diff --git a/_toc.yml b/_toc.yml
index 44296a05..3b2671e0 100644
--- a/_toc.yml
+++ b/_toc.yml
@@ -67,6 +67,7 @@ chapters:
 - file: admin-guide/configuration/access/eaccounts
 - file: admin-guide/configuration/access/sshd_configuration
 - file: admin-guide/configuration/access/ssh_host_hopping
+ - file: admin-guide/configuration/access/mfa
 - file: admin-guide/configuration/software
 sections:
 - file: admin-guide/configuration/software/packages
diff --git a/admin-guide/configuration/access/mfa.md b/admin-guide/configuration/access/mfa.md
new file mode 100644
index 00000000..46ad67d5
--- /dev/null
+++ b/admin-guide/configuration/access/mfa.md
@@ -0,0 +1,13 @@
+# MFA - Multi Factor Authentication
+
+MFA can be enabled on any standard system with following configuration:
+
+```yaml
+aaa::radius_auth: true
+aaa::radius_shared_secret: ENC[PKCS7,MIIBuQYJK...9Z82qA==]
+aaa::radius_servers: [ 'nps01.psi.ch', 'nps02.psi.ch' ]
+aaa::radius_timeout: 60
+```
+
+Prerequisite for this is, that your server can reach the RADIUS servers (in the example nps01.psi.ch and nps02.psi.ch) and that you received a shared secret from the RADIUS admin.
+(at the time of writing the RADIUS server are supported by group 9521)