diff --git a/app/Http/Controllers/Admin/SettingController.php b/app/Http/Controllers/Admin/SettingController.php
index 3e6c8bd..d0a7a60 100644
--- a/app/Http/Controllers/Admin/SettingController.php
+++ b/app/Http/Controllers/Admin/SettingController.php
@@ -5,10 +5,14 @@ namespace App\Http\Controllers\Admin;
 use App\Http\Controllers\Controller;
 use App\Services\SiteSettingsService;
 use App\Services\UpdateService;
+use Illuminate\Http\JsonResponse;
 use Illuminate\Http\RedirectResponse;
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\Storage;
 use Illuminate\View\View;
+use Symfony\Component\Mailer\Transport\Smtp\EsmtpTransport;
+use Symfony\Component\Mime\Address;
+use Symfony\Component\Mime\Email;
 
 class SettingController extends Controller
 {
@@ -61,6 +65,87 @@ class SettingController extends Controller
         return back()->with('success', 'Logo supprimé.');
     }
 
+    // ── SMTP ──────────────────────────────────────────────────────────────────
+
+    public function updateSmtp(Request $request): RedirectResponse
+    {
+        $data = $request->validate([
+            'smtp_host'         => ['required', 'string', 'max:255'],
+            'smtp_port'         => ['required', 'integer', 'min:1', 'max:65535'],
+            'smtp_encryption'   => ['nullable', 'in:tls,ssl'],
+            'smtp_username'     => ['nullable', 'string', 'max:255'],
+            'smtp_password'     => ['nullable', 'string', 'max:255'],
+            'smtp_from_address' => ['required', 'email', 'max:255'],
+            'smtp_from_name'    => ['required', 'string', 'max:255'],
+        ]);
+
+        SiteSettingsService::set('smtp', [
+            'host'         => $data['smtp_host'],
+            'port'         => (int) $data['smtp_port'],
+            'encryption'   => $data['smtp_encryption'] ?? null,
+            'username'     => $data['smtp_username'] ?? null,
+            'password'     => $data['smtp_password'] ?? null,
+            'from_address' => $data['smtp_from_address'],
+            'from_name'    => $data['smtp_from_name'],
+        ]);
+
+        return back()->with('success', 'Configuration SMTP enregistrée. Le 2FA par e-mail est maintenant actif.');
+    }
+
+    public function deleteSmtp(): RedirectResponse
+    {
+        SiteSettingsService::set('smtp', []);
+
+        return back()->with('success', 'Configuration SMTP supprimée. Le 2FA est désactivé.');
+    }
+
+    public function testSmtp(Request $request): JsonResponse
+    {
+        $data = $request->validate([
+            'smtp_host'         => ['required', 'string'],
+            'smtp_port'         => ['required', 'integer'],
+            'smtp_encryption'   => ['nullable', 'in:tls,ssl'],
+            'smtp_username'     => ['nullable', 'string'],
+            'smtp_password'     => ['nullable', 'string'],
+            'smtp_from_address' => ['required', 'email'],
+            'smtp_from_name'    => ['required', 'string'],
+        ]);
+
+        try {
+            $useSsl    = ($data['smtp_encryption'] ?? '') === 'ssl';
+            $transport = new EsmtpTransport($data['smtp_host'], (int) $data['smtp_port'], $useSsl);
+
+            if (! empty($data['smtp_username'])) {
+                $transport->setUsername($data['smtp_username']);
+                $transport->setPassword($data['smtp_password'] ?? '');
+            }
+
+            $mailer = new \Symfony\Component\Mailer\Mailer($transport);
+
+            $email = (new Email())
+                ->from(new Address($data['smtp_from_address'], $data['smtp_from_name']))
+                ->to(auth()->user()->email)
+                ->subject('Test SMTP — ' . config('app.name'))
+                ->text(
+                    "Ce message confirme que votre configuration SMTP fonctionne correctement.\n\n" .
+                    "Serveur : {$data['smtp_host']}:{$data['smtp_port']}\n" .
+                    "Chiffrement : " . ($data['smtp_encryption'] ?: 'aucun') . "\n\n" .
+                    "— " . config('app.name')
+                );
+
+            $mailer->send($email);
+
+            return response()->json([
+                'ok'      => true,
+                'message' => 'E-mail de test envoyé à ' . auth()->user()->email . '. Vérifiez votre boîte de réception.',
+            ]);
+        } catch (\Throwable $e) {
+            return response()->json(['ok' => false, 'message' => $e->getMessage()], 422);
+        }
+    }
+
+    // ── Paramètres généraux ───────────────────────────────────────────────────
+
     public function updateSettings(Request $request): RedirectResponse
     {
         $data = $request->validate([
diff --git a/app/Http/Controllers/Auth/AuthenticatedSessionController.php b/app/Http/Controllers/Auth/AuthenticatedSessionController.php
index 613bcd9..f27ffa4 100644
--- a/app/Http/Controllers/Auth/AuthenticatedSessionController.php
+++ b/app/Http/Controllers/Auth/AuthenticatedSessionController.php
@@ -4,42 +4,68 @@ namespace App\Http\Controllers\Auth;
 
 use App\Http\Controllers\Controller;
 use App\Http\Requests\Auth\LoginRequest;
+use App\Mail\TwoFactorPinMail;
+use App\Services\SiteSettingsService;
 use Illuminate\Http\RedirectResponse;
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\Auth;
+use Illuminate\Support\Facades\Hash;
+use Illuminate\Support\Facades\Log;
+use Illuminate\Support\Facades\Mail;
 use Illuminate\View\View;
 
 class AuthenticatedSessionController extends Controller
 {
-    /**
-     * Display the login view.
-     */
     public function create(): View
     {
         return view('auth.login');
     }
 
-    /**
-     * Handle an incoming authentication request.
-     */
     public function store(LoginRequest $request): RedirectResponse
     {
         $request->authenticate();
 
+        // Si SMTP configuré → 2FA par code PIN
+        if (SiteSettingsService::smtpConfigured()) {
+            $user     = Auth::user();
+            $intended = $request->session()->pull('url.intended', route('dashboard'));
+
+            $pin = str_pad(random_int(0, 999999), 6, '0', STR_PAD_LEFT);
+
+            // Déconnecter et stocker les données 2FA dans la session
+            Auth::logout();
+            $request->session()->regenerate();
+            $request->session()->put([
+                '2fa.user_id'    => $user->id,
+                '2fa.pin_hash'   => Hash::make($pin),
+                '2fa.expires_at' => now()->addMinutes(10)->timestamp,
+                '2fa.intended'   => $intended,
+            ]);
+
+            try {
+                Mail::to($user->email)->send(new TwoFactorPinMail($pin, $user->name));
+            } catch (\Exception $e) {
+                // Si l'envoi échoue, on logue l'erreur et on laisse passer sans 2FA
+                Log::error('2FA: envoi du PIN impossible.', ['error' => $e->getMessage()]);
+                $request->session()->forget('2fa');
+                Auth::login($user);
+                $request->session()->regenerate();
+                return redirect($intended);
+            }
+
+            return redirect()->route('2fa.challenge');
+        }
+
         $request->session()->regenerate();
 
         return redirect()->intended(route('dashboard', absolute: false));
     }
 
-    /**
-     * Destroy an authenticated session.
-     */
     public function destroy(Request $request): RedirectResponse
     {
         Auth::guard('web')->logout();
 
         $request->session()->invalidate();
-
         $request->session()->regenerateToken();
 
         return redirect('/');
diff --git a/app/Http/Controllers/Auth/TwoFactorController.php b/app/Http/Controllers/Auth/TwoFactorController.php
new file mode 100644
index 0000000..491130d
--- /dev/null
+++ b/app/Http/Controllers/Auth/TwoFactorController.php
@@ -0,0 +1,103 @@
+<?php
+
+namespace App\Http\Controllers\Auth;
+
+use App\Http\Controllers\Controller;
+use App\Mail\TwoFactorPinMail;
+use App\Models\User;
+use Illuminate\Http\RedirectResponse;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Auth;
+use Illuminate\Support\Facades\Hash;
+use Illuminate\Support\Facades\Mail;
+use Illuminate\View\View;
+
+class TwoFactorController extends Controller
+{
+    public function challenge(Request $request): View|RedirectResponse
+    {
+        if (! $request->session()->has('2fa.user_id')) {
+            return redirect()->route('login');
+        }
+
+        $user = User::find($request->session()->get('2fa.user_id'));
+        if (! $user) {
+            $request->session()->forget('2fa');
+            return redirect()->route('login');
+        }
+
+        return view('auth.two-factor', [
+            'maskedEmail' => $this->maskEmail($user->email),
+        ]);
+    }
+
+    public function verify(Request $request): RedirectResponse
+    {
+        $request->validate(['pin' => ['required', 'string', 'digits:6']]);
+
+        $userId    = $request->session()->get('2fa.user_id');
+        $pinHash   = $request->session()->get('2fa.pin_hash');
+        $expiresAt = $request->session()->get('2fa.expires_at');
+
+        if (! $userId || ! $pinHash) {
+            return redirect()->route('login')
+                ->withErrors(['email' => 'Session expirée. Veuillez vous reconnecter.']);
+        }
+
+        if (now()->timestamp > (int) $expiresAt) {
+            $request->session()->forget('2fa');
+            return redirect()->route('login')
+                ->withErrors(['email' => 'Le code PIN a expiré. Veuillez vous reconnecter.']);
+        }
+
+        if (! Hash::check($request->input('pin'), $pinHash)) {
+            return back()->withErrors(['pin' => 'Code incorrect. Vérifiez votre e-mail et réessayez.']);
+        }
+
+        // PIN valide — authentifier l'utilisateur
+        $user     = User::findOrFail($userId);
+        $intended = $request->session()->pull('2fa.intended', route('dashboard'));
+
+        $request->session()->forget('2fa');
+        Auth::login($user);
+        $request->session()->regenerate();
+
+        return redirect($intended);
+    }
+
+    public function resend(Request $request): RedirectResponse
+    {
+        $userId = $request->session()->get('2fa.user_id');
+        if (! $userId) {
+            return redirect()->route('login');
+        }
+
+        $user = User::find($userId);
+        if (! $user) {
+            return redirect()->route('login');
+        }
+
+        $pin = str_pad(random_int(0, 999999), 6, '0', STR_PAD_LEFT);
+
+        $request->session()->put([
+            '2fa.pin_hash'   => Hash::make($pin),
+            '2fa.expires_at' => now()->addMinutes(10)->timestamp,
+        ]);
+
+        try {
+            Mail::to($user->email)->send(new TwoFactorPinMail($pin, $user->name));
+        } catch (\Exception $e) {
+            return back()->withErrors(['pin' => "Impossible d'envoyer le code : " . $e->getMessage()]);
+        }
+
+        return back()->with('resent', true);
+    }
+
+    private function maskEmail(string $email): string
+    {
+        [$local, $domain] = explode('@', $email, 2);
+        $visible = min(2, strlen($local));
+        $masked  = substr($local, 0, $visible) . str_repeat('*', max(strlen($local) - $visible, 3));
+        return $masked . '@' . $domain;
+    }
+}
diff --git a/app/Mail/TwoFactorPinMail.php b/app/Mail/TwoFactorPinMail.php
new file mode 100644
index 0000000..3529e66
--- /dev/null
+++ b/app/Mail/TwoFactorPinMail.php
@@ -0,0 +1,32 @@
+<?php
+
+namespace App\Mail;
+
+use Illuminate\Bus\Queueable;
+use Illuminate\Mail\Mailable;
+use Illuminate\Mail\Mailables\Content;
+use Illuminate\Mail\Mailables\Envelope;
+
+class TwoFactorPinMail extends Mailable
+{
+    use Queueable;
+
+    public function __construct(
+        public readonly string $pin,
+        public readonly string $userName,
+    ) {}
+
+    public function envelope(): Envelope
+    {
+        return new Envelope(
+            subject: 'Votre code de connexion — ' . config('app.name'),
+        );
+    }
+
+    public function content(): Content
+    {
+        return new Content(
+            view: 'emails.two-factor-pin',
+        );
+    }
+}
diff --git a/app/Providers/AppServiceProvider.php b/app/Providers/AppServiceProvider.php
index 76ec882..3e7f738 100644
--- a/app/Providers/AppServiceProvider.php
+++ b/app/Providers/AppServiceProvider.php
@@ -13,11 +13,26 @@ class AppServiceProvider extends ServiceProvider
     public function boot(): void
     {
         // Partage les paramètres globaux du site avec toutes les vues
-        View::share('siteLogoUrl',          SiteSettingsService::logoUrl());
-        View::share('registrationEnabled',  SiteSettingsService::registrationEnabled());
-        View::share('siteName',             SiteSettingsService::siteName());
+        View::share('siteLogoUrl',         SiteSettingsService::logoUrl());
+        View::share('registrationEnabled', SiteSettingsService::registrationEnabled());
+        View::share('siteName',            SiteSettingsService::siteName());
 
-        // Remplace config('app.name') par le titre du site défini dans les paramètres
+        // Remplace config('app.name') par le titre défini dans les paramètres
         config(['app.name' => SiteSettingsService::siteName()]);
+
+        // Applique la configuration SMTP si elle est définie dans les paramètres
+        if (SiteSettingsService::smtpConfigured()) {
+            $smtp = SiteSettingsService::smtpConfig();
+            config([
+                'mail.default'                 => 'smtp',
+                'mail.mailers.smtp.host'       => $smtp['host'],
+                'mail.mailers.smtp.port'       => (int) ($smtp['port'] ?? 587),
+                'mail.mailers.smtp.encryption' => $smtp['encryption'] ?: null,
+                'mail.mailers.smtp.username'   => $smtp['username'] ?? null,
+                'mail.mailers.smtp.password'   => $smtp['password'] ?? null,
+                'mail.from.address'            => $smtp['from_address'] ?? null,
+                'mail.from.name'               => $smtp['from_name'] ?? SiteSettingsService::siteName(),
+            ]);
+        }
     }
 }
diff --git a/app/Services/SiteSettingsService.php b/app/Services/SiteSettingsService.php
index f52e68d..0b0e879 100644
--- a/app/Services/SiteSettingsService.php
+++ b/app/Services/SiteSettingsService.php
@@ -60,6 +60,19 @@ class SiteSettingsService
         }
     }
 
+    // ── SMTP ─────────────────────────────────────────────────────────────────
+
+    public static function smtpConfig(): array
+    {
+        return self::get('smtp', []);
+    }
+
+    public static function smtpConfigured(): bool
+    {
+        $smtp = self::smtpConfig();
+        return ! empty($smtp['host']) && ! empty($smtp['port']);
+    }
+
     // ── Titre du site ─────────────────────────────────────────────────────────
 
     public static function siteName(): string
diff --git a/resources/views/admin/parametres/index.blade.php b/resources/views/admin/parametres/index.blade.php
index 9125309..0c3b46e 100644
--- a/resources/views/admin/parametres/index.blade.php
+++ b/resources/views/admin/parametres/index.blade.php
@@ -48,6 +48,168 @@
             </form>
         </div>
 
+        {{-- SMTP --}}
+        @php $smtp = \App\Services\SiteSettingsService::smtpConfig(); @endphp
+        <div class="bg-white shadow rounded-lg p-6 space-y-5"
+             x-data="{
+                host:        '{{ $smtp['host'] ?? '' }}',
+                port:        '{{ $smtp['port'] ?? 587 }}',
+                encryption:  '{{ $smtp['encryption'] ?? 'tls' }}',
+                username:    '{{ $smtp['username'] ?? '' }}',
+                password:    '{{ $smtp['password'] ?? '' }}',
+                fromAddress: '{{ $smtp['from_address'] ?? '' }}',
+                fromName:    '{{ $smtp['from_name'] ?? $siteName }}',
+                testing: false,
+                tested: false,
+                testOk: false,
+                testMsg: '',
+
+                async testSmtp() {
+                    this.testing = true;
+                    this.tested  = false;
+                    try {
+                        const resp = await fetch('{{ route('admin.parametres.smtp.test') }}', {
+                            method: 'POST',
+                            headers: {
+                                'Content-Type': 'application/json',
+                                'X-CSRF-TOKEN': document.querySelector('meta[name=csrf-token]').content,
+                            },
+                            body: JSON.stringify({
+                                smtp_host:         this.host,
+                                smtp_port:         parseInt(this.port),
+                                smtp_encryption:   this.encryption,
+                                smtp_username:     this.username,
+                                smtp_password:     this.password,
+                                smtp_from_address: this.fromAddress,
+                                smtp_from_name:    this.fromName,
+                            }),
+                        });
+                        const data = await resp.json();
+                        this.testOk  = data.ok;
+                        this.testMsg = data.message;
+                    } catch (e) {
+                        this.testOk  = false;
+                        this.testMsg = 'Erreur réseau : ' + e.message;
+                    }
+                    this.testing = false;
+                    this.tested  = true;
+                }
+             }">
+
+            <div class="flex items-start justify-between">
+                <div>
+                    <h3 class="text-sm font-semibold text-gray-700 uppercase tracking-wide">Serveur SMTP</h3>
+                    <p class="text-xs text-gray-400 mt-0.5">
+                        Quand configuré, la connexion nécessitera un code PIN envoyé par e-mail (2FA).
+                    </p>
+                </div>
+                @if(\App\Services\SiteSettingsService::smtpConfigured())
+                    <span class="inline-flex items-center gap-1.5 text-xs text-green-700 bg-green-50 border border-green-200 px-2.5 py-1 rounded-full">
+                        <svg class="w-3 h-3 fill-current" viewBox="0 0 20 20">
+                            <path fill-rule="evenodd" d="M10 18a8 8 0 100-16 8 8 0 000 16zm3.707-9.293a1 1 0 00-1.414-1.414L9 10.586 7.707 9.293a1 1 0 00-1.414 1.414l2 2a1 1 0 001.414 0l4-4z" clip-rule="evenodd"/>
+                        </svg>
+                        Configuré — 2FA actif
+                    </span>
+                @endif
+            </div>
+
+            <form method="POST" action="{{ route('admin.parametres.smtp.update') }}" class="space-y-4">
+                @csrf
+
+                <div class="grid grid-cols-3 gap-4">
+                    <div class="col-span-2">
+                        <label class="block text-sm font-medium text-gray-700 mb-1">Hôte SMTP</label>
+                        <input type="text" name="smtp_host" x-model="host"
+                               placeholder="smtp.exemple.fr"
+                               class="w-full rounded-md border-gray-300 shadow-sm text-sm focus:border-indigo-500 focus:ring-indigo-500">
+                        @error('smtp_host') <p class="mt-1 text-xs text-red-600">{{ $message }}</p> @enderror
+                    </div>
+                    <div>
+                        <label class="block text-sm font-medium text-gray-700 mb-1">Port</label>
+                        <input type="number" name="smtp_port" x-model="port"
+                               class="w-full rounded-md border-gray-300 shadow-sm text-sm focus:border-indigo-500 focus:ring-indigo-500">
+                        @error('smtp_port') <p class="mt-1 text-xs text-red-600">{{ $message }}</p> @enderror
+                    </div>
+                </div>
+
+                <div>
+                    <label class="block text-sm font-medium text-gray-700 mb-1">Chiffrement</label>
+                    <select name="smtp_encryption" x-model="encryption"
+                            class="w-full rounded-md border-gray-300 shadow-sm text-sm focus:border-indigo-500 focus:ring-indigo-500">
+                        <option value="tls">TLS / STARTTLS (port 587 recommandé)</option>
+                        <option value="ssl">SSL (port 465)</option>
+                        <option value="">Aucun (déconseillé)</option>
+                    </select>
+                </div>
+
+                <div class="grid grid-cols-2 gap-4">
+                    <div>
+                        <label class="block text-sm font-medium text-gray-700 mb-1">Identifiant</label>
+                        <input type="text" name="smtp_username" x-model="username"
+                               autocomplete="off"
+                               class="w-full rounded-md border-gray-300 shadow-sm text-sm focus:border-indigo-500 focus:ring-indigo-500">
+                    </div>
+                    <div>
+                        <label class="block text-sm font-medium text-gray-700 mb-1">Mot de passe</label>
+                        <input type="password" name="smtp_password" x-model="password"
+                               autocomplete="new-password"
+                               class="w-full rounded-md border-gray-300 shadow-sm text-sm focus:border-indigo-500 focus:ring-indigo-500"
+                               placeholder="{{ \App\Services\SiteSettingsService::smtpConfigured() ? '(inchangé si vide)' : '' }}">
+                    </div>
+                </div>
+
+                <div class="grid grid-cols-2 gap-4 pt-2 border-t border-gray-100">
+                    <div>
+                        <label class="block text-sm font-medium text-gray-700 mb-1">Adresse d'expéditeur</label>
+                        <input type="email" name="smtp_from_address" x-model="fromAddress"
+                               placeholder="noreply@exemple.fr"
+                               class="w-full rounded-md border-gray-300 shadow-sm text-sm focus:border-indigo-500 focus:ring-indigo-500">
+                        @error('smtp_from_address') <p class="mt-1 text-xs text-red-600">{{ $message }}</p> @enderror
+                    </div>
+                    <div>
+                        <label class="block text-sm font-medium text-gray-700 mb-1">Nom d'expéditeur</label>
+                        <input type="text" name="smtp_from_name" x-model="fromName"
+                               class="w-full rounded-md border-gray-300 shadow-sm text-sm focus:border-indigo-500 focus:ring-indigo-500">
+                        @error('smtp_from_name') <p class="mt-1 text-xs text-red-600">{{ $message }}</p> @enderror
+                    </div>
+                </div>
+
+                {{-- Résultat test --}}
+                <div x-show="tested" x-cloak class="p-3 rounded-lg text-sm flex items-start gap-2"
+                     :class="testOk ? 'bg-green-50 border border-green-200 text-green-800' : 'bg-red-50 border border-red-200 text-red-800'">
+                    <span x-text="testOk ? '✓' : '✗'" class="font-bold shrink-0"></span>
+                    <span x-text="testMsg" class="break-all"></span>
+                </div>
+
+                <div class="flex items-center gap-3 flex-wrap">
+                    <button type="button" @click="testSmtp()" :disabled="testing"
+                            class="flex items-center gap-1.5 px-4 py-2 border border-slate-300 bg-slate-50 text-slate-700
+                                text-sm font-medium rounded-md hover:bg-slate-100 transition disabled:opacity-50">
+                        <svg class="w-4 h-4" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                            <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
+                                  d="M3 8l7.89 5.26a2 2 0 002.22 0L21 8M5 19h14a2 2 0 002-2V7a2 2 0 00-2-2H5a2 2 0 00-2 2v10a2 2 0 002 2z"/>
+                        </svg>
+                        <span x-text="testing ? 'Envoi en cours…' : 'Envoyer un e-mail de test'"></span>
+                    </button>
+
+                    <button type="submit"
+                            class="px-5 py-2 bg-indigo-600 text-white text-sm font-medium rounded-md hover:bg-indigo-700">
+                        Enregistrer
+                    </button>
+
+                    @if(\App\Services\SiteSettingsService::smtpConfigured())
+                        <form method="POST" action="{{ route('admin.parametres.smtp.delete') }}" class="ml-auto"
+                              x-data @submit.prevent="if(confirm('Supprimer la configuration SMTP et désactiver le 2FA ?')) $el.submit()">
+                            @csrf @method('DELETE')
+                            <button type="submit" class="text-sm text-red-500 hover:text-red-700">
+                                Supprimer la configuration
+                            </button>
+                        </form>
+                    @endif
+                </div>
+            </form>
+        </div>
+
         {{-- Version --}}
         <div class="bg-white shadow rounded-lg p-6 space-y-4">
             <h3 class="text-sm font-semibold text-gray-700 uppercase tracking-wide">Version du logiciel</h3>
diff --git a/resources/views/auth/two-factor.blade.php b/resources/views/auth/two-factor.blade.php
new file mode 100644
index 0000000..41fa0fc
--- /dev/null
+++ b/resources/views/auth/two-factor.blade.php
@@ -0,0 +1,52 @@
+<x-guest-layout>
+    <div class="mb-6 text-center">
+        <div class="inline-flex items-center justify-center w-14 h-14 rounded-full bg-indigo-100 mb-3">
+            <svg class="w-7 h-7 text-indigo-600" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
+                      d="M3 8l7.89 5.26a2 2 0 002.22 0L21 8M5 19h14a2 2 0 002-2V7a2 2 0 00-2-2H5a2 2 0 00-2 2v10a2 2 0 002 2z"/>
+            </svg>
+        </div>
+        <h2 class="text-lg font-semibold text-gray-900">Vérification en deux étapes</h2>
+        <p class="text-sm text-gray-500 mt-1">
+            Un code à 6 chiffres a été envoyé à<br>
+            <span class="font-medium text-gray-700">{{ $maskedEmail }}</span>
+        </p>
+    </div>
+
+    @if(session('resent'))
+        <div class="mb-4 p-3 bg-green-50 border border-green-200 text-green-800 text-sm rounded-md text-center">
+            Un nouveau code a été envoyé.
+        </div>
+    @endif
+
+    <form method="POST" action="{{ route('2fa.verify') }}">
+        @csrf
+
+        <div class="mb-5">
+            <x-input-label for="pin" value="Code PIN"/>
+            <input type="text" id="pin" name="pin"
+                   inputmode="numeric" pattern="[0-9]{6}" maxlength="6" autocomplete="one-time-code"
+                   autofocus required
+                   class="mt-1 block w-full text-center text-3xl tracking-[.5em] font-mono
+                       border-gray-300 focus:border-indigo-500 focus:ring-indigo-500 rounded-md shadow-sm"
+                   placeholder="——————">
+            <x-input-error :messages="$errors->get('pin')" class="mt-2"/>
+        </div>
+
+        <x-primary-button class="w-full justify-center py-3">
+            Valider le code
+        </x-primary-button>
+    </form>
+
+    <div class="mt-5 flex flex-col items-center gap-2">
+        <form method="POST" action="{{ route('2fa.resend') }}">
+            @csrf
+            <button type="submit" class="text-sm text-indigo-600 hover:underline">
+                Renvoyer le code
+            </button>
+        </form>
+        <a href="{{ route('login') }}" class="text-sm text-gray-400 hover:text-gray-600">
+            ← Retour à la connexion
+        </a>
+    </div>
+</x-guest-layout>
diff --git a/resources/views/emails/two-factor-pin.blade.php b/resources/views/emails/two-factor-pin.blade.php
new file mode 100644
index 0000000..cb6f873
--- /dev/null
+++ b/resources/views/emails/two-factor-pin.blade.php
@@ -0,0 +1,46 @@
+<!DOCTYPE html>
+<html lang="fr">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Code de connexion</title>
+    <style>
+        body { font-family: Arial, sans-serif; background: #f4f4f4; margin: 0; padding: 0; }
+        .wrapper { max-width: 480px; margin: 40px auto; background: #fff; border-radius: 8px; overflow: hidden; box-shadow: 0 2px 8px rgba(0,0,0,.08); }
+        .header { background: #4f46e5; padding: 28px 32px; text-align: center; }
+        .header h1 { color: #fff; margin: 0; font-size: 20px; font-weight: 600; }
+        .body { padding: 32px; }
+        .body p { color: #374151; font-size: 15px; line-height: 1.6; margin: 0 0 16px; }
+        .pin-box { text-align: center; margin: 28px 0; }
+        .pin { display: inline-block; font-size: 40px; font-weight: 700; letter-spacing: 10px; color: #4f46e5;
+               background: #eef2ff; border: 2px dashed #a5b4fc; border-radius: 8px;
+               padding: 16px 32px; font-family: monospace; }
+        .expiry { font-size: 13px; color: #9ca3af; text-align: center; margin-top: 8px; }
+        .footer { background: #f9fafb; padding: 20px 32px; border-top: 1px solid #e5e7eb;
+                  font-size: 12px; color: #9ca3af; text-align: center; }
+        .footer a { color: #6366f1; text-decoration: none; }
+    </style>
+</head>
+<body>
+    <div class="wrapper">
+        <div class="header">
+            <h1>{{ config('app.name') }}</h1>
+        </div>
+        <div class="body">
+            <p>Bonjour {{ $userName }},</p>
+            <p>Voici votre code de connexion à usage unique :</p>
+
+            <div class="pin-box">
+                <div class="pin">{{ $pin }}</div>
+                <p class="expiry">Ce code expire dans 10 minutes.</p>
+            </div>
+
+            <p>Si vous n'avez pas essayé de vous connecter, ignorez cet e-mail et votre compte restera sécurisé.</p>
+        </div>
+        <div class="footer">
+            Cet e-mail a été envoyé automatiquement par <a href="{{ config('app.url') }}">{{ config('app.name') }}</a>.<br>
+            Ne transmettez jamais ce code à quelqu'un d'autre.
+        </div>
+    </div>
+</body>
+</html>
diff --git a/routes/admin.php b/routes/admin.php
index 2e31ca1..fef9ca2 100644
--- a/routes/admin.php
+++ b/routes/admin.php
@@ -12,11 +12,14 @@ use Illuminate\Support\Facades\Route;
 Route::middleware(['auth', 'role:admin'])->prefix('admin')->name('admin.')->group(function () {
     Route::get('dashboard', [DashboardController::class, 'index'])->name('dashboard');
 
-    // Paramètres du site (logo, inscriptions)
-    Route::get('parametres', [SettingController::class, 'index'])->name('parametres');
-    Route::post('parametres/logo', [SettingController::class, 'updateLogo'])->name('parametres.logo.update');
-    Route::delete('parametres/logo', [SettingController::class, 'deleteLogo'])->name('parametres.logo.delete');
-    Route::post('parametres/settings', [SettingController::class, 'updateSettings'])->name('parametres.update');
+    // Paramètres du site (logo, inscriptions, SMTP)
+    Route::get('parametres',                [SettingController::class, 'index'])->name('parametres');
+    Route::post('parametres/logo',          [SettingController::class, 'updateLogo'])->name('parametres.logo.update');
+    Route::delete('parametres/logo',        [SettingController::class, 'deleteLogo'])->name('parametres.logo.delete');
+    Route::post('parametres/settings',      [SettingController::class, 'updateSettings'])->name('parametres.update');
+    Route::post('parametres/smtp',          [SettingController::class, 'updateSmtp'])->name('parametres.smtp.update');
+    Route::delete('parametres/smtp',        [SettingController::class, 'deleteSmtp'])->name('parametres.smtp.delete');
+    Route::post('parametres/smtp/test',     [SettingController::class, 'testSmtp'])->name('parametres.smtp.test');
 
     // Routes spécifiques avant la resource pour éviter les conflits de paramètre
     Route::get('utilisateurs/export',          [UserController::class, 'export'])->name('utilisateurs.export');
diff --git a/routes/web.php b/routes/web.php
index 54f9c14..834baaa 100644
--- a/routes/web.php
+++ b/routes/web.php
@@ -7,6 +7,7 @@ use App\Http\Controllers\NotificationController;
 use App\Http\Controllers\ProfileController;
 use App\Http\Controllers\RechercheController;
 use App\Http\Controllers\ReleveController;
+use App\Http\Controllers\Auth\TwoFactorController;
 use App\Http\Controllers\SetupController;
 use App\Http\Controllers\SourceController;
 use Illuminate\Support\Facades\Route;
@@ -23,6 +24,13 @@ Route::prefix('setup')->name('setup.')->group(function () {
     Route::post('/install',    [SetupController::class, 'install'])->name('install');
 });
 
+// ── Authentification 2FA par code PIN ───────────────────────────────────────
+Route::middleware('guest')->group(function () {
+    Route::get('2fa',           [TwoFactorController::class, 'challenge'])->name('2fa.challenge');
+    Route::post('2fa',          [TwoFactorController::class, 'verify'])->name('2fa.verify');
+    Route::post('2fa/resend',   [TwoFactorController::class, 'resend'])->name('2fa.resend');
+});
+
 Route::get('/', function () {
     return view('welcome');
 });