Integrate a TOTP library (e.g., speakeasy or pyotp).
Add backend endpoints to generate/verify OTP codes.
Modify the admin login flow:
Step 1: Username/password.
Step 2: Prompt for 6-digit OTP.
Provide recovery codes (PDF download) for lost devices. Acceptance Criteria:
Admins cannot log in without OTP after MFA activation.
System logs MFA attempts (success/fail).