFromBoard
                isOpen={popUp.importSecEnv.isOpen}
                onToggle={(isOpen) => handlePopUpToggle("importSecEnv", isOpen)}
@@ -301,11 +328,12 @@ export const SecretDropzone = ({
                >
                  {(isAllowed) => (
                    <Button
+                      leftIcon={<FontAwesomeIcon icon={faPlus} />}
                      onClick={() => openPopUp(PopUpNames.CreateSecretForm)}
                      variant="star"
                      isDisabled={!isAllowed}
                    >
-                      Add a new secret
+                      Add a New Secret
                    </Button>
                  )}
                </ProjectPermissionCan>
@@ -315,25 +343,25 @@ export const SecretDropzone = ({
        )}
      </div>
      <Modal
-        isOpen={popUp?.overlapKeyWarning?.isOpen}
-        onOpenChange={(open) => handlePopUpToggle("overlapKeyWarning", open)}
+        isOpen={popUp?.confirmUpload?.isOpen}
+        onOpenChange={(open) => handlePopUpToggle("confirmUpload", open)}
      >
        <ModalContent
-          title={isUploadedDuplicateSecretsEmpty ? "Confirmation" : "Duplicate Secrets!!"}
+          title="Confirm Secret Upload"
          footerContent={[
            <Button
              isLoading={isSubmitting}
              isDisabled={isSubmitting}
-              colorSchema={isUploadedDuplicateSecretsEmpty ? "primary" : "danger"}
+              colorSchema={isNonConflictingUpload ? "primary" : "danger"}
              key="overwrite-btn"
              onClick={handleSaveSecrets}
            >
-              {isUploadedDuplicateSecretsEmpty ? "Upload" : "Overwrite"}
+              {isNonConflictingUpload ? "Upload" : "Overwrite"}
            </Button>,
            <Button
              key="keep-old-btn"
-              className="mr-4"
-              onClick={() => handlePopUpClose("overlapKeyWarning")}
+              className="ml-4"
+              onClick={() => handlePopUpClose("confirmUpload")}
              variant="outline_bg"
              isDisabled={isSubmitting}
            >
@@ -341,17 +369,27 @@ export const SecretDropzone = ({
            </Button>
          ]}
        >
-          {isUploadedDuplicateSecretsEmpty ? (
-            <div>Upload secrets from this file</div>
+          {isNonConflictingUpload ? (
+            <div>
+              Are you sure you want to import {createSecretCount} secret
+              {createSecretCount > 1 ? "s" : ""} to this environment?
+            </div>
          ) : (
-            <div className="flex flex-col space-y-2 text-gray-300">
-              <div>Your file contains following duplicate secrets</div>
-              <div className="text-sm text-gray-400">
-                {Object.keys((popUp?.overlapKeyWarning?.data as TSecOverwriteOpt)?.update || {})
+            <div className="flex flex-col text-gray-300">
+              <div>Your project already contains the following {updateSecretCount} secrets:</div>
+              <div className="mt-2 text-sm text-gray-400">
+                {Object.keys((popUp?.confirmUpload?.data as TSecOverwriteOpt)?.update || {})
                  ?.map((key) => key)
                  .join(", ")}
              </div>
-              <div>Are you sure you want to overwrite these secrets and create other ones?</div>
+              <div className="mt-6">
+                Are you sure you want to overwrite these secrets
+                {createSecretCount > 0
+                  ? ` and import ${createSecretCount} new
+                one${createSecretCount > 1 ? "s" : ""}`
+                  : ""}
+                ?
+              </div>
            </div>
          )}
        </ModalContent>
--- a/frontend/src/views/Settings/OrgSettingsPage/components/OrgAuthTab/OrgGenericAuthSection.tsx
+++ b/frontend/src/views/Settings/OrgSettingsPage/components/OrgAuthTab/OrgGenericAuthSection.tsx
@@ -1,6 +1,6 @@
 import { createNotification } from "@app/components/notifications";
 import { OrgPermissionCan } from "@app/components/permissions";
-import { Switch, UpgradePlanModal } from "@app/components/v2";
+import { FormControl, Select, SelectItem, Switch, UpgradePlanModal } from "@app/components/v2";
 import {
  OrgPermissionActions,
  OrgPermissionSubjects,
@@ -8,6 +8,7 @@ import {
  useSubscription
 } from "@app/context";
 import { useUpdateOrg } from "@app/hooks/api";
+import { MfaMethod } from "@app/hooks/api/auth/types";
 import { usePopUp } from "@app/hooks/usePopUp";

 export const OrgGenericAuthSection = () => {
@@ -43,6 +44,32 @@ export const OrgGenericAuthSection = () => {
    }
  };

+  const handleUpdateSelectedMfa = async (selectedMfaMethod: MfaMethod) => {
+    try {
+      if (!currentOrg?.id) return;
+      if (!subscription?.enforceMfa) {
+        handlePopUpOpen("upgradePlan");
+        return;
+      }
+
+      await mutateAsync({
+        orgId: currentOrg?.id,
+        selectedMfaMethod
+      });
+
+      createNotification({
+        text: "Successfully updated selected MFA method",
+        type: "success"
+      });
+    } catch (err) {
+      console.error(err);
+      createNotification({
+        text: (err as { response: { data: { message: string } } }).response.data.message,
+        type: "error"
+      });
+    }
+  };
+
  return (
    <div className="mb-4 rounded-lg border border-mineshaft-600 bg-mineshaft-900 p-6">
      <div className="py-4">
@@ -62,6 +89,22 @@ export const OrgGenericAuthSection = () => {
        <p className="text-sm text-mineshaft-300">
          Enforce members to authenticate with MFA in order to access the organization
        </p>
+        {currentOrg?.enforceMfa && (
+          <FormControl label="Selected 2FA method" className="mt-3">
+            <Select
+              className="min-w-[20rem] border border-mineshaft-500"
+              onValueChange={handleUpdateSelectedMfa}
+              defaultValue={currentOrg.selectedMfaMethod ?? MfaMethod.EMAIL}
+            >
+              <SelectItem value={MfaMethod.EMAIL} key="mfa-method-email">
+                Email
+              </SelectItem>
+              <SelectItem value={MfaMethod.TOTP} key="mfa-method-totp">
+                Mobile Authenticator
+              </SelectItem>
+            </Select>
+          </FormControl>
+        )}
      </div>
      <UpgradePlanModal
        isOpen={popUp.upgradePlan.isOpen}
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Daniel Hougaard	6685f8aa0a	fix(identity): remove access tokens when auth method is removed	2024-11-19 22:24:17 +04:00
Maidul Islam	54f3f94185	Merge pull request #2741 from phamleduy04/sort-repo-github-intergration-app Add sort to Github integration dropdown box	2024-11-19 11:46:43 -05:00
Scott Wilson	907537f7c0	Merge pull request #2755 from Infisical/empty-secret-value-fixes Fix: Handle Empty Secret Values in Update, Bulk Create and Bulk Update Secret(s)	2024-11-19 08:45:38 -08:00
Scott Wilson	61263b9384	fix: unhandle empty value in bulk create/insert secrets	2024-11-19 08:30:58 -08:00
Scott Wilson	b6d8be2105	fix: handle empty string to allow clearing secret on update	2024-11-19 08:16:30 -08:00
Maidul Islam	61d516ef35	Merge pull request #2754 from Infisical/daniel/azure-auth-better-error	2024-11-19 09:00:23 -05:00
Daniel Hougaard	31fc64fb4c	Update identity-azure-auth-service.ts	2024-11-19 17:54:31 +04:00
Maidul Islam	8bf7e4c4d1	Merge pull request #2743 from akhilmhdh/fix/auth-method-migration fix: migration in loop due to cornercase	2024-11-18 16:01:04 -05:00
=	2027d4b44e	feat: moved auth method deletion to top	2024-11-19 02:17:25 +05:30
Maidul Islam	d401c9074e	Merge pull request #2715 from Infisical/misc/finalize-org-migration-script misc: finalize org migration script	2024-11-18 14:15:20 -05:00
Sheen	afe35dbbb5	Merge pull request #2747 from Infisical/misc/finalized-design-of-totp-registration misc: finalized design of totp registration	2024-11-19 02:13:54 +08:00
Maidul Islam	6ff1602fd5	Merge pull request #2708 from Infisical/misc/oidc-setup-extra-handling misc: added OIDC error and edge-case handling	2024-11-18 10:56:09 -05:00
Maidul Islam	6603364749	Merge pull request #2750 from Infisical/daniel/migrate-unlock-command fix: add migration unlock command	2024-11-18 10:28:43 -05:00
Daniel Hougaard	53bea22b85	fix: added unlock command	2024-11-18 19:22:43 +04:00
Sheen	d521ee7b7e	Merge pull request #2748 from Infisical/misc/address-role-slugs-issue-invite-user-endpoint misc: address role slug issue in invite user endpoint	2024-11-18 21:58:31 +08:00
Sheen Capadngan	827931e416	misc: addressed comment	2024-11-18 21:52:36 +08:00
Sheen Capadngan	faa83344a7	misc: address role slug issue in invite user endpoint	2024-11-18 21:43:06 +08:00
Sheen Capadngan	089a7e880b	misc: added message for bypass	2024-11-18 17:29:01 +08:00
Sheen Capadngan	64ec741f1a	misc: updated documentation totp ui	2024-11-18 17:24:03 +08:00
Sheen Capadngan	c98233ddaf	misc: finalized design of totp registration	2024-11-18 17:14:21 +08:00
Maidul Islam	ae17981c41	Merge pull request #2746 from Infisical/vmatsiiako-changelog-patch-1 added handbook updates	2024-11-17 23:44:49 -05:00
Vladyslav Matsiiako	6c49c7da3c	added handbook updates	2024-11-17 23:43:57 -05:00
Vlad Matsiiako	2de04b6fe5	Merge pull request #2745 from Infisical/vmatsiiako-docs-patch-1-1 Fix typo in docs	2024-11-17 23:01:15 -05:00
Vlad Matsiiako	5c9ec1e4be	Fix typo in docs	2024-11-17 09:55:32 -05:00
Sheen	ba89491d4c	Merge pull request #2731 from Infisical/feat/totp-authenticator feat: TOTP authenticator	2024-11-16 11:58:39 +08:00
Maidul Islam	483e596a7a	Merge pull request #2744 from Infisical/daniel/npm-cli-windows-fix fix: NPM-based CLI windows symlink	2024-11-15 15:37:32 -07:00
Daniel Hougaard	65f122bd41	Update index.cjs	2024-11-16 01:37:43 +04:00
Sheen Capadngan	682b552fdc	misc: addressed remaining comments	2024-11-16 03:15:39 +08:00
=	d4cfd0b6ed	fix: migration in loop due to cornercase	2024-11-16 00:37:57 +05:30
Duy Pham Le	e8f09d2c7b	fix(ui): add sort to github integration dropdown box	2024-11-15 10:26:38 -06:00
Sheen Capadngan	774371a218	misc: added mention of authenticator in the docs	2024-11-16 00:10:56 +08:00
Sheen Capadngan	c4b54de303	misc: migrated to switch component	2024-11-15 23:49:20 +08:00
Sheen Capadngan	433971a72d	misc: addressed comments 1	2024-11-15 23:25:32 +08:00
Maidul Islam	4acf9413f0	Merge pull request #2737 from Infisical/backfill-identity-metadata Fix: Handle Missing User/Identity Metadata Keys in Permissions Check	2024-11-15 01:34:45 -07:00
Maidul Islam	f0549cab98	Merge pull request #2739 from Infisical/fix-ca-alert-migrations only create triggers when create new table	2024-11-15 00:56:39 -07:00
Maidul Islam	d75e49dce5	update trigegr to only create if it doesn't exit	2024-11-15 00:52:08 -07:00
Maidul Islam	8819abd710	only create triggers when create new table	2024-11-15 00:42:30 -07:00
Maidul Islam	796f76da46	Merge pull request #2738 from Infisical/fix-cert-migration Fix ca version migration	2024-11-14 23:20:09 -07:00
Maidul Islam	d6e1ed4d1e	revert docker compose changes	2024-11-14 23:10:54 -07:00
Maidul Islam	1295b68d80	Fix ca version migration We didn't do a check to see if the column already exists. Because of this, we get this error during migrations: ``` \| migration file "20240802181855_ca-cert-version.ts" failed infisical-db-migration \| migration failed with error: alter table "certificates" add column "caCertId" uuid null - column "caCertId" of relation "certificates" already exists ```	2024-11-14 23:07:30 -07:00
Scott Wilson	c79f84c064	fix: use proxy on metadata permissions check to handle missing keys	2024-11-14 11:36:07 -08:00
BlackMagiq	d0c50960ef	Merge pull request #2735 from Infisical/doc/add-gitlab-oidc-auth-documentation doc: add docs for gitlab oidc auth	2024-11-14 10:44:01 -07:00
Sheen	85089a08e1	Merge pull request #2736 from Infisical/misc/update-login-self-hosting-label misc: updated login self-hosting label to include dedicated	2024-11-15 01:41:45 +08:00
Sheen Capadngan	4053078d95	misc: updated login self-hosting label for dedicated	2024-11-15 01:36:33 +08:00
Sheen Capadngan	6bae3628c0	misc: readded saml email error	2024-11-14 19:37:13 +08:00
Sheen Capadngan	4cb935dae7	misc: addressed signupinvite issue	2024-11-14 19:10:21 +08:00
Maidul Islam	ccad684ab2	Merge pull request #2734 from Infisical/docs-for-linux-ha linux HA reference architecture	2024-11-14 02:04:13 -07:00
Maidul Islam	fd77708cad	add docs for linux ha	2024-11-14 02:02:23 -07:00
Maidul Islam	9aebd712d1	Merge pull request #2732 from Infisical/daniel/npm-cli-fixes fix: cli npm release windows and symlink bugs	2024-11-13 20:58:22 -07:00
Daniel Hougaard	05f07b25ac	fix: cli npm release windows and symlink bugs	2024-11-14 06:13:14 +04:00
Sheen Capadngan	5b0dbf04b2	misc: minor ui	2024-11-14 03:22:02 +08:00
Sheen Capadngan	b050db84ab	feat: added totp support for cli	2024-11-14 02:27:33 +08:00
Sheen Capadngan	8fef6911f1	misc: addressed lint	2024-11-14 01:25:23 +08:00
Sheen Capadngan	44ba31a743	misc: added org mfa settings update and other fixes	2024-11-14 01:16:15 +08:00
Sheen Capadngan	6bdbac4750	feat: initial implementation for totp authenticator	2024-11-14 00:07:35 +08:00
Scott Wilson	60fb195706	Merge pull request #2726 from Infisical/scott/paste-secrets Feat: Paste Secrets for Upload	2024-11-12 17:57:13 -08:00
Scott Wilson	c8109b4e84	improvement: add example paste value formats	2024-11-12 16:46:35 -08:00
Scott Wilson	1f2b0443cc	improvement: address requested changes	2024-11-12 16:11:47 -08:00
Daniel Hougaard	dd1cabf9f6	Merge pull request #2727 from Infisical/daniel/fix-npm-cli-symlink fix: npm cli symlink	2024-11-12 22:47:01 +04:00
Daniel Hougaard	8b781b925a	fix: npm cli symlink	2024-11-12 22:45:37 +04:00
Scott Wilson	ddcf5b576b	improvement: improve field error message	2024-11-12 10:25:23 -08:00
Scott Wilson	7138b392f2	Feature: add ability to paste .env, .yml or .json secrets for upload and also fix upload when keys conflict but are not on current page	2024-11-12 10:21:07 -08:00
Daniel Hougaard	bfce1021fb	Merge pull request #1076 from G3root/infisical-npm feat: infisical cli for npm	2024-11-12 21:48:47 +04:00
Daniel Hougaard	93c0313b28	docs: added NPM install option	2024-11-12 21:48:04 +04:00
Daniel Hougaard	8cfc217519	Update README.md	2024-11-12 21:38:34 +04:00
Akhil Mohan	d272c6217a	Merge pull request #2722 from Infisical/scott/secret-refrence-fixes Fix: Secret Reference Multiple References and Special Character Stripping	2024-11-12 22:49:18 +05:30
Daniel Hougaard	2fe2ddd9fc	Update package.json	2024-11-12 21:17:53 +04:00
Daniel Hougaard	e330ddd5ee	fix: remove dry run	2024-11-12 20:56:18 +04:00
Daniel Hougaard	7aba9c1a50	Update index.cjs	2024-11-12 20:54:55 +04:00
Daniel Hougaard	4cd8e0fa67	fix: workflow fixes	2024-11-12 20:47:10 +04:00
Daniel Hougaard	ea3d164ead	Update release_build_infisical_cli.yml	2024-11-12 20:40:45 +04:00
Daniel Hougaard	df468e4865	Update release_build_infisical_cli.yml	2024-11-12 20:39:16 +04:00
Daniel Hougaard	66e96018c4	Update release_build_infisical_cli.yml	2024-11-12 20:37:28 +04:00
Daniel Hougaard	3b02eedca6	feat: npm CLI	2024-11-12 20:36:09 +04:00
nafees nazik	a55fe2b788	chore: add git ignore	2024-11-12 17:40:46 +04:00
nafees nazik	5d7a267f1d	chore: add package.json	2024-11-12 17:40:37 +04:00
nafees nazik	b16ab6f763	feat: add script	2024-11-12 17:40:37 +04:00
Scott Wilson	334a728259	chore: remove console log	2024-11-11 14:06:12 -08:00
Scott Wilson	4a3143e689	fix: correct unique secret check to account for env and path	2024-11-11 14:04:36 -08:00
Scott Wilson	14810de054	fix: correct secret reference value replacement to support special characters	2024-11-11 13:46:39 -08:00
Scott Wilson	8cfcbaa12c	fix: correct secret reference validation check to permit referencing the same secret multiple times and improve error message	2024-11-11 13:17:25 -08:00
Sheen Capadngan	ada63b9e7d	misc: finalize org migration script	2024-11-10 11:49:25 +08:00
Sheen Capadngan	3f6a0c77f1	misc: finalized user messages	2024-11-09 01:51:11 +08:00
Sheen Capadngan	9e4b66e215	misc: made users automatically verified	2024-11-09 00:38:45 +08:00
Sheen Capadngan	8a14914bc3	misc: added more error handling	2024-11-08 21:43:25 +08:00