+the 'TOTP' key, by typing the current 'OTP' value into the 'Verification Code'
+field and pressing the 'Apply' button.
+
+[[user_tfa_setup_totp]]
+=== TOTP
+
+[thumbnail="screenshot/pve-gui-tfa-add-totp.png"]
+
+There is no server setup required. Simply install a TOTP app on your
+smartphone (for example, https://freeotp.github.io/[FreeOTP]) and use
+the Proxmox Backup Server web-interface to add a TOTP factor.
+
+[[user_tfa_setup_webauthn]]
+=== WebAuthn
+
+For WebAuthn to work, you need to have two things:
+
+* A trusted HTTPS certificate (for example, by using
+ https://pve.proxmox.com/wiki/Certificate_Management[Let's Encrypt]).
+ While it probably works with an untrusted certificate, some browsers may
+ warn or refuse WebAuthn operations if it is not trusted.
+* Setup the WebAuthn configuration (see *Datacenter -> Options ->
+ WebAuthn Settings* in the Proxmox VE web interface). This can be
+ auto-filled in most setups.
+
+Once you have fulfilled both of these requirements, you can add a WebAuthn
+configuration in the *Two Factor* panel under *Datacenter -> Permissions -> Two
+Factor*.
+
+[[user_tfa_setup_recovery_keys]]
+=== Recovery Keys
+
+[thumbnail="screenshot/pve-gui-tfa-add-recovery-keys.png"]
+
+Recovery key codes do not need any preparation; you can simply create a
+set of recovery keys in the *Two Factor* panel under *Datacenter -> Permissions
+-> Two Factor*.
+
+NOTE: There can only be one set of single-use recovery keys per user at any
+time.
+
+
+[[pveum_configure_webauthn]]
+Server Side Webauthn Configuration
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+[thumbnail="screenshot/gui-datacenter-webauthn-edit.png"]
+
+To allow users to use 'WebAuthn' authentication, it is necessaary to use a valid
+domain with a valid SSL certificate, otherwise some browsers may warn or refuse
+to authenticate altogether.
+
+NOTE: Changing the 'WebAuthn' configuration may render all existing 'WebAuthn'
+registrations unusable!
+
+This is done via `/etc/pve/datacenter.cfg`. For instance:
+
+----
+webauthn:
+rp=mypve.example.com,origin=https://mypve.example.com:8006,id=mypve.example.com
+----