diff --git a/common/auth.py b/common/auth.py
index 540fafc405..f26e081c84 100644
--- a/common/auth.py
+++ b/common/auth.py
@@ -109,33 +109,23 @@ def authenticate_entry(request):
         if SysConfig().get('enforce_2fa'):
             # 用户是否配置过2fa
             if twofa_enabled:
-                auth_type = twofa_enabled[0].auth_type
-                phone = twofa_enabled[0].phone
                 verify_mode = 'verify_only'
             else:
-                auth_type = 'totp'
-                phone = ''
                 verify_mode = 'verify_config'
             # 设置无登录状态session
             s = SessionStore()
             s['user'] = authenticated_user.username
-            s['auth_type'] = auth_type
             s['verify_mode'] = verify_mode
-            s['phone'] = phone
             s.set_expiry(300)
             s.create()
             result = {'status': 0, 'msg': 'ok', 'data': s.session_key}
         else:
             # 用户是否配置过2fa
             if twofa_enabled:
-                auth_type = twofa_enabled[0].auth_type
-                phone = twofa_enabled[0].phone
                 # 设置无登录状态session
                 s = SessionStore()
                 s['user'] = authenticated_user.username
-                s['auth_type'] = auth_type
                 s['verify_mode'] = 'verify_only'
-                s['phone'] = phone
                 s.set_expiry(300)
                 s.create()
                 result = {'status': 0, 'msg': 'ok', 'data': s.session_key}
diff --git a/common/templates/2fa.html b/common/templates/2fa.html
index 0515e7ce17..b4b22d14a2 100644
--- a/common/templates/2fa.html
+++ b/common/templates/2fa.html
@@ -27,7 +27,7 @@ <h4 style="font-weight: bold">启用两步验证</h4>
                 </div>
                 <div class="form-group">
                     <label for="auth_type">验证方式:</label>
-                    <select id="auth_type" class="form-control show-tick selectpicker" name="instances"
+                    <select id="auth_type" class="form-control show-tick selectpicker" name="auth_type"
                             title="选择额外验证方式:"
                             data-live-search="true">
                         <option value="totp" selected="selected">Google身份验证器</option>
@@ -44,34 +44,34 @@ <h4 style="font-weight: bold">启用两步验证</h4>
                     <input class="form-control ng-valid ng-dirty ng-touched" id="phone" name="phone" type="text"
                            oninput="value=value.replace(/[^\d]/g,'')" autocomplete="off" required>
                 </div>
-                <div class="form-group"><label class="control-label" for="otpCode">2. 输入6位验证码完成验证：</label><input class="form-control ng-valid ng-dirty ng-touched" id="otpCode" name="otpCode" type="text" oninput="value=value.replace(/[^\d]/g,'')" autocomplete="off" required>
+                <div class="form-group">
+                    <label class="control-label" for="otpCode">2. 输入6位验证码完成验证：</label>
+                    <input class="form-control ng-valid ng-dirty ng-touched" id="otpCode" name="otpCode" type="text"
+                           oninput="value=value.replace(/[^\d]/g,'')" autocomplete="off" required>
                 </div>
                 <div class="form-group" style="text-align: center">
-                    <button id="btnCaptcha" type="button" class="btn btn-primary" style="display: none">获取验证码</button>
+                    <button id="btnCaptcha" type="button" class="btn btn-primary btn-block" style="display: none">获取验证码</button>
                     <button id="btnAuth" type="button" class="btn btn-success btn-block"><i class="fa-lock"></i>验证</button>
                 </div>
             {% else %}
-                {% if auth_type == 'totp' %}
-                    <div class="form-group is-focused">
-                        <label class="control-label" for="otpCode">OTP验证码</label>
-                        <input class="form-control ng-valid ng-dirty ng-touched" id="otpCode" name="otpCode" type="text"
-                               oninput="value=value.replace(/[^\d]/g,'')" autocomplete="off" required>
-
-                    </div>
-                    <div class="form-group">
-                        <button id="btnAuth" type="button" class="btn btn-success btn-block"><i class="fa-lock"></i>验证</button>
-                    </div>
-                {% else %}
-                    <div class="form-group is-focused">
-                        <label class="control-label" for="otpCode">短信验证码</label>
-                        <input class="form-control ng-valid ng-dirty ng-touched" id="otpCode" name="otpCode" type="text"
-                               oninput="value=value.replace(/[^\d]/g,'')" autocomplete="off" required>
-                    </div>
-                    <div class="form-group">
-                        <button id="btnCaptcha" type="button" class="btn btn-primary btn-block" >获取验证码</button>
-                        <button id="btnAuth" type="button" class="btn btn-success btn-block"><i class="fa-lock"></i>验证</button>
-                    </div>
-                {% endif %}
+                <div class="form-group">
+                    <label for="auth_type">选择验证方式:</label>
+                    <select id="auth_type" class="form-control show-tick selectpicker" name="auth_type"
+                            title="选择额外验证方式:"
+                            data-live-search="true">
+                    </select>
+                </div>
+                <div class="form-group">
+                    <label id="totp-form" class="control-label" for="otpCode">OTP验证码</label>
+                    <label id="sms-form" class="control-label" for="otpCode">短信验证码</label>
+                    <input class="form-control ng-valid ng-dirty ng-touched" id="otpCode" name="otpCode" type="text"
+                           oninput="value=value.replace(/[^\d]/g,'')" autocomplete="off" required>
+                </div>
+                <input id="phone" value="{{ phone }}" style="display: none">
+                <div class="form-group">
+                    <button id="btnCaptcha" type="button" class="btn btn-primary btn-block" >获取验证码</button>
+                    <button id="btnAuth" type="button" class="btn btn-success btn-block"><i class="fa-lock"></i>验证</button>
+                </div>
             {% endif %}
             <input type="text" style="display:none">
         </form>
@@ -120,6 +120,10 @@ <h4 style="font-weight: bold">启用两步验证</h4>
             //keycode==13为回车键
             if (event.keyCode === 13) {
                 let otp = $('#otpCode').val();
+                if (!otp) {
+                    alert('请输入验证码！')
+                    return
+                }
                 authOTP(otp);
             }
         });
@@ -127,10 +131,20 @@ <h4 style="font-weight: bold">启用两步验证</h4>
 
     $(document).ready(function () {
         if ('{{ verify_mode }}' === 'verify_config') {
-            if ('{{ auth_type }}' === 'totp') {
-                let data = config_2fa();
-                $("#qrcode-img").attr("key", data.data.key)
-                $("#qrcode-img").attr("src", "/user/qrcode/" + data.data.key)
+            let data = config_2fa();
+            $("#qrcode-img").attr("key", data.data.key)
+            $("#qrcode-img").attr("src", "/user/qrcode/" + data.data.key)
+        } else if ('{{ verify_mode }}' === 'verify_only') {
+            let auth_types = {{ auth_types|safe }};
+            for (i=0;i < auth_types.length;i++) {
+                let auth_type;
+                if (i === 0) {
+                    auth_type = '<option value="' + auth_types[i].code + '" selected="selected">' + auth_types[i].display + '</option>'
+                } else {
+                    auth_type = '<option value="' + auth_types[i].code + '">' + auth_types[i].display + '</option>'
+                }
+                $("#auth_type").append(auth_type)
+                $("#auth_type").trigger('change')
             }
         }
     })
@@ -160,33 +174,31 @@ <h4 style="font-weight: bold">启用两步验证</h4>
     })
 
     $("#auth_type").change(function () {
+        $("#otpCode").val('');
         let auth_type = $("#auth_type").val();
         if (auth_type === 'totp') {
             $("#totp-form").show();
             $("#sms-form").hide();
-            $("#btnCaptcha").hide();
-            $("#btnAuth").addClass('btn-block');
+            $("#btnCaptcha").hide()
         } else if (auth_type === 'sms') {
             $("#totp-form").hide();
             $("#sms-form").show();
-            $("#btnCaptcha").show();
-            $("#btnAuth").removeClass('btn-block');
+            $("#btnCaptcha").show()
         }
     })
 
     function config_2fa() {
         // 配置2fa
         let result;
-        let phone = $("#phone").val();
-        let auth_type = $("#auth_type").val();
         $.ajax({
             type: "post",
             url: "/api/v1/user/2fa/",
             dataType: "json",
             data: {
                 engineer: '{{ username }}',
-                auth_type: auth_type?auth_type:'{{ auth_type }}',
-                phone: phone?phone:'{{ phone }}'
+                enable: 'true',
+                auth_type: $("#auth_type").val(),
+                phone: $("#phone").val()
             },
             async: false,
             complete: function () {
diff --git a/common/templates/base.html b/common/templates/base.html
index 94e976fe59..f46c93c663 100644
--- a/common/templates/base.html
+++ b/common/templates/base.html
@@ -17,6 +17,7 @@
     <link href="{% static 'font-awesome/css/font-awesome.min.css' %}" rel="stylesheet">
     <link href="{% static 'bootstrap-select/css/bootstrap-select.min.css' %}" rel="stylesheet">
     <link href="{% static 'bootstrap-table/css/bootstrap-table.min.css' %}" rel="stylesheet">
+    <link href="{% static 'bootstrap-switch/css/bootstrap-switch.min.css' %}" rel="stylesheet">
     <style type="text/css">
     table{
         max-width: none !important;      /*解决 ios 横向滚动失效*/
@@ -287,31 +288,57 @@
             <div class="modal-header">
                 <button type="button" class="close" data-dismiss="modal" aria-label="Close"><span
                         aria-hidden="true">&times;</span></button>
-                <h4 class="modal-title" id="myModalLabel1">两步验证</h4>
+                <h4 class="modal-title" id="myModalLabel1" style="font-weight: bold">两步验证</h4>
             </div>
             <div class="modal-body">
+                <div class="form-horizontal">
                 <div class="form-group">
-                <label class="text-success">当前验证方式：</label>
-                <i>{% if twofa_type == 'disabled' %}
-                        未启用
-                    {% elif twofa_type == 'totp' %}
-                        TOTP验证
-                    {% elif twofa_type == 'sms' %}
-                        短信验证
-                    {% endif %}</i>
+                    <label for="totp-switch" class="col-sm-4 control-label">TOTP：</label>
+                    <div class="col-sm-8">
+                        <div class="switch switch-small">
+                            <label>
+                                <input id="totp-switch" name="2fa" auth_type="totp" type="checkbox">
+                            </label>
+                        </div>
+                    </div>
                 </div>
                 <div class="form-group">
-                    <label for="auth_type">验证方式:</label>
-                    <select id="auth_type" class="form-control show-tick selectpicker" name="instances"
-                                    title="选择额外验证方式:"
-                                    data-live-search="true">
-                        <option value="disabled">关闭两步验证</option>
-                        <option value="totp" selected="selected">Google身份验证器</option>
-                        <option value="sms">短信验证码</option>
-                    </select>
+                    <label for="sms-switch" class="col-sm-4 control-label">短信：</label>
+                    <div class="col-sm-8">
+                        <div class="switch switch-small">
+                            <label>
+                                <input id="sms-switch" name="2fa" auth_type="sms" type="checkbox">
+                            </label>
+                        </div>
+                    </div>
                 </div>
+                </div>
+                <input id="enable" style="display: none">
+                <input id="state" style="display: none">
+                <select id="auth_type" style="display:none">
+                    <option value="totp"></option>
+                    <option value="sms"></option>
+                </select>
+            </div>
+            <div class="modal-footer">
+                <button type="button" class="btn btn-default" data-dismiss="modal">关闭</button>
+            </div>
+        </div>
+    </div>
+</div>
+
+<!-- 密码验证模态框-->
+<div class="modal fade" id="passwd-auth" tabindex="-1" role="dialog" aria-labelledby="myModalLabel">
+    <div class="modal-dialog modal-sm" role="document">
+        <div class="modal-content">
+            <div class="modal-header">
+                <button type="button" class="close" data-dismiss="modal" aria-label="Close"><span
+                        aria-hidden="true">&times;</span></button>
+                <h4 class="modal-title" id="myModalLabel1">验证当前用户密码</h4>
+            </div>
+            <div class="modal-body">
                 <div class="form-group">
-                    <label for="passwd">需输入密码验证:</label>
+                    <label for="passwd">输入密码验证:</label>
                     <input type="password" class="form-control" id="passwd" placeholder="确认密码" required>
                 </div>
             </div>
@@ -323,7 +350,7 @@ <h4 class="modal-title" id="myModalLabel1">两步验证</h4>
     </div>
 </div>
 
-<!-- 验证模态框-->
+<!-- OTP验证模态框-->
 <div class="modal fade bs-example-modal-sm" id="2fa-auth" tabindex="-1" role="dialog" aria-labelledby="myModalLabel">
     <div class="modal-dialog modal-sm" role="document">
         <div class="modal-content">
@@ -382,6 +409,7 @@ <h4 class="modal-title" id="myModalLabel2">扫码绑定</h4>
 <script src="{% static 'bootstrap-select/js/i18n/defaults-zh_CN.min.js' %}"></script>
 <script src="{% static 'bootstrap-table/js/bootstrap-table.min.js' %}"></script>
 <script src="{% static 'bootstrap-table/js/bootstrap-table-zh-CN.min.js' %}"></script>
+<script src="{% static 'bootstrap-switch/js/bootstrap-switch.min.js' %}"></script>
 <script src="{% static 'sql-formatter/sql-formatter.min.js' %}"></script>
 <script src="{% static 'dist/js/formatter.js' %}"></script>
 <script src="{% static 'dist/js/utils.js' %}"></script>
@@ -398,7 +426,7 @@ <h4 class="modal-title" id="myModalLabel2">扫码绑定</h4>
     };
 </script>
 <script>
-    function twofa(auth_type) {
+    function twofa(enable, auth_type) {
         // 配置2fa
         let result;
         $.ajax({
@@ -407,6 +435,7 @@ <h4 class="modal-title" id="myModalLabel2">扫码绑定</h4>
             dataType: "json",
             data: {
                 engineer: '{{ user.username }}',
+                enable: enable,
                 auth_type: auth_type,
                 phone: $("#phone").val()
             },
@@ -499,7 +528,6 @@ <h4 class="modal-title" id="myModalLabel2">扫码绑定</h4>
             },
             success: function (data) {
                 if (data.status === 0) {
-                    $("#2fa").modal('hide');
                     result = true
                 } else {
                     alert(data.msg);
@@ -512,7 +540,7 @@ <h4 class="modal-title" id="myModalLabel2">扫码绑定</h4>
         return result
     }
 
-    $("#auth_type").change(function () {
+    $("#auth_type").change(function() {
         let auth_type = $("#auth_type").val();
         if (auth_type === 'totp') {
             $("#totp-form").show();
@@ -545,12 +573,13 @@ <h4 class="modal-title" id="myModalLabel2">扫码绑定</h4>
         $("#phone").val('')
     });
 
-    $('#2fa').on('hide.bs.modal', function () {
+    $('#passwd-auth').on('hide.bs.modal', function () {
         $("#passwd").val('')
     });
 
     $("#btnConfirm").click(function () {
         let auth_type = $("#auth_type").val();
+        let enable = $("#enable").val();
         let password = $("#passwd").val();
         password = password.replace(/(^\s*)|(\s*$)/g, "");
         if (!password) {
@@ -560,41 +589,118 @@ <h4 class="modal-title" id="myModalLabel2">扫码绑定</h4>
         $("#passwd").val('');
         let isAuthenticated = auth('{{ user.username }}', password);
         if (isAuthenticated) {
-            if (auth_type === 'sms') {
-                $("#2fa-auth").modal("show");
-            } else {
-                let data = twofa(auth_type);
+            $("#passwd-auth").modal("hide");
+            if (enable === 'false') {
+                let data = twofa(enable, auth_type);
                 if (data.status === 0) {
-                    if (auth_type === 'disabled') {
-                        alert("已关闭两步验证！")
-                    } else if (auth_type === 'totp') {
-                        let key = data.data.key;
-                        $("#qrcode-img").attr("key", key)
-                        $("#qrcode-img").attr("src", "/user/qrcode/" + key)
-                        // 展示二维码
-                        $("#2fa-auth").modal("show");
-                    }
+                    alert('配置成功')
                 } else {
                     alert(data.msg)
                 }
+            } else {
+                if (auth_type === 'sms') {
+                    $("#2fa-auth").modal("show");
+                } else {
+                    let data = twofa(enable, auth_type);
+                    if (data.status === 0) {
+                            if (auth_type === 'totp') {
+                                let key = data.data.key;
+                                $("#qrcode-img").attr("key", key)
+                                $("#qrcode-img").attr("src", "/user/qrcode/" + key)
+                            }
+                            $("#2fa-auth").modal("show");
+                    } else {
+                        alert(data.msg)
+                    }
+                }
             }
         }
     })
 
     $("#get_captcha").click(function () {
         let phone = $("#phone").val();
+        let enable = $("#enable").val();
         if (!phone) {
             alert('请输入手机号！')
             return
         }
 
         let auth_type = $("#auth_type").val();
-        let data = twofa(auth_type);
+        let data = twofa(enable, auth_type);
         if (data.status === 0) {
             init_countdown(this);
             alert('验证码已发送，5分钟内有效');
         }
     })
+
+    $("#2fa").on('show.bs.modal',function() {
+        $('input[name="2fa"]').each(function (i) {
+            $(this).bootstrapSwitch({
+                onText: "启用",
+                offText: "禁用",
+                onColor: "success",
+                size: "small",
+            })
+        })
+        $.ajax({
+            type: "post",
+            url: "/api/v1/user/2fa/state/",
+            dataType: "json",
+            data: {
+                engineer: '{{ user.username }}'
+            },
+            complete: function () {
+            },
+            success: function (data) {
+                if (data.status === 0) {
+                    if (data.data.totp === 'enabled') {
+                        $("#totp-switch").val('true');
+                    } else {
+                        $("#totp-switch").val('false');
+                    }
+                    if (data.data.sms === 'enabled') {
+                        $("#sms-switch").val('true');
+                    } else {
+                        $("#sms-switch").val('false');
+                    }
+                } else {
+                    alert(data.msg)
+                }
+            },
+            error: function (XMLHttpRequest, textStatus, errorThrown) {
+                alert(errorThrown + ' : ' + XMLHttpRequest.responseText)
+            }
+        })
+    })
+
+    $("#2fa").on('shown.bs.modal',function(){
+        $("#state").val('initial');
+        $('input[name="2fa"]').each(function (i) {
+            if ($(this).val() === 'true') {
+                $(this).bootstrapSwitch('state', true);
+            } else {
+                $(this).bootstrapSwitch('state', false);
+            }
+        });
+        $("#state").val('')
+    })
+
+    $('input[name="2fa"]').on('switchChange.bootstrapSwitch', function(event, state) {
+        if ($("#state").val() !== 'initial') {
+            $("#auth_type").val($(this).attr('auth_type'));
+            $("#auth_type").trigger('change');
+            $("#enable").val(state);
+            $("#2fa").modal("hide");
+            $("#passwd-auth").modal("show");
+            if (state) {
+                $(this).val(true);
+            } else {
+                $(this).val(false);
+            }
+        }
+    })
+
+
 </script>
 </body>
 <script>
diff --git a/common/templates/config.html b/common/templates/config.html
index 31b10d0298..afef26bb3c 100755
--- a/common/templates/config.html
+++ b/common/templates/config.html
@@ -1130,7 +1130,7 @@ <h5 class="control-label text-bold">当前审批流程：<b id="workflow_auditor
                 $("#div-system-config").show();
                 $("#div-workflow").hide();
                 $("#div-workflow-config").hide();
-                $('input[type="checkbox"]').each(function (i) {
+                $("#div-system-config").find('input[type="checkbox"]').each(function (i) {
                     if ($(this).val() === 'true') {
                         $(this).bootstrapSwitch('state', true);
                     } else {
diff --git a/common/twofa/__init__.py b/common/twofa/__init__.py
index 0430c9f281..58b8e75af0 100644
--- a/common/twofa/__init__.py
+++ b/common/twofa/__init__.py
@@ -17,11 +17,11 @@ def enable(self):
         result = {'status': 1, 'msg': 'failed'}
         return result
 
-    def disable(self):
+    def disable(self, auth_type):
         """禁用"""
         result = {'status': 0, 'msg': 'ok'}
         try:
-            TwoFactorAuthConfig.objects.get(user=self.user).delete()
+            TwoFactorAuthConfig.objects.get(user=self.user, auth_type=auth_type).delete()
         except TwoFactorAuthConfig.DoesNotExist as e:
             result = {'status': 0, 'msg': str(e)}
         return result
diff --git a/common/twofa/sms.py b/common/twofa/sms.py
index 5e729569ca..63e01cdeac 100644
--- a/common/twofa/sms.py
+++ b/common/twofa/sms.py
@@ -78,7 +78,7 @@ def save(self, phone):
         try:
             with transaction.atomic():
                 # 删除旧的2fa配置
-                self.disable()
+                self.disable(self.auth_type)
                 # 创建新的2fa配置
                 TwoFactorAuthConfig.objects.create(
                     username=self.user.username,
diff --git a/common/twofa/totp.py b/common/twofa/totp.py
index a563635df0..25a4aad2fb 100644
--- a/common/twofa/totp.py
+++ b/common/twofa/totp.py
@@ -24,7 +24,8 @@ def verify(self, otp, key=None):
         if key:
             secret_key = key
         else:
-            secret_key = TwoFactorAuthConfig.objects.get(username=self.user.username).secret_key
+            secret_key = TwoFactorAuthConfig.objects.get(username=self.user.username,
+                                                         auth_type=self.auth_type).secret_key
         t = pyotp.TOTP(secret_key)
         status = t.verify(otp)
         result['status'] = 0 if status else 1
@@ -51,7 +52,7 @@ def save(self, secret_key):
         try:
             with transaction.atomic():
                 # 删除旧的2fa配置
-                self.disable()
+                self.disable(self.auth_type)
                 # 创建新的2fa配置
                 TwoFactorAuthConfig.objects.create(
                     username=self.user.username,
diff --git a/sql/models.py b/sql/models.py
index 8e18ae2021..d53eff3e2a 100755
--- a/sql/models.py
+++ b/sql/models.py
@@ -74,7 +74,7 @@ class TwoFactorAuthConfig(models.Model):
     auth_type = fields.EncryptedCharField(verbose_name='认证类型', max_length=128, choices=auth_type_choice)
     phone = fields.EncryptedCharField(verbose_name='手机号码', max_length=64, null=True, default='')
     secret_key = fields.EncryptedCharField(verbose_name='用户密钥', max_length=256, null=True)
-    user = models.OneToOneField(Users, on_delete=models.CASCADE)
+    user = models.ForeignKey(Users, on_delete=models.CASCADE)
 
     def __int__(self):
         return self.username
@@ -84,6 +84,7 @@ class Meta:
         db_table = '2fa_config'
         verbose_name = u'2FA配置'
         verbose_name_plural = u'2FA配置'
+        unique_together = ('user', 'auth_type')
 
 
 class InstanceTag(models.Model):
diff --git a/sql/views.py b/sql/views.py
index e8b2191fbb..9bb67df090 100644
--- a/sql/views.py
+++ b/sql/views.py
@@ -21,7 +21,8 @@
 from sql.utils.tasks import task_info
 
 from .models import Users, SqlWorkflow, QueryPrivileges, ResourceGroup, \
-    QueryPrivilegesApply, Config, SQL_WORKFLOW_CHOICES, InstanceTag, Instance, QueryLog, ArchiveConfig, AuditEntry
+    QueryPrivilegesApply, Config, SQL_WORKFLOW_CHOICES, InstanceTag, Instance, \
+    QueryLog, ArchiveConfig, AuditEntry, TwoFactorAuthConfig
 from sql.utils.workflow_audit import Audit
 from sql.utils.sql_review import can_execute, can_timingtask, can_cancel, can_view, can_rollback
 from common.utils.const import Const, WorkflowDict
@@ -52,13 +53,27 @@ def twofa(request):
 
     username = request.session.get('user')
     if username:
-        auth_type = request.session.get('auth_type')
         verify_mode = request.session.get('verify_mode')
-        phone = request.session.get('phone')
+        twofa_enabled = TwoFactorAuthConfig.objects.filter(username=username)
+        user_auth_types = [twofa.auth_type for twofa in twofa_enabled]
+
+        auth_types = []
+        for user_auth_type in user_auth_types:
+            auth_type = {}
+            auth_type['code'] = user_auth_type
+            if user_auth_type == 'totp':
+                auth_type['display'] = 'Google身份验证器'
+            elif user_auth_type == 'sms':
+                auth_type['display'] = '短信验证码'
+            auth_types.append(auth_type)
+        if 'sms' in user_auth_types:
+            phone = TwoFactorAuthConfig.objects.get(username=username, auth_type='sms').phone
+        else:
+            phone = 0
     else:
         return HttpResponseRedirect('/login/')
 
-    return render(request, '2fa.html', context={'verify_mode': verify_mode, 'auth_type': auth_type,
+    return render(request, '2fa.html', context={'verify_mode': verify_mode, 'auth_types': auth_types,
                                                 'username': username, 'phone': phone})
 
 
diff --git a/sql_api/api_user.py b/sql_api/api_user.py
index dca84c39d1..5aec0a4151 100644
--- a/sql_api/api_user.py
+++ b/sql_api/api_user.py
@@ -2,7 +2,8 @@
 from rest_framework.response import Response
 from drf_spectacular.utils import extend_schema
 from .serializers import UserSerializer, UserDetailSerializer, GroupSerializer, \
-    ResourceGroupSerializer, TwoFASerializer, UserAuthSerializer, TwoFAVerifySerializer, TwoFASaveSerializer
+    ResourceGroupSerializer, TwoFASerializer, UserAuthSerializer, TwoFAVerifySerializer, \
+    TwoFASaveSerializer, TwoFAStateSerializer
 from .pagination import CustomizedPagination
 from .permissions import IsOwner
 from .filters import UserFilter
@@ -248,7 +249,7 @@ class TwoFA(views.APIView):
 
     @extend_schema(summary="配置2fa",
                    request=TwoFASerializer,
-                   description="启用或关闭2fa")
+                   description="配置2fa")
     def post(self, request):
         # 参数验证
         serializer = TwoFASerializer(data=request.data)
@@ -256,6 +257,7 @@ def post(self, request):
             return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
 
         engineer = request.data['engineer']
+        enable = request.data['enable']
         auth_type = request.data['auth_type']
         user = Users.objects.get(username=engineer)
         request_user = request.session.get('user')
@@ -267,28 +269,50 @@ def post(self, request):
             else:
                 return Response({'status': 1, 'msg': '需先校验用户密码！'})
 
-        if auth_type == 'disabled':
-            # 关闭2fa
-            authenticator = TwoFactorAuthBase(user=user)
-            result = authenticator.disable()
-        elif auth_type == 'totp':
-            # 启用2fa - 先生成secret key
-            authenticator = get_authenticator(user=user, auth_type=auth_type)
-            result = authenticator.generate_key()
-        elif auth_type == 'sms':
-            # 启用2fa - 先发送短信验证码
-            phone = request.data['phone']
-            otp = '{:06d}'.format(random.randint(0, 999999))
-            authenticator = get_authenticator(user=user, auth_type=auth_type)
-            result = authenticator.get_captcha(phone=phone, otp=otp)
-            if result['status'] == 0:
-                r = get_redis_connection('default')
-                data = {'otp': otp, 'update_time': int(time.time())}
-                r.set(f'captcha-{phone}', json.dumps(data), 300)
+        authenticator = get_authenticator(user=user, auth_type=auth_type)
+        if enable == 'true':
+            if auth_type == 'totp':
+                # 启用2fa - 先生成secret key
+                result = authenticator.generate_key()
+            elif auth_type == 'sms':
+                # 启用2fa - 先发送短信验证码
+                phone = request.data['phone']
+                otp = '{:06d}'.format(random.randint(0, 999999))
+                result = authenticator.get_captcha(phone=phone, otp=otp)
+                if result['status'] == 0:
+                    r = get_redis_connection('default')
+                    data = {'otp': otp, 'update_time': int(time.time())}
+                    r.set(f'captcha-{phone}', json.dumps(data), 300)
+            else:
+                # 启用2fa
+                result = authenticator.enable()
         else:
-            # 启用2fa
-            authenticator = get_authenticator(user=user, auth_type=auth_type)
-            result = authenticator.enable()
+            result = authenticator.disable(auth_type)
+
+        return Response(result)
+
+
+class TwoFAState(views.APIView):
+    """
+    查询用户2fa配置情况
+    """
+    permission_classes = [IsOwner]
+
+    @extend_schema(summary="查询2fa配置情况",
+                   request=TwoFAStateSerializer,
+                   description="查询2fa配置情况")
+    def post(self, request):
+        # 参数验证
+        serializer = TwoFAStateSerializer(data=request.data)
+        if not serializer.is_valid():
+            return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
+
+        result = {'status': 0, 'msg': 'ok', 'data': {}}
+        engineer = request.data['engineer']
+        user = Users.objects.get(username=engineer)
+        configs = TwoFactorAuthConfig.objects.filter(user=user)
+        result['data']['totp'] = 'enabled' if configs.filter(auth_type='totp') else 'disabled'
+        result['data']['sms'] = 'enabled' if configs.filter(auth_type='sms') else 'disabled'
 
         return Response(result)
 
@@ -354,15 +378,10 @@ def post(self, request):
 
             twofa_config = TwoFactorAuthConfig.objects.filter(user=user)
             if not twofa_config:
-                if key:
-                    auth_type = request.data['auth_type']
-                else:
+                if not key:
                     return Response({'status': 1, 'msg': '用户未配置2FA！'})
-            else:
-                auth_type = twofa_config[0].auth_type
-        else:
-            auth_type = request.data['auth_type']
 
+        auth_type = request.data['auth_type']
         authenticator = get_authenticator(user=user, auth_type=auth_type)
         if auth_type == 'sms':
             result = authenticator.verify(otp, phone)
diff --git a/sql_api/serializers.py b/sql_api/serializers.py
index 3298aed57e..874ef81352 100644
--- a/sql_api/serializers.py
+++ b/sql_api/serializers.py
@@ -97,26 +97,42 @@ class UserAuthSerializer(serializers.Serializer):
 
 class TwoFASerializer(serializers.Serializer):
     engineer = serializers.CharField(label='用户名')
+    enable = serializers.ChoiceField(choices=['true', 'false'], label='启用or禁用')
     phone = serializers.CharField(required=False, label='手机号码')
-    auth_type = serializers.ChoiceField(choices=['disabled', 'totp', 'sms'],
-                                        label='验证类型：disabled-关闭，totp-Google身份验证器，sms-短信验证码')
+    auth_type = serializers.ChoiceField(choices=['totp', 'sms'],
+                                        label='验证类型：totp-Google身份验证器，sms-短信验证码')
 
     def validate(self, attrs):
         auth_type = attrs.get('auth_type')
         engineer = attrs.get('engineer')
+        enable = attrs.get('enable')
 
         try:
             Users.objects.get(username=engineer)
         except Users.DoesNotExist:
             raise serializers.ValidationError({"errors": "不存在该用户"})
 
-        if auth_type == 'sms':
+        if auth_type == 'sms' and enable == 'true':
             if not attrs.get('phone'):
                 raise serializers.ValidationError({"errors": "缺少 phone"})
 
         return attrs
 
 
+class TwoFAStateSerializer(serializers.Serializer):
+    engineer = serializers.CharField(label='用户名')
+
+    def validate(self, attrs):
+        engineer = attrs.get('engineer')
+
+        try:
+            Users.objects.get(username=engineer)
+        except Users.DoesNotExist:
+            raise serializers.ValidationError({"errors": "不存在该用户"})
+
+        return attrs
+
+
 class TwoFASaveSerializer(serializers.Serializer):
     engineer = serializers.CharField(label='用户名')
     key = serializers.CharField(required=False, label='密钥')
@@ -151,17 +167,12 @@ class TwoFAVerifySerializer(serializers.Serializer):
     otp = serializers.IntegerField(label='一次性密码/验证码')
     key = serializers.CharField(required=False, label='密钥')
     phone = serializers.CharField(required=False, label='手机号码')
-    auth_type = serializers.CharField(required=False, label='验证方式')
+    auth_type = serializers.CharField(label='验证方式')
 
     def validate(self, attrs):
         engineer = attrs.get('engineer')
-        key = attrs.get('key')
         auth_type = attrs.get('auth_type')
 
-        if key:
-            if not auth_type:
-                raise serializers.ValidationError({"errors": "缺少 auth_type"})
-
         if auth_type == 'sms':
             if not attrs.get('phone'):
                 raise serializers.ValidationError({"errors": "缺少 phone"})
diff --git a/sql_api/tests.py b/sql_api/tests.py
index 5686af0c78..80b6ebe870 100644
--- a/sql_api/tests.py
+++ b/sql_api/tests.py
@@ -175,7 +175,8 @@ def test_2fa_config(self):
         """测试用户配置2fa"""
         json_data = {
             "engineer": "test_user",
-            "auth_type": "disabled"
+            "auth_type": "totp",
+            "enable": "false"
         }
         r = self.client.post(f'/api/v1/user/2fa/', json_data, format='json')
         self.assertEqual(r.status_code, status.HTTP_200_OK)
diff --git a/sql_api/urls.py b/sql_api/urls.py
index bfbe96e42a..a4c064b33b 100644
--- a/sql_api/urls.py
+++ b/sql_api/urls.py
@@ -23,6 +23,7 @@
     path('v1/user/resourcegroup/<int:pk>/', api_user.ResourceGroupDetail.as_view()),
     path('v1/user/auth/', api_user.UserAuth.as_view()),
     path('v1/user/2fa/', api_user.TwoFA.as_view()),
+    path('v1/user/2fa/state/', api_user.TwoFAState.as_view()),
     path('v1/user/2fa/save/', api_user.TwoFASave.as_view()),
     path('v1/user/2fa/verify/', api_user.TwoFAVerify.as_view()),
     path('v1/instance/', api_instance.InstanceList.as_view()),
diff --git a/src/init_sql/v1.9.0.sql b/src/init_sql/v1.9.0.sql
index 008d1ed160..566ee59b8f 100644
--- a/src/init_sql/v1.9.0.sql
+++ b/src/init_sql/v1.9.0.sql
@@ -1,5 +1,19 @@
 alter table sql_config add unique index uniq_item(item),drop primary key,
     add id bigint unsigned not null auto_increment primary key first ;
 
-# 2fa配置表增加phone字段
-alter table 2fa_config add column `phone` varchar(64) DEFAULT '' after `auth_type`;
+# 2fa配置表重构
+CREATE TABLE `2fa_config_new` (
+  `id` int(11) NOT NULL AUTO_INCREMENT,
+  `username` varchar(200) NOT NULL,
+  `auth_type` varchar(128) NOT NULL,
+  `phone` varchar(64) DEFAULT '',
+  `secret_key` varchar(256) DEFAULT NULL,
+  `user_id` int(11) NOT NULL,
+  PRIMARY KEY (`id`),
+  UNIQUE KEY `2fa_config_user_id_auth_type_303171fc_uniq` (`user_id`,`auth_type`),
+  KEY `2fa_config_user_id_a0d1d7c2` (`user_id`),
+  CONSTRAINT `2fa_config_user_id_new_fk_sql_users_id` FOREIGN KEY (`user_id`) REFERENCES `sql_users` (`id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
+insert into `2fa_config_new`(id,username,auth_type,secret_key,user_id) select id,username,auth_type,secret_key,user_id from 2fa_config;
+rename table `2fa_config` to `2fa_config_old`, `2fa_config_new` to `2fa_config`;
+drop table `2fa_config_old`;