app/controllers/sessions_controller.rb

@@ -21,6 +21,10 @@ class SessionsController < ApplicationController
           flash[:alert] = "Your account has been disabled!"
         elsif user.banned?
           flash[:alert] = "You are banned!"
+        elsif user.totp_enabled && !TOTP.verify?(user.totp_code, params[:totp_code])
+          flash[:alert] = "You're doing it wrong!"
+          render action: 'new'
+          return
         else
           session[:user_id] = user.id
           flash[:notice] = "Logged in!"
@@ -110,4 +114,4 @@ class SessionsController < ApplicationController
       redirect_to login_path
     end
   end
-end
+end

app/views/sessions/new.html.erb

@@ -16,6 +16,14 @@
       <td></td>
       <td><%= link_to "Lost your password?", lost_password_users_path %></td>
     </tr>
+    <tr>
+      <td><%= label_tag :totp_code %></td>
+      <td><%= text_field_tag :totp_code, nil, placeholder: "123456", required: false %></td>
+    </tr>
+    <tr>
+      <td></td>
+      <td>Leave this field blank if you do not have 2FA enabled.</td>
+    </tr>
   </table>
   <p><%= submit_tag "Log in", class: "btn blue" %></p>
 <% end %>