diff --git a/backend/PHASE-2.4-TODO.md b/backend/PHASE-2.4-TODO.md new file mode 100644 index 0000000..7b30276 --- /dev/null +++ b/backend/PHASE-2.4-TODO.md 
@@ -0,0 +1,165 @@ +# Phase 2.4 TODO List + +**Started**: 2026-02-15 16:33:00 UTC + +--- + +## Priority 1: Core Features (Must Have) + +### Password Recovery +- [ ] Add `recovery_phrase_hash` field to User model +- [ ] Add `recovery_phrase_enabled` field to User model +- [ ] Create handler: `POST /api/auth/recovery/setup` +- [ ] Create handler: `POST /api/auth/recovery/verify` +- [ ] Create handler: `POST /api/auth/recovery/reset-password` +- [ ] Add rate limiting (5 attempts per hour) +- [ ] Write unit tests +- [ ] Write integration tests + +### Email Verification +- [ ] Add `email_verified` field to User model +- [ ] Add `verification_token` field to User model +- [ ] Add `verification_expires` field to User model +- [ ] Create handler: `POST /api/auth/verify/send` +- [ ] Create handler: `GET /api/auth/verify/confirm` +- [ ] Create handler: `POST /api/auth/verify/resend` +- [ ] Add email service placeholder +- [ ] Write unit tests +- [ ] Write integration tests + +### Enhanced Profile Management +- [ ] Update handler: `PUT /api/users/me` +- [ ] Add username validation +- [ ] Add full name field support +- [ ] Add profile picture URL support +- [ ] Create handler: `DELETE /api/users/me` +- [ ] Add password confirmation for deletion +- [ ] Write unit tests +- [ ] Write integration tests + +--- + +## Priority 2: Account Settings (Should Have) + +### Settings Management +- [ ] Create UserSettings model +- [ ] Add settings field to User model +- [ ] Create handler: `GET /api/users/me/settings` +- [ ] Create handler: `PUT /api/users/me/settings` +- [ ] Add email notifications toggle +- [ ] Add theme selection +- [ ] Add language selection +- [ ] Add timezone selection +- [ ] Write unit tests +- [ ] Write integration tests + +### Password Change +- [ ] Create handler: `POST /api/users/me/change-password` +- [ ] Add current password verification +- [ ] Add new password validation +- [ ] Add rate limiting (3 attempts per hour) +- [ ] Log password changes +- [ ] Write unit 
tests +- [ ] Write integration tests + +--- + +## Priority 3: Security & Performance (Nice to Have) + +### Rate Limiting +- [ ] Install tower-governor dependency +- [ ] Create rate limiting middleware +- [ ] Apply to password recovery endpoint +- [ ] Apply to email verification endpoint +- [ ] Apply to password change endpoint +- [ ] Apply to login endpoint +- [ ] Configure Redis for rate limiting (optional) +- [ ] Write tests + +### Security Enhancements +- [ ] Add audit logging for sensitive operations +- [ ] Add IP-based rate limiting +- [ ] Add account lockout after failed attempts +- [ ] Add email verification requirement check +- [ ] Add two-factor authentication prep work +- [ ] Write security tests + +--- + +## Priority 4: Testing & Documentation + +### Testing +- [ ] Write integration tests for password recovery flow +- [ ] Write integration tests for email verification flow +- [ ] Write integration tests for profile management +- [ ] Write integration tests for settings management +- [ ] Write rate limiting tests +- [ ] Add test coverage reporting +- [ ] Aim for 80%+ code coverage + +### Documentation +- [ ] Update API documentation with new endpoints +- [ ] Add email verification flow diagram +- [ ] Add password recovery flow diagram +- [ ] Update quick start guide +- [ ] Add developer setup instructions +- [ ] Add deployment guide + +--- + +## Implementation Order + +### Week 1: Password Recovery +1. Monday: Update User model, create basic handlers +2. Tuesday: Implement rate limiting +3. Wednesday: Write unit tests +4. Thursday: Write integration tests +5. Friday: Code review and refinement + +### Week 2: Email Verification +1. Monday: Update User model, create email service placeholder +2. Tuesday: Implement verification handlers +3. Wednesday: Implement token cleanup +4. Thursday: Write tests +5. Friday: Code review and refinement + +### Week 3: Profile & Settings +1. Monday: Enhanced profile management +2. Tuesday: Account settings handlers +3. 
Wednesday: Password change handler +4. Thursday: Write tests +5. Friday: Code review and refinement + +### Week 4: Polish & Deploy +1. Monday: Security enhancements +2. Tuesday: Performance optimization +3. Wednesday: Documentation updates +4. Thursday: Integration tests +5. Friday: Deploy to staging + +--- + +## Dependencies + +- ✅ Phase 2.3 (JWT Auth) must be complete +- ✅ MongoDB connection working +- ✅ Docker environment operational +- ⏳ Email service (can use placeholder for now) +- ⏳ Redis for rate limiting (optional, can use in-memory) + +--- + +## Notes + +- All new handlers must follow existing patterns +- Use existing PasswordService for hashing +- Use existing JwtService for tokens +- Follow Rust best practices and idioms +- Add error handling for all edge cases +- Add comprehensive logging +- Keep handlers simple and focused +- Use middleware for cross-cutting concerns + +--- + +**Last Updated**: 2026-02-15 16:33:00 UTC
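Review bot: the rate limiting that Priority 1 and 2 treat as required is only scheduled to exist under Priority 3 "Nice to Have": `Password Recovery` lists `- [ ] Add rate limiting (5 attempts per hour)` and `Password Change` lists `- [ ] Add rate limiting (3 attempts per hour)`, and Week 1 Tuesday is "Implement rate limiting", but `- [ ] Install tower-governor dependency` and `- [ ] Create rate limiting middleware` sit in the optional section; move those two items up to Priority 1 (or add them as a blocker under Dependencies) so the recovery endpoints cannot ship unthrottled. Two smaller points on the same hunk: `verification_token` is added to the User model with no requirement that it be stored hashed, even though the Notes section already mandates PasswordService hashing for secrets, and `GET /api/auth/verify/confirm` performs a state change on a GET, which link prefetchers and mail-security scanners can trigger without the user; consider documenting the token as single-use and bound to the existing `verification_expires` field (the Week 2 "token cleanup" item already implies expiry), and confirming via POST.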