diff --git a/conf/cmi/core.extension.yml b/conf/cmi/core.extension.yml
index 5f4ca7fa..12f5f99a 100644
--- a/conf/cmi/core.extension.yml
+++ b/conf/cmi/core.extension.yml
@@ -24,6 +24,7 @@ module:
 easy_breadcrumb: 0
 editor: 0
 editoria11y: 0
+ encrypt: 0
 entity: 0
 entity_reference_revisions: 0
 entity_usage: 0
@@ -78,6 +79,7 @@ module:
 helfi_platform_config_base: 0
 helfi_proxy: 0
 helfi_react_search: 0
+ helfi_tfa: 0
 helfi_toc: 0
 helfi_tpr: 0
 helfi_tpr_config: 0
@@ -91,6 +93,7 @@ module:
 inline_form_errors: 0
 jquery_ui: 0
 jquery_ui_draggable: 0
+ key: 0
 language: 0
 link: 0
 linkit: 0
@@ -128,6 +131,7 @@ module:
 raven: 0
 rdf: 0
 readonly_field_widget: 0
+ real_aes: 0
 redirect: 0
 redis: 0
 responsive_image: 0
@@ -145,6 +149,7 @@ module:
 taxonomy: 0
 telephone: 0
 text: 0
+ tfa: 0
 token: 0
 toolbar: 0
 translatable_menu_link_uri: 0
diff --git a/conf/cmi/encrypt.profile.real_aes.yml b/conf/cmi/encrypt.profile.real_aes.yml
new file mode 100644
index 00000000..94b4ba51
--- /dev/null
+++ b/conf/cmi/encrypt.profile.real_aes.yml
@@ -0,0 +1,15 @@
+uuid: 90d7b880-aa02-4cff-aeb9-69e03db7a21b
+langcode: en
+status: true
+dependencies:
+ config:
+ - key.key.tfa
+ module:
+ - real_aes
+_core:
+ default_config_hash: lDV_LbRGbNBnnVa6X72NK7xH7A1T9tasNNgP2hOhHKs
+id: real_aes
+label: 'Real AES'
+encryption_method: real_aes
+encryption_key: tfa
+encryption_method_configuration: { }
diff --git a/conf/cmi/encrypt.settings.yml b/conf/cmi/encrypt.settings.yml
new file mode 100644
index 00000000..dbd39266
--- /dev/null
+++ b/conf/cmi/encrypt.settings.yml
@@ -0,0 +1,4 @@
+_core:
+ default_config_hash: CMyccvAuba2yH-HYmcEL0pq1Seyxzq9VHhKbQKwAWY4
+check_profile_status: true
+allow_deprecated_plugins: false
diff --git a/conf/cmi/hdbt_admin_tools.site_settings.yml b/conf/cmi/hdbt_admin_tools.site_settings.yml
index 8e8b3b31..8cc3abf1 100644
--- a/conf/cmi/hdbt_admin_tools.site_settings.yml
+++ b/conf/cmi/hdbt_admin_tools.site_settings.yml
@@ -1,10 +1,10 @@
 _core:
 default_config_hash: OgPHnjkIjDn42IHAwLRXhNzdhX825gq2SrlYKw4kbQ8
 langcode: en
-path_to_json: /themes/contrib/hdbt/src/icons/editor-selectable-icons.json
 site_settings:
 default_icon: star-fill
 theme_color: gold
 koro: vibration
 footer_settings:
 footer_color: dark
+path_to_json: /themes/contrib/hdbt/src/icons/editor-selectable-icons.json
diff --git a/conf/cmi/key.key.tfa.yml b/conf/cmi/key.key.tfa.yml
new file mode 100644
index 00000000..f241a8d1
--- /dev/null
+++ b/conf/cmi/key.key.tfa.yml
@@ -0,0 +1,19 @@
+uuid: 05f354f6-4d19-4cb0-9d95-0d16a1573e58
+langcode: en
+status: true
+dependencies: { }
+_core:
+ default_config_hash: ARfRhKTJUSFXqKkDFwUncBUg8-5v7z_we3DETbYMYB0
+id: tfa
+label: TFA
+description: ''
+key_type: encryption
+key_type_settings:
+ key_size: 256
+key_provider: config
+key_provider_settings:
+ key_value: thisvaluewillbeoverridden1234567
+ base64_encoded: true
+key_input: text_field
+key_input_settings:
+ base64_encoded: false
diff --git a/conf/cmi/tfa.settings.yml b/conf/cmi/tfa.settings.yml
new file mode 100644
index 00000000..851f5c80
--- /dev/null
+++ b/conf/cmi/tfa.settings.yml
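Review bot: `key_provider: config` in conf/cmi/key.key.tfa.yml keeps the TFA encryption key in exported configuration, and the committed `key_value: thisvaluewillbeoverridden1234567` is a placeholder whose override is not visible anywhere in this diff. If an environment runs without that override, the `real_aes` profile would protect stored TFA data with a value anyone can read from the repository. With `base64_encoded: true` the 32-character placeholder presumably decodes to 24 bytes, which does not match `key_size: 256`, so the real key has to be supplied in the encoded form that flag expects. I would move this key to the Key module's file provider (`key_provider: file`) or another source outside the config tree, or at least add a deploy-time check that fails while the effective key still equals the placeholder.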
@@ -0,0 +1,47 @@
+_core:
+ default_config_hash: JyIkFj38h-aTLsrCfejAfP277qBJ61tlaLEBH44IHhg
+langcode: en
+enabled: true
+required_roles:
+ content_producer: content_producer
+ editor: editor
+ admin: admin
+ super_administrator: super_administrator
+send_plugins: { }
+login_plugins: { }
+login_plugin_settings:
+ tfa_trusted_browser:
+ cookie_allow_subdomains: true
+ cookie_expiration: 30
+ cookie_name: tfa-trusted-browser
+allowed_validation_plugins:
+ tfa_totp: tfa_totp
+default_validation_plugin: tfa_totp
+validation_plugin_settings:
+ tfa_recovery_code:
+ recovery_codes_amount: 10
+ tfa_hotp:
+ counter_window: 10
+ site_name_prefix: 1
+ name_prefix: TFA
+ issuer: Drupal
+ tfa_totp:
+ time_skew: 2
+ site_name_prefix: 1
+ name_prefix: TFA
+ issuer: Hel.fi
+validation_skip: 3
+users_without_tfa_redirect: false
+reset_pass_skip_enabled: true
+encryption: real_aes
+tfa_flood_uid_only: 1
+tfa_flood_window: 300
+tfa_flood_threshold: 6
+help_text: 'Contact support to reset your access'
+mail:
+ tfa_enabled_configuration:
+ subject: 'Your [site:name] account now has two-factor authentication'
+ body: "[user:display-name],\r\n\r\nThanks for configuring two-factor authentication on your [site:name] account!\r\n\r\nThis additional level of security will help to ensure that only you are able to log in to your account.\r\n\r\nIf you ever lose the device you configured, you should act quickly to delete its association with this account.\r\n\r\n--\r\n[site:name] team"
+ tfa_disabled_configuration:
+ subject: 'Your [site:name] account no longer has two-factor authentication'
+ body: "[user:display-name],\r\n\r\nTwo-factor authentication has been disabled on your [site:name] account.\r\n\r\nIf you did not take this action, please contact a site administrator immediately.\r\n\r\n--\r\n[site:name] team"
diff --git a/conf/cmi/user.role.admin.yml b/conf/cmi/user.role.admin.yml
index ee3c580f..cc55ff30 100644
--- a/conf/cmi/user.role.admin.yml
+++ b/conf/cmi/user.role.admin.yml
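Review bot: `reset_pass_skip_enabled: true` in conf/cmi/tfa.settings.yml allows a password-reset login to bypass the second factor, as I understand the TFA module's setting. For the roles under `required_roles`, which include `admin` and `super_administrator`, control of the account mailbox would then be enough to sign in. I would set `reset_pass_skip_enabled: false` and handle lost-device cases through the support route that `help_text` already points to. Separately, `validation_skip: 3` permits three logins without TFA before setup is enforced; if that grace period is intended it deserves a line in the commit description, otherwise lower it.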
@@ -45,6 +45,7 @@ dependencies:
 - siteimprove
 - system
 - taxonomy
+ - tfa
 - toolbar
 - view_unpublished
 - views_bulk_edit
@@ -134,6 +135,7 @@ permissions:
 - 'delete remote entities'
 - 'delete terms in keywords'
 - 'delete terms in news_tags'
+ - 'disable own tfa'
 - 'edit any announcement content'
 - 'edit any file media'
 - 'edit any hel_map media'
@@ -169,6 +171,7 @@ permissions:
 - 'set landing_page published on date'
 - 'set news_item published on date'
 - 'set page published on date'
+ - 'setup own tfa'
 - 'translate announcement node'
 - 'translate any entity'
 - 'translate configuration'
diff --git a/conf/cmi/user.role.authenticated.yml b/conf/cmi/user.role.authenticated.yml
index 911782a7..76b7c0d8 100644
--- a/conf/cmi/user.role.authenticated.yml
+++ b/conf/cmi/user.role.authenticated.yml
@@ -14,6 +14,7 @@ dependencies:
 - paragraphs
 - rest
 - system
+ - tfa
 - toolbar
 _core:
 default_config_hash: 83Nuup-6oYkkdAsvg3nrR2pBOgtTXEV1JrzpCCLkYLM
@@ -25,8 +26,10 @@ permissions:
 - 'access content'
 - 'access toolbar'
 - 'delete own files'
+ - 'disable own tfa'
 - 'display eu cookie compliance popup'
 - 'restful get helfi_global_mobile_menu'
+ - 'setup own tfa'
 - 'view helfi_announcements external entity'
 - 'view helfi_news external entity'
 - 'view helfi_news_groups external entity'
diff --git a/conf/cmi/user.role.content_producer.yml b/conf/cmi/user.role.content_producer.yml
index 77c6ff2f..a9700564 100644
--- a/conf/cmi/user.role.content_producer.yml
+++ b/conf/cmi/user.role.content_producer.yml
@@ -34,6 +34,7 @@ dependencies:
 - siteimprove
 - system
 - taxonomy
+ - tfa
 - toolbar
 - view_unpublished
 _core:
@@ -81,6 +82,7 @@ permissions:
 - 'delete own news_item content'
 - 'delete own page content'
 - 'delete own remote_video media'
+ - 'disable own tfa'
 - 'edit any announcement content'
 - 'edit any file media'
 - 'edit any hel_map media'
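Review bot: `'disable own tfa'` is granted to `admin` in the `@@ -134,6 +135,7 @@` hunk of user.role.admin.yml, and the same line is added to `authenticated`, `content_producer`, `editor` and `read_only`, although tfa.settings.yml lists admin, editor and content_producer under `required_roles`. A user in a TFA-required role can therefore remove their own second factor; what happens at their next login depends on the TFA module's skip handling, which this diff does not show. Because every logged-in user inherits the permissions of `authenticated`, the per-role copies of `'setup own tfa'` and `'disable own tfa'` are also redundant. Consider keeping `- 'setup own tfa'` on `authenticated` only and dropping `- 'disable own tfa'` from all five roles, so that resets go through support as `help_text` describes; the trade-off is that users can no longer detach a lost device themselves.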
@@ -111,6 +113,7 @@ permissions:
 - 'set landing_page published on date'
 - 'set news_item published on date'
 - 'set page published on date'
+ - 'setup own tfa'
 - 'translate editable entities'
 - 'translate file media'
 - 'translate image media'
diff --git a/conf/cmi/user.role.editor.yml b/conf/cmi/user.role.editor.yml
index 85affd19..0bc6dffa 100644
--- a/conf/cmi/user.role.editor.yml
+++ b/conf/cmi/user.role.editor.yml
@@ -38,6 +38,7 @@ dependencies:
 - siteimprove
 - system
 - taxonomy
+ - tfa
 - toolbar
 - view_unpublished
 id: editor
@@ -106,6 +107,7 @@ permissions:
 - 'delete page revisions'
 - 'delete remote entities'
 - 'delete terms in keywords'
+ - 'disable own tfa'
 - 'edit any announcement content'
 - 'edit any file media'
 - 'edit any hel_map media'
@@ -139,6 +141,7 @@ permissions:
 - 'set landing_page published on date'
 - 'set news_item published on date'
 - 'set page published on date'
+ - 'setup own tfa'
 - 'translate announcement node'
 - 'translate any entity'
 - 'translate editable entities'
diff --git a/conf/cmi/user.role.read_only.yml b/conf/cmi/user.role.read_only.yml
index 3bd64799..8e835e15 100644
--- a/conf/cmi/user.role.read_only.yml
+++ b/conf/cmi/user.role.read_only.yml
@@ -2,11 +2,17 @@ uuid: fe94da85-14ae-456a-bfe6-039dcecba0df
 langcode: en
 status: true
 dependencies:
+ config:
+ - node.type.announcement
+ - node.type.landing_page
+ - node.type.news_item
+ - node.type.page
 module:
 - file
 - helfi_tpr
 - node
 - paragraphs
+ - tfa
 - toolbar
 - view_unpublished
 id: read_only
@@ -16,6 +22,8 @@ is_admin: null
 permissions:
 - 'access toolbar'
 - 'delete own files'
+ - 'disable own tfa'
+ - 'setup own tfa'
 - 'view any unpublished announcement content'
 - 'view any unpublished landing_page content'
 - 'view any unpublished news_item content'