The security of user data in web-based information systems is frequently compromised by the weaknesses of conventional authentication mechanisms that rely solely on static passwords. Attacks such as credential theft and brute-force password guessing against the internal information system of PT. Indonesia Gadai Oke make an additional layer of security necessary to protect sensitive customer data and financial transactions. This research aims to design and implement a Two-Factor Authentication (2FA) security system using the HMAC-SHA256 (Hash-based Message Authentication Code with Secure Hash Algorithm 256-bit) algorithm, integrated with Trusted Device features and Web Push notifications. The applied method is Time-based One-Time Password (TOTP) with a 30-second time interval. A unique code is generated on the server side by 32-bit dynamic truncation of the HMAC-SHA256 digest computed over the shared secret key and the current timestamp. Web Push Notification was chosen as the distribution medium to eliminate SMS operational costs and minimize delivery latency. System testing was conducted using Black Box Testing and Security Testing methods with 10 repetitions per test scenario. The results indicate that the system achieved a 100% functional success rate in validating authorized users. In terms of security, the system proved effective in mitigating threats, with a 100% success rate in rejecting SQL Injection, Cross-Site Scripting (XSS), and Replay Attacks through a single-use token validation mechanism. This implementation successfully reduced the risk of account hijacking and improved the efficiency of the authentication process at PT. Indonesia Gadai Oke.
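The abstract names three mechanisms without showing them together: HMAC-SHA256 over a secret and a 30-second time step, dynamic truncation to a short numeric code, and single-use validation that rejects a replayed token. The following is an added worked example (not code from the paper or from PT. Indonesia Gadai Oke's system) that implements all three on the server side. The names `hotp_sha256`, `totp_sha256` and `TotpVerifier` are my own, the RFC 6238 test seed is used only so the output can be checked against a published vector, and the Web Push delivery of the code is out of scope here.

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # time interval stated in the paper
DIGITS = 6          # assumed code length (the paper does not state it)


def hotp_sha256(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226) with HMAC-SHA256 and dynamic truncation.

    The counter is MAC'd as an 8-byte big-endian value; the low nibble of
    the last digest byte selects a 4-byte window, whose top bit is masked
    off before reducing modulo 10**digits.
    """
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    binary = (
        ((digest[offset] & 0x7F) << 24)
        | (digest[offset + 1] << 16)
        | (digest[offset + 2] << 8)
        | digest[offset + 3]
    )
    return str(binary % (10 ** digits)).zfill(digits)


def totp_sha256(secret: bytes, unix_time: float,
                step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """TOTP (RFC 6238): the HOTP counter is the number of elapsed time steps."""
    return hotp_sha256(secret, int(unix_time) // step, digits)


class TotpVerifier:
    """Server-side verifier enforcing single-use codes.

    `window` allows +/- that many steps of clock skew. `last_counter`
    remembers the highest time step already consumed for this user, so a
    code captured and resent (a replay) is rejected even inside the window.
    """

    def __init__(self, secret: bytes, step: int = STEP_SECONDS,
                 digits: int = DIGITS, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_counter = -1  # no step consumed yet

    def verify(self, code: str, now: float) -> bool:
        counter = int(now) // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self.last_counter:
                continue  # already used (or older): replay is rejected
            expected = hotp_sha256(self.secret, candidate, self.digits)
            # constant-time comparison avoids leaking which digit differed
            if hmac.compare_digest(expected, code):
                self.last_counter = candidate  # burn this step
                return True
        return False


if __name__ == "__main__":
    # Constructed demo secret; a real deployment generates one per user.
    secret = b"12345678901234567890123456789012"
    now = time.time()
    code = totp_sha256(secret, now)
    verifier = TotpVerifier(secret)
    print("code:", code)
    print("first use accepted:", verifier.verify(code, now))
    print("replay accepted:", verifier.verify(code, now + 5))
```

The verifier stores `last_counter` per user (in a real system, in the session or user record) so that the same 6-digit code cannot be replayed during the remaining seconds of its 30-second window; with RFC 6238's published SHA-256 seed and an 8-digit output, `totp_sha256` reproduces the RFC's test vector, which is a quick way to check the truncation is implemented correctly.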