diff --git a/core/core-frontend/src/assets/authenticator_android.png b/core/core-frontend/src/assets/authenticator_android.png
new file mode 100644
index 0000000000..9387e83ee2
Binary files /dev/null and b/core/core-frontend/src/assets/authenticator_android.png differ
diff --git a/core/core-frontend/src/assets/authenticator_iphone.png b/core/core-frontend/src/assets/authenticator_iphone.png
new file mode 100644
index 0000000000..57f9e69104
Binary files /dev/null and b/core/core-frontend/src/assets/authenticator_iphone.png differ
diff --git a/de-xpack b/de-xpack
index d3b0867dda..cac37fbedd 160000
--- a/de-xpack
+++ b/de-xpack
@@ -1 +1 @@
-Subproject commit d3b0867dda8112d038fc4aec5845391ffc2202eb
+Subproject commit cac37fbedde6e095a2c0b52326336a969e102b24
diff --git a/sdk/api/api-permissions/src/main/java/io/dataease/api/permissions/login/api/LoginApi.java b/sdk/api/api-permissions/src/main/java/io/dataease/api/permissions/login/api/LoginApi.java
index f1e99050f7..820add62e8 100644
--- a/sdk/api/api-permissions/src/main/java/io/dataease/api/permissions/login/api/LoginApi.java
+++ b/sdk/api/api-permissions/src/main/java/io/dataease/api/permissions/login/api/LoginApi.java
@@ -3,7 +3,9 @@ package io.dataease.api.permissions.login.api;
 
 import com.github.xiaoymin.knife4j.annotations.ApiOperationSupport;
 import com.github.xiaoymin.knife4j.annotations.ApiSupport;
+import io.dataease.api.permissions.login.dto.MfaLoginDTO;
 import io.dataease.api.permissions.login.dto.PwdLoginDTO;
+import io.dataease.api.permissions.login.vo.MfaQrVO;
 import io.dataease.auth.vo.TokenVO;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.tags.Tag;
@@ -45,4 +47,10 @@ public interface LoginApi {
     @GetMapping("/logout")
     void logout();
 
+    @PostMapping("/mfa/qr/{id}")
+    MfaQrVO mfaQr(@PathVariable("id") Long id);
+
+    @PostMapping("/mfa/login")
+    TokenVO mfaLogin(@RequestBody MfaLoginDTO dto);
+
 }
diff --git a/sdk/api/api-permissions/src/main/java/io/dataease/api/permissions/login/dto/MfaLoginDTO.java b/sdk/api/api-permissions/src/main/java/io/dataease/api/permissions/login/dto/MfaLoginDTO.java
new file mode 100644
index 0000000000..e636a75571
--- /dev/null
+++ b/sdk/api/api-permissions/src/main/java/io/dataease/api/permissions/login/dto/MfaLoginDTO.java
@@ -0,0 +1,18 @@
+package io.dataease.api.permissions.login.dto;
+
+import lombok.Data;
+
+import java.io.Serial;
+import java.io.Serializable;
+
+@Data
+public class MfaLoginDTO implements Serializable {
+    @Serial
+    private static final long serialVersionUID = -8218773323394184937L;
+
+    private Long id;
+
+    private String code;
+
+    private String key;
+}
diff --git a/sdk/api/api-permissions/src/main/java/io/dataease/api/permissions/login/vo/MfaQrVO.java b/sdk/api/api-permissions/src/main/java/io/dataease/api/permissions/login/vo/MfaQrVO.java
new file mode 100644
index 0000000000..17733ea28a
--- /dev/null
+++ b/sdk/api/api-permissions/src/main/java/io/dataease/api/permissions/login/vo/MfaQrVO.java
@@ -0,0 +1,16 @@
+package io.dataease.api.permissions.login.vo;
+
+import lombok.Data;
+
+import java.io.Serial;
+import java.io.Serializable;
+
+@Data
+public class MfaQrVO implements Serializable {
+    @Serial
+    private static final long serialVersionUID = -3465640829593927730L;
+
+    private String img;
+
+    private String key;
+}
diff --git a/sdk/common/src/main/java/io/dataease/auth/vo/MfaItem.java b/sdk/common/src/main/java/io/dataease/auth/vo/MfaItem.java
index 80a1122bcb..b89687715e 100644
--- a/sdk/common/src/main/java/io/dataease/auth/vo/MfaItem.java
+++ b/sdk/common/src/main/java/io/dataease/auth/vo/MfaItem.java
@@ -1,5 +1,7 @@
 package io.dataease.auth.vo;
 
+import com.fasterxml.jackson.databind.annotation.JsonSerialize;
+import com.fasterxml.jackson.databind.ser.std.ToStringSerializer;
 import lombok.Data;
 
 import java.io.Serial;
@@ -13,4 +15,7 @@ public class MfaItem implements Serializable {
     private boolean enabled;
 
     private boolean ready;
+
+    @JsonSerialize(using= ToStringSerializer.class)
+    private Long uid;
 }
diff --git a/sdk/common/src/main/java/io/dataease/utils/WhitelistUtils.java b/sdk/common/src/main/java/io/dataease/utils/WhitelistUtils.java
index 2dd9125645..e7ed3196dd 100644
--- a/sdk/common/src/main/java/io/dataease/utils/WhitelistUtils.java
+++ b/sdk/common/src/main/java/io/dataease/utils/WhitelistUtils.java
@@ -78,6 +78,8 @@ public class WhitelistUtils {
                 || StringUtils.startsWithAny(requestURI, "/websocket")
                 || StringUtils.startsWithAny(requestURI, "/map/")
                 || StringUtils.startsWithAny(requestURI, "/oauth2/")
+                || StringUtils.startsWithAny(requestURI, "/mfa/qr/")
+                || StringUtils.startsWithAny(requestURI, "/mfa/login")
                 || StringUtils.startsWithAny(requestURI, "/typeface/download")
                 || StringUtils.startsWithAny(requestURI, "/typeface/defaultFont")
                 || StringUtils.startsWithAny(requestURI, "/typeface/listFont")