diff --git a/authenticator.php b/authenticator.php
new file mode 100644
index 0000000..05d3d92
--- /dev/null
+++ b/authenticator.php
@@ -0,0 +1,125 @@
+<?php
+include_once('includes/config.php');
+include_once('includes/umf.php');
+include_once('includes/authenticator.php');
+if(!isset($_SESSION['UM_DATA'])){
+	header('Location: login.php');
+	exit;
+}
+$SUCCESS=false;
+$ERROR=false;
+if(isset($_POST['code'])){
+    $ga = new PHPGangsta_GoogleAuthenticator();
+
+    $ok=$ga->verifyCode($_POST['secret'], $_POST['code'], UM_AUTHENTICATOR_TOL);
+
+    if($ok){
+        $st=$DB->prepare("update users set authen_secret=? where _id=?");
+        $st->bind_param('si',$_POST['secret'],$_SESSION['UM_DATA']['_id']);
+        $st->execute();
+        $SUCCESS="Setup Completed. Your Secret Is <b>{$_POST['secret']}</b>, Please write this down SomeWhere Safe";
+    }else{
+        $ERROR="Wrong Code!";
+    }
+}
+?>
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
+    <meta name="description" content="">
+    <meta name="author" content="">
+    <link rel="icon" href="/img/favicon.png">
+    <title>2-Step Verification</title>
+    <link href="css/bootstrap.min.css" rel="stylesheet">
+    <link href="css/dashboard.css" rel="stylesheet">
+    <script src="js/jquery-3.4.1.min.js"></script>
+    <script src="js/bootstrap.bundle.js"></script>
+	 <script src="/js/jquery.validate.min.js"></script>
+<script type="text/javascript">
+$( document ).ready(function(){
+	
+});
+</script>
+  </head>
+
+  <body>
+    <nav class="navbar navbar-dark sticky-top bg-dark flex-md-nowrap p-0">
+      <a class="navbar-brand col-sm-3 col-md-2 col-4 mr-0" href="#"><?php echo $UM_CONFIG['TITLE'];?></a>
+      <ul class="navbar-nav px-3">
+        <li class="nav-item text-nowrap">
+          <a class="nav-link" href="login.php?logout">Sign out</a>
+        </li>
+      </ul>
+    </nav>
+
+    <div class="container-fluid">
+      <div class="row">
+        <nav class="col-md-2 col-sm-1 col-1 d-inline d-md-block bg-light sidebar" style="top:48px">
+          <div class="sidebar-sticky">
+            <ul class="nav flex-column">
+            <?php
+            	include('includes/dashboard_sidebar.php');
+            ?>
+            </ul>
+          </div>
+        </nav>
+
+        <main role="main" class="col-md-9 offset-md-2 col-sm-11 offset-sm-1 col-11 offset-1 pt-3 px-4">
+          <div class="d-flex justify-content-between flex-wrap flex-md-nowrap align-items-center pb-2 mb-3 border-bottom">
+<div class="container">
+<?php
+if(@$ERROR){
+	echo '<div class="alert alert-danger" role="alert">'.$ERROR.'</div>';
+}else if(@$SUCCESS){
+	echo '<div class="alert alert-success" role="alert">'.$SUCCESS.'</div>';
+}
+
+$DATA=$DB->query("select * from users where _id={$_SESSION['UM_DATA']['_id']}")->fetch_assoc();
+if($DATA['authen_secret']){
+    echo '<div class="alert alert-primary" role="alert">2FAuthentication is Activated</div>';
+}else{
+    $ga = new PHPGangsta_GoogleAuthenticator();
+    $secret = $_POST['secret']?$_POST['secret']:$ga->createSecret();
+
+    $qrCodeUrl = $ga->getQRCodeGoogleUrl($UM_CONFIG['TITLE']."({$DATA['email']})", $secret);
+?>
+<form id="regForm1" action="authenticator.php" method="post">
+    <input type="hidden" value="<?php echo $secret;?>" name="secret"/>
+    <p>
+        <h4>Setup 2 Factor Verification</h4>
+        <ul>
+            <li>Get the Authenticator from The <a href="https://apps.apple.com/app/google-authenticator/id388497605" target="_blank">App store (IOS)</a> or <a href="https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2" target="_blank">Google Play (Android)</a></li>
+            <li>After opening App Click on <b>Plus or Add button</b> And Then Select <b>Scan a QR Code</b></li>
+            <li>Scan Below QRCode</li>
+        <img src="<?php echo $qrCodeUrl;?>"/>
+            <li>Enter Generated Code in Below Field</li>
+        </ul>
+    </p>
+  <div class="form-group">
+    <input type="text" class="form-control" name="code" placeholder="000000" autocomplete="off"/>
+  </div>
+  <br/><input type="submit" class="btn btn-primary my-1" value="Verify" name="verify"/>
+</form>
+<?php
+}
+?>
+</div>
+          </div>
+        </main>
+      </div>
+    </div>
+    <script src="js/feather.min.js"></script>
+    <script>
+      feather.replace()
+    </script>
+<hr>
+<footer>
+<p class="text-center text-ltr engFont">&copy; <a href="http://h.sandbad.biz/User-Manager/" target="_blank">UserManager</a></p>
+</footer>
+  </body>
+</html>
+<?php
+$DB->close();
+?>
diff --git a/includes/authenticator.php b/includes/authenticator.php
new file mode 100644
index 0000000..bf7d116
--- /dev/null
+++ b/includes/authenticator.php
@@ -0,0 +1,252 @@
+<?php
+
+/**
+ * PHP Class for handling Google Authenticator 2-factor authentication.
+ *
+ * @author Michael Kliewe
+ * @copyright 2012 Michael Kliewe
+ * @license http://www.opensource.org/licenses/bsd-license.php BSD License
+ *
+ * @link http://www.phpgangsta.de/
+ */
+class PHPGangsta_GoogleAuthenticator
+{
+    protected $_codeLength = 6;
+
+    /**
+     * Create new secret.
+     * 16 characters, randomly chosen from the allowed base32 characters.
+     *
+     * @param int $secretLength
+     *
+     * @return string
+     */
+    public function createSecret($secretLength = 16)
+    {
+        $validChars = $this->_getBase32LookupTable();
+
+        // Valid secret lengths are 80 to 640 bits
+        if ($secretLength < 16 || $secretLength > 128) {
+            throw new Exception('Bad secret length');
+        }
+        $secret = '';
+        $rnd = false;
+        if (function_exists('random_bytes')) {
+            $rnd = random_bytes($secretLength);
+        } elseif (function_exists('mcrypt_create_iv')) {
+            $rnd = mcrypt_create_iv($secretLength, MCRYPT_DEV_URANDOM);
+        } elseif (function_exists('openssl_random_pseudo_bytes')) {
+            $rnd = openssl_random_pseudo_bytes($secretLength, $cryptoStrong);
+            if (!$cryptoStrong) {
+                $rnd = false;
+            }
+        }
+        if ($rnd !== false) {
+            for ($i = 0; $i < $secretLength; ++$i) {
+                $secret .= $validChars[ord($rnd[$i]) & 31];
+            }
+        } else {
+            throw new Exception('No source of secure random');
+        }
+
+        return $secret;
+    }
+
+    /**
+     * Calculate the code, with given secret and point in time.
+     *
+     * @param string   $secret
+     * @param int|null $timeSlice
+     *
+     * @return string
+     */
+    public function getCode($secret, $timeSlice = null)
+    {
+        if ($timeSlice === null) {
+            $timeSlice = floor(time() / 30);
+        }
+
+        $secretkey = $this->_base32Decode($secret);
+
+        // Pack time into binary string
+        $time = chr(0).chr(0).chr(0).chr(0).pack('N*', $timeSlice);
+        // Hash it with users secret key
+        $hm = hash_hmac('SHA1', $time, $secretkey, true);
+        // Use last nipple of result as index/offset
+        $offset = ord(substr($hm, -1)) & 0x0F;
+        // grab 4 bytes of the result
+        $hashpart = substr($hm, $offset, 4);
+
+        // Unpak binary value
+        $value = unpack('N', $hashpart);
+        $value = $value[1];
+        // Only 32 bits
+        $value = $value & 0x7FFFFFFF;
+
+        $modulo = pow(10, $this->_codeLength);
+
+        return str_pad($value % $modulo, $this->_codeLength, '0', STR_PAD_LEFT);
+    }
+
+    /**
+     * Get QR-Code URL for image, from google charts.
+     *
+     * @param string $name
+     * @param string $secret
+     * @param string $title
+     * @param array  $params
+     *
+     * @return string
+     */
+    public function getQRCodeGoogleUrl($name, $secret, $title = null, $params = array())
+    {
+        $width = !empty($params['width']) && (int) $params['width'] > 0 ? (int) $params['width'] : 200;
+        $height = !empty($params['height']) && (int) $params['height'] > 0 ? (int) $params['height'] : 200;
+        $level = !empty($params['level']) && array_search($params['level'], array('L', 'M', 'Q', 'H')) !== false ? $params['level'] : 'M';
+
+        $urlencoded = urlencode('otpauth://totp/'.$name.'?secret='.$secret.'');
+        if (isset($title)) {
+            $urlencoded .= urlencode('&issuer='.urlencode($title));
+        }
+
+        return "https://api.qrserver.com/v1/create-qr-code/?data=$urlencoded&size=${width}x${height}&ecc=$level";
+    }
+
+    /**
+     * Check if the code is correct. This will accept codes starting from $discrepancy*30sec ago to $discrepancy*30sec from now.
+     *
+     * @param string   $secret
+     * @param string   $code
+     * @param int      $discrepancy      This is the allowed time drift in 30 second units (8 means 4 minutes before or after)
+     * @param int|null $currentTimeSlice time slice if we want use other that time()
+     *
+     * @return bool
+     */
+    public function verifyCode($secret, $code, $discrepancy = 1, $currentTimeSlice = null)
+    {
+        if ($currentTimeSlice === null) {
+            $currentTimeSlice = floor(time() / 30);
+        }
+
+        if (strlen($code) != 6) {
+            return false;
+        }
+
+        for ($i = -$discrepancy; $i <= $discrepancy; ++$i) {
+            $calculatedCode = $this->getCode($secret, $currentTimeSlice + $i);
+            if ($this->timingSafeEquals($calculatedCode, $code)) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    /**
+     * Set the code length, should be >=6.
+     *
+     * @param int $length
+     *
+     * @return PHPGangsta_GoogleAuthenticator
+     */
+    public function setCodeLength($length)
+    {
+        $this->_codeLength = $length;
+
+        return $this;
+    }
+
+    /**
+     * Helper class to decode base32.
+     *
+     * @param $secret
+     *
+     * @return bool|string
+     */
+    protected function _base32Decode($secret)
+    {
+        if (empty($secret)) {
+            return '';
+        }
+
+        $base32chars = $this->_getBase32LookupTable();
+        $base32charsFlipped = array_flip($base32chars);
+
+        $paddingCharCount = substr_count($secret, $base32chars[32]);
+        $allowedValues = array(6, 4, 3, 1, 0);
+        if (!in_array($paddingCharCount, $allowedValues)) {
+            return false;
+        }
+        for ($i = 0; $i < 4; ++$i) {
+            if ($paddingCharCount == $allowedValues[$i] &&
+                substr($secret, -($allowedValues[$i])) != str_repeat($base32chars[32], $allowedValues[$i])) {
+                return false;
+            }
+        }
+        $secret = str_replace('=', '', $secret);
+        $secret = str_split($secret);
+        $binaryString = '';
+        for ($i = 0; $i < count($secret); $i = $i + 8) {
+            $x = '';
+            if (!in_array($secret[$i], $base32chars)) {
+                return false;
+            }
+            for ($j = 0; $j < 8; ++$j) {
+                $x .= str_pad(base_convert(@$base32charsFlipped[@$secret[$i + $j]], 10, 2), 5, '0', STR_PAD_LEFT);
+            }
+            $eightBits = str_split($x, 8);
+            for ($z = 0; $z < count($eightBits); ++$z) {
+                $binaryString .= (($y = chr(base_convert($eightBits[$z], 2, 10))) || ord($y) == 48) ? $y : '';
+            }
+        }
+
+        return $binaryString;
+    }
+
+    /**
+     * Get array with all 32 characters for decoding from/encoding to base32.
+     *
+     * @return array
+     */
+    protected function _getBase32LookupTable()
+    {
+        return array(
+            'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', //  7
+            'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', // 15
+            'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', // 23
+            'Y', 'Z', '2', '3', '4', '5', '6', '7', // 31
+            '=',  // padding char
+        );
+    }
+
+    /**
+     * A timing safe equals comparison
+     * more info here: http://blog.ircmaxell.com/2014/11/its-all-about-time.html.
+     *
+     * @param string $safeString The internal (safe) value to be checked
+     * @param string $userString The user submitted (unsafe) value
+     *
+     * @return bool True if the two strings are identical
+     */
+    private function timingSafeEquals($safeString, $userString)
+    {
+        if (function_exists('hash_equals')) {
+            return hash_equals($safeString, $userString);
+        }
+        $safeLen = strlen($safeString);
+        $userLen = strlen($userString);
+
+        if ($userLen != $safeLen) {
+            return false;
+        }
+
+        $result = 0;
+
+        for ($i = 0; $i < $userLen; ++$i) {
+            $result |= (ord($safeString[$i]) ^ ord($userString[$i]));
+        }
+
+        // They are only identical strings if $result is exactly 0...
+        return $result === 0;
+    }
+}
diff --git a/includes/umf.php b/includes/umf.php
index 44e49f5..8eb706b 100644
--- a/includes/umf.php
+++ b/includes/umf.php
@@ -40,25 +40,26 @@ function UM_VerifyCaptcha($response){
 	return @$json['success'];
 }
 function decodeConfig($c){
-	global $UM_PERM;
 	$c=intval($c);
-	$o=array();
-	foreach($UM_PERM as $k=>$v){
-		$k=intval($k);
-		$o[$k]=((($c&pow(2,$k))>>$k)==1);
-	}
-	return $o;
+	return array(
+		'admin'=>((($c&1)>>0)==1)
+		,'edit_admin'=>((($c&2)>>1)==1)
+		,'edit_password'=>((($c&4)>>2)==1)
+		,'payout'=>((($c&8)>>3)==1)
+	);
 }
 function encodeConfig($setting){
 	if(!$setting)
 		return 0;
-	global $UM_PERM;
 	$o=0;
-	foreach($UM_PERM as $k=>$v){
-		$k=intval($k);
-		if($setting[$v])
-			$o+=pow(2,$k);
-	}
+	if($setting['admin'])
+		$o+=(1);
+	if($setting['edit_admin'])
+		$o+=(2);
+	if($setting['edit_password'])
+		$o+=(4);
+	if($setting['payout'])
+		$o+=(8);
 	return $o;
 }
 ?>
diff --git a/install/fields.php b/install/fields.php
index c743351..b976dcc 100644
--- a/install/fields.php
+++ b/install/fields.php
@@ -44,6 +44,7 @@
   `ref` varchar(50) DEFAULT NULL,
   `email` varchar(50) NULL,
   `email_temp` varchar(50) NOT NULL,
+  `authen_secret` varchar(50) NULL,
   `password` varchar(255) NOT NULL,
   `reg_date` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
   `perm` int(4) NOT NULL DEFAULT 0,
@@ -80,7 +81,7 @@
 		$ERROR="there was an error while creating tables: ".$DB->error;
 	}
 	$password=UM_randomString(8);
-	if($_SESSION['email_admin'] && $DB->query("INSERT INTO users set email='{$_SESSION['email_admin']}',password='".UM_PASSWORD($password)."'")){
+	if($_SESSION['email_admin'] && $DB->query("INSERT INTO users set email='{$_SESSION['email_admin']}',password='".UM_PASSWORD($password)."',perm=15")){
 		$_SESSION['UM_ADMIN']=array($_SESSION['email_admin'],$password);
 	}
 	$rules=array();
diff --git a/install/index.php b/install/index.php
index ae86997..3013edf 100644
--- a/install/index.php
+++ b/install/index.php
@@ -28,6 +28,7 @@
 	$db.="\n\ndefine('UM_DOMAIN','{$d}');";
 	$db.="\ndefine('UM_EMAIL_FROM','{$_POST['email']}');";
 	$db.="\n\ndefine('UM_REFERRAL_ACTIVE',".(isset($_POST['referral'])?'true':'false').");//activates referral system in user dashboard";
+	$db.="\n\ndefine('UM_AUTHENTICATOR_ACTIVE',".(isset($_POST['authenticator'])?'true':'false').");//activates authenticator system in user dashboard\ndefine('UM_AUTHENTICATOR_TOL',2);//time tolerance for code verification(minutes)";
 	$data=preg_replace('%UM_CONFIG\*\/[\s\S]+\/\*UM_CONFIG%',"UM_CONFIG*/\n{$db}\n/*UM_CONFIG",$data);
 	$_SESSION['email_admin']=strtolower($_POST['email_admin']);
 	if(file_put_contents('../includes/config.php',$data)){
@@ -105,7 +106,13 @@
 	<div class="form-check">
 		<input class="form-check-input" type="checkbox" value="" id="referral" name="referral" checked="">
 		<label class="form-check-label" for="referral">
-		 Activate Referral System
+			Activate Referral System
+		</label>
+	</div><br/><br/>
+	<div class="form-check">
+		<input class="form-check-input" type="checkbox" value="" id="authenticator" name="authenticator" checked="">
+		<label class="form-check-label" for="referral">
+			Activate Google Authenticator Support
 		</label>
 	</div><br/><br/>
   <div class="form-group">
diff --git a/login.php b/login.php
index ac98d8f..e30b739 100644
--- a/login.php
+++ b/login.php
@@ -1,6 +1,7 @@
 <?php
 include_once('includes/config.php');
 include_once('includes/umf.php');
+include_once('includes/authenticator.php');
 if(isset($_GET['logout'])){
 	unset($_SESSION['UM_DATA']);
 	setcookie('UM_LOGIN','',-1);
@@ -11,6 +12,7 @@
 }
 $SUCCESS=false;
 $ERROR=false;
+$Request2FA=false;
 if(isset($_POST['forget'])){
 	if(UM_CAPTCHA_SITE && !UM_VerifyCaptcha($_POST['captcha'])){
 		$ERROR='ARE YOU A BOT??';
@@ -50,23 +52,39 @@
 		if($st->execute()){
 			$data=$st->get_result()->fetch_assoc();
 			if(UM_PASSWORD_VERIFY($_POST['password'],$data['password'])){
-				$SUCCESS=true;
-				$ip=(isset($_SERVER['HTTP_CF_CONNECTING_IP'])?$_SERVER['HTTP_CF_CONNECTING_IP']:$_SERVER['REMOTE_ADDR']);
-				$ip=preg_replace('%[^0-9.]+%','',$ip);
-				$DB->query("insert into login_log set user_id={$data['_id']},ip='{$ip}'{$e},secret='{$p}'");
-				$cookie="{$DB->insert_id}_{$p}";
-				$_SESSION['UM_DATA']=array('_id'=>$data['_id'],'cookie'=>$cookie);
-				$_SESSION['UM_DATA']['perm']=decodeConfig($data['perm']);
-				if(isset($_POST['remember'])){
-					setcookie('UM_LOGIN',$cookie,array('expires'=>time()+((UM_LOGIN_EXPIRE>0?UM_LOGIN_EXPIRE:365)*24*3600),'httponly'=>true));
+				$SUCCESS=false;
+				if(UM_AUTHENTICATOR_ACTIVE && $data['authen_secret']){
+					if($_POST['2FA']){
+						$ga = new PHPGangsta_GoogleAuthenticator();
+						if($ga->verifyCode($data['authen_secret'], $_POST['2FA'], UM_AUTHENTICATOR_TOL)){
+							$SUCCESS=true;
+						}else{
+							$Request2FA=true;
+							$ERROR="Wrong Code";
+						}
+					}else{
+						$Request2FA=true;
+					}
+				}else
+					$SUCCESS=true;
+				if($SUCCESS){
+					$ip=(isset($_SERVER['HTTP_CF_CONNECTING_IP'])?$_SERVER['HTTP_CF_CONNECTING_IP']:$_SERVER['REMOTE_ADDR']);
+					$ip=preg_replace('%[^0-9.]+%','',$ip);
+					$DB->query("insert into login_log set user_id={$data['_id']},ip='{$ip}'{$e},secret='{$p}'");
+					$cookie="{$DB->insert_id}_{$p}";
+					$_SESSION['UM_DATA']=array('_id'=>$data['_id'],'cookie'=>$cookie);
+					$_SESSION['UM_DATA']['perm']=decodeConfig($data['perm']);
+					if(isset($_POST['remember'])){
+						setcookie('UM_LOGIN',$cookie,array('expires'=>time()+((UM_LOGIN_EXPIRE>0?UM_LOGIN_EXPIRE:365)*24*3600),'httponly'=>true));
+					}
+					if(isset($_POST['return']) && $_POST['return'][0]=='/'){
+						$return=$_POST['return'];
+					}else{
+						$return='user.php';
+					}
+					header("Location: {$return}");
+					exit;
 				}
-				if(isset($_POST['return']) && $_POST['return'][0]=='/'){
-					$return=$_POST['return'];
-				}else{
-					$return='user.php';
-				}
-				header("Location: {$return}");
-				exit;
 			}
 		}else{
 			
@@ -74,7 +92,7 @@
 	}catch(Exception $e){
 		$ERROR=$e->getMessage();
 	}
-	if(!$SUCCESS && !$ERROR)
+	if(!$Request2FA && !$SUCCESS && !$ERROR)
 		$ERROR='Invalid username or password!';
 }
 ?>
@@ -184,8 +202,19 @@
 <?php
 }else{
 ?>
-<h1>Login Form</h1>
 <form id="form" action="login.php" method="post">
+	<?php
+	if($Request2FA){
+		echo '<input type="hidden" name="email" value="'.$_POST['email'].'"/><input type="hidden" name="password" value="'.$_POST['password'].'"/>';
+	?>
+	<div class="form-group">
+		<label for="input_email">Enter Code From Google Authenticator App</label>
+		<input type="number" class="form-control" name="2FA" placeholder="000000" autocomplete="off"/>
+	</div>
+	<?php
+	}else{
+	?>
+	<h1>Login Form</h1>
   <div class="form-group">
     <label for="input_email">Email address</label>
     <input type="email" class="form-control" name="email" required id="input_email" value="<?php echo @$_POST['email'];?>"/>
@@ -198,12 +227,13 @@
     <input type="checkbox" class="form-check-input" name="remember" id="input_remember"/>
     <label for="input_remember" class="form-check-label">Remember Me</label>
   </div>
-  <input type="hidden" name="captcha" id="captcha"/>
-  <?php
+	<?php
+	}
 	if(isset($_GET['return'])){
 		echo '<input type="hidden" name="return" value="'.$_GET['return'].'">';
 	}
 	?>
+	<input type="hidden" name="captcha" id="captcha"/>
   <br/><button type="submit" class="btn btn-primary my-1" id="submit">Submit</button>
 	<?php
 	if(UM_CAPTCHA_SITE){
diff --git a/user.php b/user.php
index 8a236ed..1f010cc 100644
--- a/user.php
+++ b/user.php
@@ -201,6 +201,9 @@
 if(UM_REFERRAL_ACTIVE){
 	echo '<div class="alert alert-light border-green rounded p-3">Your Referral Link:<div class="font-weight-bold rounded border border-primary text-center alert alert-primary text-dark">'.UM_DOMAIN.sprintf(UM_REFERRAL_FORMAT,$DATA['_id']).'</div></div>';
 }
+if(UM_AUTHENTICATOR_ACTIVE && $DATA['email'] && !$DATA['authen_secret']){
+	echo '<div class="alert alert-warning border-green rounded p-3">2 Step Authentication Is not Enabled. Activate it <a href="authenticator.php">Here</a></div>';
+}
 ?>
 <form id="regForm2" action="user.php" method="post">
   <hr/>