diff --git a/admin/accounthttp.go b/admin/accounthttp.go
index fc4fed1..b5deca2 100644
--- a/admin/accounthttp.go
+++ b/admin/accounthttp.go
@@ -3,6 +3,7 @@ package admin
 import (
 	"fmt"
 	"net/http"
+	"net/url"
 	"os"
 	"time"
 
@@ -15,6 +16,10 @@ import (
 func accountHandler(app *model.AppState) http.Handler {
     mux := http.NewServeMux()
 
+    mux.Handle("/totp-setup", totpSetupHandler(app))
+    mux.Handle("/totp-confirm", totpConfirmHandler(app))
+    mux.Handle("/totp-delete/", http.StripPrefix("/totp-delete", totpDeleteHandler(app)))
+
     mux.Handle("/password", changePasswordHandler(app))
     mux.Handle("/delete", deleteAccountHandler(app))
 
@@ -169,3 +174,178 @@ func deleteAccountHandler(app *model.AppState) http.Handler {
         http.Redirect(w, r, "/admin/login", http.StatusFound)
     })
 }
+
+func totpSetupHandler(app *model.AppState) http.Handler {
+    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+        if r.Method == http.MethodGet {
+            type totpSetupData struct {
+                Session *model.Session
+            }
+
+            session := r.Context().Value("session").(*model.Session)
+
+            err := pages["totp-setup"].Execute(w, totpSetupData{ Session: session })
+            if err != nil {
+                fmt.Printf("WARN: Failed to render TOTP setup page: %s\n", err)
+                http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+            }
+            return
+        }
+
+        if r.Method != http.MethodPost {
+            http.NotFound(w, r)
+            return
+        }
+
+        type totpSetupData struct {
+            Session *model.Session
+            TOTP *model.TOTP
+            NameEscaped string
+        }
+
+        err := r.ParseForm()
+        if err != nil {
+            http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+            return
+        }
+
+        name := r.FormValue("totp-name")
+        if len(name) == 0 {
+            http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+            return
+        }
+
+        session := r.Context().Value("session").(*model.Session)
+
+        secret := controller.GenerateTOTPSecret(controller.TOTP_SECRET_LENGTH)
+        totp := model.TOTP {
+            AccountID: session.Account.ID,
+            Name: name,
+            Secret: string(secret),
+        }
+        err = controller.CreateTOTP(app.DB, &totp)
+        if err != nil {
+            fmt.Printf("WARN: Failed to create TOTP method: %s\n", err)
+            controller.SetSessionError(app.DB, session, "Something went wrong. Please try again.")
+            err := pages["totp-setup"].Execute(w, totpSetupData{ Session: session })
+            if err != nil {
+                fmt.Printf("WARN: Failed to render TOTP setup page: %s\n", err)
+                http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+            }
+            return
+        }
+
+        err = pages["totp-confirm"].Execute(w, totpSetupData{
+            Session: session,
+            TOTP: &totp,
+            NameEscaped: url.PathEscape(totp.Name),
+        })
+        if err != nil {
+            fmt.Printf("WARN: Failed to render TOTP confirm page: %s\n", err)
+            http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+        }
+    })
+}
+
+func totpConfirmHandler(app *model.AppState) http.Handler {
+    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+        if r.Method != http.MethodPost {
+            http.NotFound(w, r)
+            return
+        }
+
+        type totpConfirmData struct {
+            Session *model.Session
+            TOTP *model.TOTP
+        }
+
+        session := r.Context().Value("session").(*model.Session)
+
+        err := r.ParseForm()
+        if err != nil {
+            http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+            return
+        }
+        name := r.FormValue("totp-name")
+        if len(name) == 0 {
+            http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+            return
+        }
+        code := r.FormValue("totp")
+        if len(code) != controller.TOTP_CODE_LENGTH {
+            http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+            return
+        }
+
+        totp, err := controller.GetTOTP(app.DB, session.Account.ID, name)
+        if err != nil {
+            fmt.Printf("WARN: Failed to fetch TOTP method: %s\n", err)
+            controller.SetSessionError(app.DB, session, "Something went wrong. Please try again.")
+            http.Redirect(w, r, "/admin/account", http.StatusFound)
+            return
+        }
+        if totp == nil {
+            http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+            return
+        }
+
+        confirmCode := controller.GenerateTOTP(totp.Secret, 0)
+        if code != confirmCode {
+            confirmCodeOffset := controller.GenerateTOTP(totp.Secret, 1)
+            if code != confirmCodeOffset {
+                controller.SetSessionError(app.DB, session, "Incorrect TOTP code. Please try again.")
+                err = pages["totp-confirm"].Execute(w, totpConfirmData{
+                    Session: session,
+                    TOTP: totp,
+                })
+                return
+            }
+        }
+
+        controller.SetSessionError(app.DB, session, "")
+        controller.SetSessionMessage(app.DB, session, fmt.Sprintf("TOTP method \"%s\" created successfully.", totp.Name))
+        http.Redirect(w, r, "/admin/account", http.StatusFound)
+    })
+}
+
+func totpDeleteHandler(app *model.AppState) http.Handler {
+    return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+        if r.Method != http.MethodGet {
+            http.NotFound(w, r)
+            return
+        }
+
+        name := r.URL.Path
+        fmt.Printf("%s\n", name);
+        if len(name) == 0 {
+            http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+            return
+        }
+
+        session := r.Context().Value("session").(*model.Session)
+
+        totp, err := controller.GetTOTP(app.DB, session.Account.ID, name)
+        if err != nil {
+            fmt.Printf("WARN: Failed to fetch TOTP method: %s\n", err)
+            controller.SetSessionError(app.DB, session, "Something went wrong. Please try again.")
+            http.Redirect(w, r, "/admin/account", http.StatusFound)
+            return
+        }
+        if totp == nil {
+            http.NotFound(w, r)
+            return
+        }
+
+        err = controller.DeleteTOTP(app.DB, session.Account.ID, totp.Name)
+        if err != nil {
+            fmt.Printf("WARN: Failed to delete TOTP method: %s\n", err)
+            controller.SetSessionError(app.DB, session, "Something went wrong. Please try again.")
+            http.Redirect(w, r, "/admin/account", http.StatusFound)
+            return
+        }
+
+        controller.SetSessionError(app.DB, session, "")
+        controller.SetSessionMessage(app.DB, session, fmt.Sprintf("TOTP method \"%s\" deleted successfully.", totp.Name))
+        http.Redirect(w, r, "/admin/account", http.StatusFound)
+    })
+}
diff --git a/admin/http.go b/admin/http.go
index 5fcce01..7dd5207 100644
--- a/admin/http.go
+++ b/admin/http.go
@@ -93,8 +93,6 @@ func AdminIndexHandler(app *model.AppState) http.Handler {
 func registerAccountHandler(app *model.AppState) http.Handler {
     return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
         session := r.Context().Value("session").(*model.Session)
-        controller.SetSessionError(app.DB, session, "")
-        controller.SetSessionMessage(app.DB, session, "")
 
         if session.Account != nil {
             // user is already logged in
@@ -126,8 +124,7 @@ func registerAccountHandler(app *model.AppState) http.Handler {
 
         err := r.ParseForm()
         if err != nil {
-            controller.SetSessionError(app.DB, session, "Malformed data.")
-            render()
+            http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
             return
         }
 
@@ -201,6 +198,8 @@ func registerAccountHandler(app *model.AppState) http.Handler {
 
         // registration success!
         controller.SetSessionAccount(app.DB, session, &account)
+        controller.SetSessionMessage(app.DB, session, "")
+        controller.SetSessionError(app.DB, session, "")
         http.Redirect(w, r, "/admin", http.StatusFound)
     })
 }
@@ -240,8 +239,7 @@ func loginHandler(app *model.AppState) http.Handler {
 
         err := r.ParseForm()
         if err != nil {
-            controller.SetSessionError(app.DB, session, "Malformed data.")
-            render()
+            http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
             return
         }
 
@@ -309,6 +307,8 @@ func loginHandler(app *model.AppState) http.Handler {
 
         // login success!
         controller.SetSessionAccount(app.DB, session, account)
+        controller.SetSessionMessage(app.DB, session, "")
+        controller.SetSessionError(app.DB, session, "")
         http.Redirect(w, r, "/admin", http.StatusFound)
     })
 }
diff --git a/admin/static/admin.css b/admin/static/admin.css
index 45d67a4..cbb827e 100644
--- a/admin/static/admin.css
+++ b/admin/static/admin.css
@@ -146,7 +146,7 @@ a img.icon {
 
 
 
-a.delete {
+a.delete:not(.button) {
     color: #d22828;
 }
 
@@ -197,3 +197,30 @@ button:active, .button:active {
     opacity: .5;
     cursor: not-allowed !important;
 }
+
+
+
+form {
+    width: 100%;
+    display: block;
+}
+label {
+    width: 100%;
+    margin: 1rem 0 .5rem 0;
+    display: block;
+    color: #10101080;
+}
+input {
+    margin: .5rem 0;
+    padding: .3rem .5rem;
+    display: block;
+    border-radius: 4px;
+    border: 1px solid #808080;
+    font-size: inherit;
+    font-family: inherit;
+    color: inherit;
+}
+input[disabled] {
+    opacity: .5;
+    cursor: not-allowed;
+}
diff --git a/admin/static/edit-account.css b/admin/static/edit-account.css
index 52fb756..37351b2 100644
--- a/admin/static/edit-account.css
+++ b/admin/static/edit-account.css
@@ -4,10 +4,6 @@ div.card {
     margin-bottom: 2rem;
 }
 
-form button {
-    margin-top: 1rem;
-}
-
 label {
     width: 100%;
     margin: 1rem 0 .5rem 0;
diff --git a/admin/templates.go b/admin/templates.go
index 1021832..3bae106 100644
--- a/admin/templates.go
+++ b/admin/templates.go
@@ -33,6 +33,16 @@ var pages = map[string]*template.Template{
         filepath.Join("views", "prideflag.html"),
         filepath.Join("admin", "views", "edit-account.html"),
     )),
+    "totp-setup": template.Must(template.ParseFiles(
+        filepath.Join("admin", "views", "layout.html"),
+        filepath.Join("views", "prideflag.html"),
+        filepath.Join("admin", "views", "totp-setup.html"),
+    )),
+    "totp-confirm": template.Must(template.ParseFiles(
+        filepath.Join("admin", "views", "layout.html"),
+        filepath.Join("views", "prideflag.html"),
+        filepath.Join("admin", "views", "totp-confirm.html"),
+    )),
 
     "release": template.Must(template.ParseFiles(
         filepath.Join("admin", "views", "layout.html"),
diff --git a/admin/views/edit-account.html b/admin/views/edit-account.html
index 18a6dca..b1d083a 100644
--- a/admin/views/edit-account.html
+++ b/admin/views/edit-account.html
@@ -44,7 +44,7 @@
                 <p class="mfa-device-date">Added: {{.CreatedAt}}</p>
             </div>
             <div>
-                <a class="delete">Delete</a>
+                <a class="button delete" href="/admin/account/totp-delete/{{.Name}}">Delete</a>
             </div>
         </div>
         {{end}}
diff --git a/admin/views/login.html b/admin/views/login.html
index e8581e8..b77af83 100644
--- a/admin/views/login.html
+++ b/admin/views/login.html
@@ -11,7 +11,7 @@ a.discord {
     color: #5865F2;
 }
 
-form {
+form#login {
     width: 100%;
     display: flex;
     flex-direction: column;
@@ -26,26 +26,8 @@ form button {
     margin-top: 1rem;
 }
 
-label {
-    width: 100%;
-    margin: 1rem 0 .5rem 0;
-    display: block;
-    color: #10101080;
-}
 input {
     width: 100%;
-    margin: .5rem 0;
-    padding: .3rem .5rem;
-    display: block;
-    border-radius: 4px;
-    border: 1px solid #808080;
-    font-size: inherit;
-    font-family: inherit;
-    color: inherit;
-}
-input[disabled] {
-    opacity: .5;
-    cursor: not-allowed;
 }
 </style>
 {{end}}
diff --git a/admin/views/register.html b/admin/views/register.html
index 8899fd9..94170c9 100644
--- a/admin/views/register.html
+++ b/admin/views/register.html
@@ -11,7 +11,7 @@ a.discord {
     color: #5865F2;
 }
 
-form {
+form#register {
     width: 100%;
     display: flex;
     flex-direction: column;
@@ -26,22 +26,8 @@ form button {
     margin-top: 1rem;
 }
 
-label {
-    width: 100%;
-    margin: 1rem 0 .5rem 0;
-    display: block;
-    color: #10101080;
-}
 input {
     width: 100%;
-    margin: .5rem 0;
-    padding: .3rem .5rem;
-    display: block;
-    border-radius: 4px;
-    border: 1px solid #808080;
-    font-size: inherit;
-    font-family: inherit;
-    color: inherit;
 }
 </style>
 {{end}}
@@ -52,7 +38,7 @@ input {
     <p id="error">{{html .Session.Error.String}}</p>
     {{end}}
 
-    <form action="/admin/register" method="POST" id="create-account">
+    <form action="/admin/register" method="POST" id="register">
         <div>
             <label for="username">Username</label>
             <input type="text" name="username" value="" autocomplete="username" required>
diff --git a/admin/views/totp-confirm.html b/admin/views/totp-confirm.html
new file mode 100644
index 0000000..af6b6e1
--- /dev/null
+++ b/admin/views/totp-confirm.html
@@ -0,0 +1,34 @@
+{{define "head"}}
+<title>TOTP Confirmation - ari melody 💫</title>
+<link rel="shortcut icon" href="/img/favicon.png" type="image/x-icon">
+<link rel="stylesheet" href="/admin/static/admin.css">
+<style>
+code {
+    user-select: all;
+}
+</style>
+{{end}}
+
+{{define "content"}}
+<main>
+    {{if .Session.Error.Valid}}
+    <p id="error">{{html .Session.Error.String}}</p>
+    {{end}}
+
+    <form action="/admin/account/totp-confirm?totp-name={{.NameEscaped}}" method="POST" id="totp-setup">
+        <p><strong>Your TOTP secret: </strong><code>{{.TOTP.Secret}}</code></p>
+
+        <!-- TODO: TOTP secret QR codes -->
+
+        <p>
+        Please store this into your two-factor authentication app or
+        password manager, then enter your code below:
+        </p>
+
+        <label for="totp">TOTP:</label>
+        <input type="text" name="totp" value="" autocomplete="one-time-code" required>
+
+        <button type="submit" class="new">Create</button>
+    </form>
+</main>
+{{end}}
diff --git a/admin/views/totp-setup.html b/admin/views/totp-setup.html
new file mode 100644
index 0000000..62b9daf
--- /dev/null
+++ b/admin/views/totp-setup.html
@@ -0,0 +1,20 @@
+{{define "head"}}
+<title>TOTP Setup - ari melody 💫</title>
+<link rel="shortcut icon" href="/img/favicon.png" type="image/x-icon">
+<link rel="stylesheet" href="/admin/static/admin.css">
+{{end}}
+
+{{define "content"}}
+<main>
+    {{if .Session.Error.Valid}}
+    <p id="error">{{html .Session.Error.String}}</p>
+    {{end}}
+
+    <form action="/admin/account/totp-setup" method="POST" id="totp-setup">
+        <label for="totp-name">TOTP Device Name:</label>
+        <input type="text" name="totp-name" value="" autocomplete="off" required>
+
+        <button type="submit" class="new">Create</button>
+    </form>
+</main>
+{{end}}
diff --git a/controller/totp.go b/controller/totp.go
index 83a5b1c..02f1c4b 100644
--- a/controller/totp.go
+++ b/controller/totp.go
@@ -17,9 +17,9 @@ import (
 	"github.com/jmoiron/sqlx"
 )
 
-const TOTP_SECRET_LENGTH = 64
-const TIME_STEP int64 = 30
-const CODE_LENGTH = 6
+const TOTP_SECRET_LENGTH = 32
+const TOTP_TIME_STEP int64 = 30
+const TOTP_CODE_LENGTH = 6
 
 func GenerateTOTP(secret string, timeStepOffset int) string {
     decodedSecret, err := base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(secret)
@@ -27,7 +27,7 @@ func GenerateTOTP(secret string, timeStepOffset int) string {
         fmt.Fprintf(os.Stderr, "WARN: Invalid Base32 secret\n")
     }
 
-    counter := time.Now().Unix() / TIME_STEP - int64(timeStepOffset)
+    counter := time.Now().Unix() / TOTP_TIME_STEP - int64(timeStepOffset)
     counterBytes := make([]byte, 8)
     binary.BigEndian.PutUint64(counterBytes, uint64(counter))
 
@@ -37,9 +37,9 @@ func GenerateTOTP(secret string, timeStepOffset int) string {
 
     offset := hash[len(hash) - 1] & 0x0f
     binaryCode := int32(binary.BigEndian.Uint32(hash[offset : offset + 4]) & 0x7FFFFFFF)
-    code := binaryCode % int32(math.Pow10(CODE_LENGTH))
+    code := binaryCode % int32(math.Pow10(TOTP_CODE_LENGTH))
 
-    return fmt.Sprintf(fmt.Sprintf("%%0%dd", CODE_LENGTH), code)
+    return fmt.Sprintf(fmt.Sprintf("%%0%dd", TOTP_CODE_LENGTH), code)
 }
 
 func GenerateTOTPSecret(length int) string {
@@ -65,8 +65,8 @@ func GenerateTOTPURI(username string, secret string) string {
     query.Set("secret", secret)
     query.Set("issuer", "arimelody.me")
     query.Set("algorithm", "SHA1")
-    query.Set("digits", fmt.Sprintf("%d", CODE_LENGTH))
-    query.Set("period", fmt.Sprintf("%d", TIME_STEP))
+    query.Set("digits", fmt.Sprintf("%d", TOTP_CODE_LENGTH))
+    query.Set("period", fmt.Sprintf("%d", TOTP_TIME_STEP))
     url.RawQuery = query.Encode()
 
     return url.String()
@@ -98,7 +98,11 @@ func CheckTOTPForAccount(db *sqlx.DB, accountID string, totp string) (*model.TOT
     for _, method := range totps {
         check := GenerateTOTP(method.Secret, 0)
         if check == totp {
-            // return the whole TOTP method as it may be useful for logging
+            return &method, nil
+        }
+        // try again with offset- maybe user input the code late?
+        check = GenerateTOTP(method.Secret, 1)
+        if check == totp {
             return &method, nil
         }
     }