
Allow disabling app access when using TOTP #8209

@lzinga

Description


As it stands, enabling TOTP works well for securing browser logins by adding an extra layer of authentication.

However, there should be an option to restrict access from applications that don’t yet support the TOTP process. Adding this control would give instance owners more flexibility and improve security until those apps implement TOTP support. Currently, a malicious user could bypass TOTP protection simply by connecting through a desktop app instead of the browser.

While some rate limiting appears to be in place for apps, the lack of TOTP enforcement still leaves the system vulnerable. If TOTP is enabled on an account, I would expect it to apply to every login attempt, except for specific exceptions such as when an ETAPI token or backup codes are being used.

I created this as a bug rather than a feature, as I don't believe it is a major security issue, and I believe the expected result is that if you apply TOTP to an account, it prevents any access unless the key is given (apart from things like API calls or using the backup codes).

Possible Solutions

A potential solution would be to introduce a “Require TOTP for Login” setting on the server. When enabled, this setting would enforce TOTP verification for all login attempts, blocking access from any application that doesn’t support TOTP. The configuration page should also make it clear that if this setting is disabled, users can still log in through non‑TOTP‑enabled apps without providing a code.

Alternatively, there could be an option to allow temporary logins without TOTP, controlled by a timer that automatically re‑enables full TOTP protection after the user signs in. This would let someone briefly disable TOTP to log in on a desktop app, after which the account would automatically return to its secure state.

Ultimate Goal

When using a remote server and an app to sync, require any access to use TOTP.

TriliumNext Version

0.101.1

What operating system are you using?

Windows

What is your setup?

Local + server sync

Operating System Version

Windows 11

Error logs

No response


Labels

BE (Issues related to server-side/back-end), Difficulty: Hard, State: Triage (Issues that need to be verified)
