diff --git a/2fa/code.php b/2fa/code.php
new file mode 100644
index 0000000..a61b8a4
--- /dev/null
+++ b/2fa/code.php
@@ -0,0 +1,91 @@
+<?php
+require_once("../inc/conx.php");
+if($logged_in == true) {
+  header("location: /");
+  exit();
+}
+?>
+<!DOCTYPE html>
+<html>
+<head>
+  <title>Misdew</title>
+  <meta charset="utf-8">
+  <meta name="description" content="We are a fairly cool social network.">
+  <meta name="keywords" content="Misdew, MD, Social, Network, Communication, 3DS, DSi, Nintendo">
+  <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
+  <meta name="google" value="notranslate">
+  <meta name="theme-color" content="#a64ca6">
+  <link rel="stylesheet" type="text/css" href="/css/consistent.css">
+  <link rel="icon" type="image/png" href="/img/favicon.png">
+  <link rel="apple-touch-icon" href="/img/logo.png">
+</head>
+<body>
+  <center>
+    <?php
+    session_start();
+    $back_button = yes;
+    $linebreak = true;
+    require_once("../inc/header.php");
+    // possible session messages
+    if (isset($_SESSION['m']) == 'all_req') {
+      echo "<div class=\"error_msg\">All fields are required.</div> <br>";
+      unset($_SESSION['m']);
+    }
+    elseif (isset($_SESSION['m4']) == 'user_leng') {
+      echo "<div class=\"error_msg\">Your username must not be greater than 13 characters.</div> <br>";
+      unset($_SESSION['m4']);
+    }
+    elseif (isset($_SESSION['m5']) == 'user_exi') {
+      echo "<div class=\"error_msg\">That username already exists.</div> <br>";
+      unset($_SESSION['m5']);
+    }
+    elseif (isset($_SESSION['m3']) == 'pdnm_aumna') {
+      echo "<div class=\"error_msg\">Your username must be alphanumeric and the passwords you entered did not match.</div> <br>";
+      unset($_SESSION['m3']);
+    }
+    elseif (isset($_SESSION['m2']) == 'user_alnum') {
+      echo "<div class=\"error_msg\">Your username must be alphanumeric.</div> <br>";
+      unset($_SESSION['m2']);
+    }
+    elseif (isset($_SESSION['m1']) == 'chec_yapass') {
+      echo "<div class=\"error_msg\">The passwords you entered did not match.</div> <br>";
+      unset($_SESSION['m1']);
+    }
+    elseif (isset($_SESSION['m6']) == 'gen_error') {
+      echo "<div class=\"error_msg\">There was an error.</div> <br>";
+      unset($_SESSION['m6']);
+    }
+    session_destroy();
+    ?>
+    <span style="color: #888; font-weight: bold; font-family: 'Dosis', sans-serif;">Enter your login details one last time. <br> Enter the 2FA code that was sent to your linked email. <br> You will be redirected to the Hub if it is correct.</span> <br><br>
+    <form action="verifycode.php" method="post" autocomplete="off">
+      <table class="form_tble">
+        <tr>
+          <td>
+            <input name="username" type="text" placeholder="username" class="form_input">
+          </td>
+        </tr>
+        <tr>
+          <td>
+            <input name="password" type="password" placeholder="password" class="form_input">
+          </td>
+        </tr>
+        <tr>
+          <td>
+            <input name="2facode" type="text" placeholder="enter 2FA code" class="form_input">
+          </td>
+        </tr>
+        <tr>
+          <td class="form_tdpad">
+            <input type="submit" value="verify & login" class="form_submit" onclick="this.disabled=true;this.value='verifying...';this.form.submit();">
+          </td>
+        </tr>
+      </table>
+    </form>
+    <?php
+
+    require_once("../inc/footer.php");
+    ?>
+  </center>
+</body>
+</html>
diff --git a/2fa/email_hasher_sajfljasfjaw7483ufj.php b/2fa/email_hasher_sajfljasfjaw7483ufj.php
new file mode 100644
index 0000000..1413ade
--- /dev/null
+++ b/2fa/email_hasher_sajfljasfjaw7483ufj.php
@@ -0,0 +1,11 @@
+<?php
+header("location: /");
+// hash the email
+/*
+$email_p = "";
+
+$email_hasher = "mdasdfnASUF;Q92jvna.fk2";
+$email_hashed = hash("sha256",$email_hasher.$email_p);
+echo $email_hashed;
+*/
+?>
diff --git a/2fa/sendcode.php b/2fa/sendcode.php
new file mode 100644
index 0000000..e13f61e
--- /dev/null
+++ b/2fa/sendcode.php
@@ -0,0 +1,96 @@
+<?php
+session_start();
+require_once("../inc/conx.php");
+if($logged_in == true) {
+  header("location: /");
+  exit();
+}
+# POST DATA
+$username_p = safe($_POST['username']);
+$password_p = safe($_POST['password']);
+$email_p = safe($_POST['email']);
+if($username_p && $password_p && $email_p) {
+  $cs = mysqli_query($conx, "SELECT uid,username,verified,password,2fa,email_secure FROM accounts WHERE username='$username_p'");
+  $ccnt = mysqli_num_rows($cs);
+  $cr = @mysqli_fetch_assoc($cs);
+  $c_username = $cr['username'];
+  $c_uuid = $cr['uid'];
+  $c_eemailhash = $cr['email_secure'];
+  $c_password = $cr['password'];
+  $c_verified = $cr['verified'];
+  $c_2fa = $cr['2fa'];
+  # ACCOUNT IS NOT VERIFIED
+  if($c_verified != 'yes') {
+    $kill = '';
+    $msg = 'nvdjrj6jfnxalpowqnzaiywliz';
+    setcookie("akgnxoPwqlIs", $kill, time()+3600*24*30, '/', '.misdew.com');
+    setcookie("LoILilzcnmwe", $kill, time()+3600*24*30, '/', '.misdew.com');
+    setcookie("puTtxXvbEkOo", $kill, time()+3600*24*30, '/', '.misdew.com');
+    setcookie("hwsmnzeiopqm", $msg, time()+3600*24*30, '/', '.misdew.com');
+    echo "error";
+    exit();
+  }
+  # IF THE USERNAME DOES NOT EXIST
+  if($ccnt == 0) {
+    echo "error";
+    exit();
+  }
+  // check and require 2FA
+  if($c_2fa == 'enabled') {
+    function genTFAc($length = 6) {
+      return substr(str_shuffle("0123456789"), 0, $length);
+    }
+    $rand2facode = genTFAc();
+
+    // hash the email
+    $email_hasher = "make this ur own random string sht like askdlfjask;ldfjkl534jkl3j but make sure it matches in other files where email is encrypted like join and stuff ok";
+    $email_hashed = hash("sha256",$email_hasher.$email_p);
+
+    // hash the password
+    $password_hashed = hash("sha256",$c_username.$password_p);
+    # IF PASSWORD IS INCORRECT
+    if($password_hashed != $c_password) {
+      echo "error";
+      exit();
+    }
+
+    if($email_hashed == $c_eemailhash && $password_hashed == $c_password) {
+      // hash the 2fa code
+      $tfa_hasher = "read above bro make ur own";
+      $tfa_hashed = hash("sha256",$tfa_hasher.$rand2facode);
+      mysqli_query($conx, "UPDATE accounts SET 2fa_code='$tfa_hashed' WHERE uid='$c_uuid'");
+      # PUSH OUT EMAIL
+      $to = $email_p;
+      $subject = "misdew.com 2FA";
+      $txt = "$c_username, <br>
+            Your account was successfully logged into. <br>
+            2FA has been enabled for your account so the code below is needed to fully login. <br>
+            If you did not login, your account has been compromised. Please update your password immediately if you did not request a 2FA code. <br>
+            Contact me@justa.us if you need any help. <br><br>
+            Use this code on the 2FA page: $rand2facode
+            <br><br>
+          </span>
+        </center>";
+      $headers = "Content-Type: text/html; charset=utf-8";
+      mail($to,$subject,$txt,$headers);
+      header("location: /2fa/code.php");
+      exit();
+    }
+    else {
+      echo "error";
+      exit();
+    }
+
+
+  }
+  else {
+    echo "error";
+    exit();
+  }
+
+}
+else {
+echo "error";
+exit();
+}
+?>
diff --git a/2fa/verifycode.php b/2fa/verifycode.php
new file mode 100644
index 0000000..2eeaaba
--- /dev/null
+++ b/2fa/verifycode.php
@@ -0,0 +1,94 @@
+<?php
+session_start();
+require_once("../inc/conx.php");
+if($logged_in == true) {
+  header("location: /");
+  exit();
+}
+# POST DATA
+$username_p = safe($_POST['username']);
+$password_p = safe($_POST['password']);
+$t2facode = safe($_POST['2facode']);
+if($username_p && $password_p && $t2facode) {
+  $cs = mysqli_query($conx, "SELECT 2fa_code,uid,username,verified,password,2fa,email_secure,rstringa,rstringb,rstringc FROM accounts WHERE username='$username_p'");
+  $ccnt = mysqli_num_rows($cs);
+  $cr = @mysqli_fetch_assoc($cs);
+  $c_username = $cr['username'];
+  $c_uuid = $cr['uid'];
+  $c_eemailhash = $cr['email_secure'];
+  $c_password = $cr['password'];
+  $c_verified = $cr['verified'];
+  $c_2fa = $cr['2fa'];
+  $c_2fa_code = $cr['2fa_code'];
+  $c_rstringa = $cr['rstringa'];
+  $c_rstringb = $cr['rstringb'];
+  $c_rstringc = $cr['rstringc'];
+  # ACCOUNT IS NOT VERIFIED
+  if($c_verified != 'yes') {
+    $kill = '';
+    $msg = 'nvdjrj6jfnxalpowqnzaiywliz';
+    setcookie("akgnxoPwqlIs", $kill, time()+3600*24*30, '/', '.misdew.com');
+    setcookie("LoILilzcnmwe", $kill, time()+3600*24*30, '/', '.misdew.com');
+    setcookie("puTtxXvbEkOo", $kill, time()+3600*24*30, '/', '.misdew.com');
+    setcookie("hwsmnzeiopqm", $msg, time()+3600*24*30, '/', '.misdew.com');
+    echo "error";
+    exit();
+  }
+  # IF THE USERNAME DOES NOT EXIST
+  if($ccnt == 0) {
+    echo "error";
+    exit();
+  }
+  // check and require 2FA
+  if($c_2fa == 'enabled') {
+    function genTFAc($length = 10) {
+      return substr(str_shuffle("0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"), 0, $length);
+    }
+    $rand2facode = genTFAc();
+
+    // hash the 2fa code
+    $t2facodehasher = "make ur own but keep it consistent between files";
+    $posted_2fahash = hash("sha256",$t2facodehasher.$t2facode);
+
+    // hash the password
+    $password_hashed = hash("sha256",$c_username.$password_p);
+    # IF PASSWORD IS INCORRECT
+    if($password_hashed != $c_password) {
+      echo "error";
+      exit();
+    }
+    if($c_2fa_code != $posted_2fahash) {
+      echo "2FA code wrong, please go back and try again; email me@justa.us if you need help";
+      exit();
+    }
+
+
+    if($password_hashed == $c_password && $posted_2fahash == $c_2fa_code) {
+      // log the user in and delete 2FA entry from their account
+      mysqli_query($conx, "UPDATE accounts SET 2fa_code='' WHERE uid='$c_uuid'");
+      setcookie("akgnxoPwqlIs", $c_rstringa, time()+3600*24*30, '/', '.misdew.com');
+      setcookie("LoILilzcnmwe", $c_rstringb, time()+3600*24*30, '/', '.misdew.com');
+      setcookie("puTtxXvbEkOo", $c_rstringc, time()+3600*24*30, '/', '.misdew.com');
+      $kill = '';
+      setcookie("hwsmnzeiopqm", $kill, time()+3600*24*30, '/', '.misdew.com');
+      header("location: /hub");
+      exit();
+    }
+    else {
+      echo "error";
+      exit();
+    }
+
+
+  }
+  else {
+    echo "error";
+    exit();
+  }
+
+}
+else {
+echo "error";
+exit();
+}
+?>