diff --git a/apps/users/models/user.py b/apps/users/models/user.py
index 0e2e06f39..8ebfaf590 100644
--- a/apps/users/models/user.py
+++ b/apps/users/models/user.py
@@ -30,6 +30,11 @@ class User(AbstractUser):
         (ROLE_USER, _('User')),
         (ROLE_APP, _('Application'))
     )
+    OTP_LEVEL_CHOICES = (
+        (0, _('Disable')),
+        (1, _('Enable')),
+        (2, _("Force enable")),
+    )
     id = models.UUIDField(default=uuid.uuid4, primary_key=True)
     username = models.CharField(max_length=128, unique=True, verbose_name=_('Username'))
     name = models.CharField(max_length=128, verbose_name=_('Name'))
@@ -39,8 +44,8 @@ class User(AbstractUser):
     avatar = models.ImageField(upload_to="avatar", null=True, verbose_name=_('Avatar'))
     wechat = models.CharField(max_length=128, blank=True, verbose_name=_('Wechat'))
     phone = models.CharField(max_length=20, blank=True, null=True, verbose_name=_('Phone'))
-    enable_otp = models.BooleanField(default=False, verbose_name=_('Enable OTP'))
-    secret_key_otp = models.CharField(max_length=16, blank=True)
+    otp_level = models.SmallIntegerField(default=0, choices=OTP_LEVEL_CHOICES, verbose_name=_('Enable OTP'))
+    otp_secret_key = models.CharField(max_length=16, blank=True)
     # Todo: Auto generate key, let user download
     _private_key = models.CharField(max_length=5000, blank=True, verbose_name=_('Private key'))
     _public_key = models.CharField(max_length=5000, blank=True, verbose_name=_('Public key'))
@@ -202,6 +207,14 @@ class User(AbstractUser):
     def generate_reset_token(self):
         return signer.sign_t({'reset': str(self.id), 'email': self.email}, expires_in=3600)
 
+    @property
+    def otp_enabled(self):
+        return self.otp_level > 0
+
+    @property
+    def otp_force_enabled(self):
+        return self.otp_level == 2
+
     def to_json(self):
         return OrderedDict({
             'id': self.id,