diff --git a/src/server/cyberhex-code/system/insecure_zone/php/2fa.php b/src/server/cyberhex-code/system/insecure_zone/php/2fa.php
index 9bec669..b8353e3 100644
--- a/src/server/cyberhex-code/system/insecure_zone/php/2fa.php
+++ b/src/server/cyberhex-code/system/insecure_zone/php/2fa.php
@@ -45,6 +45,7 @@ include "../../../api/php/notifications/sendmessage.php"; //to send user notific
 							<div class="col">
 									<button style="align:left" type="submit" class="btn btn-primary btn-block">Check pin</button>
 							</div>
+							<br>
 						</form>
 						<!-- php code to verify 2fa pin-->
 						<?php
diff --git a/src/server/cyberhex-code/system/insecure_zone/php/login.php b/src/server/cyberhex-code/system/insecure_zone/php/login.php
index 96d1db3..99146d7 100644
--- a/src/server/cyberhex-code/system/insecure_zone/php/login.php
+++ b/src/server/cyberhex-code/system/insecure_zone/php/login.php
@@ -71,7 +71,11 @@ async function checkRegistration() {
                     reloadServerPreview();
                     //window.alert(authenticatorAttestationServerResponse.msg || 'login success');
 					//auth success, send to index
-					window.location.href = "/system/secure_zone/php/index.php";
+					if(authenticatorAttestationServerResponse.msg=="send_to_2fa"){
+						window.location.href = "/system/insecure_zone/php/2fa.php";
+					}else{
+						window.location.href = "/system/secure_zone/php/index.php";
+					}
                 } else {
                     throw new Error(authenticatorAttestationServerResponse.msg);
                 }
diff --git a/src/server/cyberhex-code/system/insecure_zone/php/login_backend.php b/src/server/cyberhex-code/system/insecure_zone/php/login_backend.php
index bb95a5a..d37b734 100644
--- a/src/server/cyberhex-code/system/insecure_zone/php/login_backend.php
+++ b/src/server/cyberhex-code/system/insecure_zone/php/login_backend.php
@@ -179,14 +179,27 @@ try {
 		$_SESSION["allow_pw_login"]=$row["allow_pw_login"];
 		$_SESSION["send_login_message"]=$row["send_login_message"];
 		$_SESSION["use_2fa"]=$row["use_2fa"];
-		if($_SESSION["send_login_message"]=="1"){
+		
+		$return = new stdClass();
+		$return->success = true;
+		
+		if($_SESSION["use_2fa"]=="1"){
+			unset($_SESSION["login"]); //set the login state to false
+			$_SESSION["2fa_auth"]=true;
+			$pin=mt_rand(100000, 999999);
+			$_SESSION["pin"]=$pin;
 			$ip = $_SERVER['REMOTE_ADDR'];
-			$username=$row["username"];
-			send_to_user("[LOGIN WARNING]\nHello $username\nSomebody has logged into Cyberhex with your account.\nIf this was you, you can ignore this message. Else please take steps to secure your account!\nIP: $ip\n",$username);
+			send_to_user("[2FA-Pin]\nHello $username\nHere is your pin to log into cyberhex: $pin. If you did not try to log in please take steps to secure your account!\nIP: $ip\n",$username);
+			//send the user to 2fa auth page
+			$return->msg="send_to_2fa";
+		}else{
+			if($_SESSION["send_login_message"]=="1"){
+				$ip = $_SERVER['REMOTE_ADDR'];
+				$username=$row["username"];
+				send_to_user("[LOGIN WARNING]\nHello $username\nSomebody has logged into Cyberhex with your account.\nIf this was you, you can ignore this message. Else please take steps to secure your account!\nIP: $ip\n",$username);
+			}
 		}
 		
-        $return = new stdClass();
-        $return->success = true;
         header('Content-Type: application/json');
         print(json_encode($return));
     }