- First create a secret and associate it with a user
 - Next create a QR code and let the user scan it:

...or display the secret to the user for manual entry: JDWX P7JI 4DCV 5RP6 VNW4 C3ES G3YN 7F3H
 - Next, have the user verify the code; at this time the code displayed by a 2FA-app would be: 031799 (but that changes periodically)
 - When the code checks out, 2FA can be / is enabled; store the secret (encrypted?) with the user and have the user verify a code each time a new session is started.
 - When the aforementioned code (031799) was entered, the result would be: OK
 
    Note: Make sure your server-time is NTP-synced! Depending on the $discrepancy allowed, your time cannot drift too much from the users' time!
    Warning: Your hosts time seems to be off: Unable to retrieve time from time.google.com (Resource temporarily unavailable)