diff --git a/code_examples/totp/_misc/totp-append-ConfigProvider.php b/code_examples/totp/_misc/totp-append-ConfigProvider.php
new file mode 100644
index 0000000..44c4354
--- /dev/null
+++ b/code_examples/totp/_misc/totp-append-ConfigProvider.php
@@ -0,0 +1,11 @@
+GetEnableTotpFormHandler::class         => AttributedServiceFactory::class,
+PostEnableTotpHandler::class            => AttributedServiceFactory::class,
+GetDisableTotpFormHandler::class        => AttributedServiceFactory::class,
+PostDisableTotpHandler::class           => AttributedServiceFactory::class,
+PostValidateTotpHandler::class          => AttributedServiceFactory::class,
+GetTotpHandler::class                   => AttributedServiceFactory::class,
+GetRecoveryFormHandler::class           => AttributedServiceFactory::class,
+PostValidateRecoveryHandler::class      => AttributedServiceFactory::class,
+
+TotpForm::class                         => ElementFactory::class,
+RecoveryForm::class                     => ElementFactory::class,
diff --git a/code_examples/totp/_misc/totp-append-Pipeline.php b/code_examples/totp/_misc/totp-append-Pipeline.php
new file mode 100644
index 0000000..ce07b19
--- /dev/null
+++ b/code_examples/totp/_misc/totp-append-Pipeline.php
@@ -0,0 +1,2 @@
+$app->pipe(TotpMiddleware::class);
+$app->pipe(CancelUrlMiddleware::class);
diff --git a/code_examples/totp/_misc/totp-append-routes.php b/code_examples/totp/_misc/totp-append-routes.php
new file mode 100644
index 0000000..f3f0f4b
--- /dev/null
+++ b/code_examples/totp/_misc/totp-append-routes.php
@@ -0,0 +1,8 @@
+->get('/enable-totp-form', GetEnableTotpFormHandler::class, 'admin::enable-totp-form')
+->post('/enable-totp', PostEnableTotpHandler::class, 'admin::enable-totp')
+->get('/disable-totp-form', GetDisableTotpFormHandler::class, 'admin::disable-totp-form')
+->post('/disable-totp', PostDisableTotpHandler::class, 'admin::disable-totp')
+->get('/validate-totp-form', GetTotpHandler::class, 'admin::validate-totp-form')
+->post('/validate-totp', PostValidateTotpHandler::class, 'admin::validate-totp')
+->get('/recovery-form', GetRecoveryFormHandler::class, 'admin::recovery-form')
+->post('/validate-recovery', PostValidateRecoveryHandler::class, 'admin::validate-recovery')
diff --git a/code_examples/totp/_misc/totp-append-view-account.html.twig b/code_examples/totp/_misc/totp-append-view-account.html.twig
new file mode 100644
index 0000000..c25efd6
--- /dev/null
+++ b/code_examples/totp/_misc/totp-append-view-account.html.twig
@@ -0,0 +1,20 @@
+<div class="bgc-white p-20 bd">
+    <h6 class="c-grey-900">TOTP Setup</h6>
+    {% if isTotpEnabled %}
+        <h6 class="c-grey-900">TOTP is enabled</h6>
+        <div class="d-flex justify-content-end">
+            <a href="{{ path('admin::disable-totp-form') }}"
+               class="btn btn-primary btn-color btn-sm">
+                Disable TOTP
+            </a>
+        </div>
+    {% else %}
+        <h6 class="c-grey-900">TOTP is disabled</h6>
+        <div class="d-flex justify-content-end">
+            <a href="{{ path('admin::enable-totp-form') }}"
+               class="btn btn-primary btn-color btn-sm">
+                Enable TOTP
+            </a>
+        </div>
+    {% endif %}
+</div>
diff --git a/code_examples/totp/config/autoload/totp.global.php b/code_examples/totp/config/autoload/totp.global.php
new file mode 100644
index 0000000..3383c8a
--- /dev/null
+++ b/code_examples/totp/config/autoload/totp.global.php
@@ -0,0 +1,28 @@
+<?php
+
+declare(strict_types=1);
+
+use Core\Admin\Entity\Admin;
+use Core\Admin\Entity\AdminIdentity;
+
+return [
+    'dot_totp' => [
+        'identity_class_map'   => [
+            AdminIdentity::class => Admin::class,
+        ],
+        'totp_required_routes' => [
+            'page::components' => true,
+        ],
+        'options'              => [
+            // Time step in seconds
+            'period' => 30,
+            // Number of digits in the TOTP code
+            'digits' => 6,
+            // Hashing algorithm used to generate the code
+            'algorithm' => 'sha1',
+        ],
+        'provision_uri_config' => [
+            'issuer' => 'DK-Admin',
+        ],
+    ],
+];
diff --git a/code_examples/totp/src/Admin/src/Form/RecoveryForm.php b/code_examples/totp/src/Admin/src/Form/RecoveryForm.php
new file mode 100644
index 0000000..9bdac91
--- /dev/null
+++ b/code_examples/totp/src/Admin/src/Form/RecoveryForm.php
@@ -0,0 +1,77 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Admin\Admin\Form;
+
+use Admin\Admin\InputFilter\RecoveryInputFilter;
+use Admin\App\Form\AbstractForm;
+use Dot\DependencyInjection\Attribute\Inject;
+use Laminas\Form\Element\Csrf;
+use Laminas\Form\Element\Submit;
+use Laminas\Form\Element\Text;
+use Laminas\Form\Exception\ExceptionInterface;
+use Laminas\Session\Container;
+use Mezzio\Router\RouterInterface;
+
+/**
+ * @phpstan-import-type RecoveryDataType from RecoveryInputFilter
+ * @extends AbstractForm<RecoveryDataType>
+ */
+class RecoveryForm extends AbstractForm
+{
+    /**
+     * @param array<non-empty-string, mixed> $options
+     * @throws ExceptionInterface
+     */
+    #[Inject(
+        RouterInterface::class,
+    )]
+    public function __construct(?string $name = null, array $options = [])
+    {
+        parent::__construct($name, $options);
+
+        $this->init();
+
+        $this->setAttribute('id', 'recovery-form');
+        $this->setAttribute('method', 'post');
+
+        $this->inputFilter = new RecoveryInputFilter();
+        $this->inputFilter->init();
+    }
+
+    /**
+     * @throws ExceptionInterface
+     */
+    public function init(): void
+    {
+        $this->add(
+            (new Text('recoveryCode'))
+                ->setLabel('Recovery Code')
+                ->setAttribute('class', 'form-control')
+                ->setAttribute('minlength', 11)
+                ->setAttribute('maxlength', 11)
+                ->setAttribute('pattern', '[A-Za-z0-9]{5}-[A-Za-z0-9]{5}')
+                ->setAttribute('required', true)
+                ->setAttribute('autofocus', true)
+        );
+
+        $this->add(
+            (new Csrf('recoveryCsrf'))
+                ->setOptions([
+                    'csrf_options' => [
+                        'timeout' => 3600,
+                        'session' => new Container(),
+                    ],
+                ])
+                ->setAttribute('required', true)
+        );
+
+        $this->add(
+            (new Submit('submit'))
+                ->setAttribute('type', 'submit')
+                ->setAttribute('value', 'Verify Code')
+                ->setAttribute('class', 'btn btn-primary mt-2')
+        );
+    }
+}
diff --git a/code_examples/totp/src/Admin/src/Form/TotpForm.php b/code_examples/totp/src/Admin/src/Form/TotpForm.php
new file mode 100644
index 0000000..e381768
--- /dev/null
+++ b/code_examples/totp/src/Admin/src/Form/TotpForm.php
@@ -0,0 +1,77 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Admin\Admin\Form;
+
+use Admin\Admin\InputFilter\TotpInputFilter;
+use Admin\App\Form\AbstractForm;
+use Dot\DependencyInjection\Attribute\Inject;
+use Laminas\Form\Element\Csrf;
+use Laminas\Form\Element\Submit;
+use Laminas\Form\Element\Text;
+use Laminas\Form\Exception\ExceptionInterface;
+use Laminas\Session\Container;
+use Mezzio\Router\RouterInterface;
+
+/**
+ * @phpstan-import-type TotpDataType from TotpInputFilter
+ * @extends AbstractForm<TotpDataType>
+ */
+class TotpForm extends AbstractForm
+{
+    /**
+     * @param array<non-empty-string, mixed> $options
+     * @throws ExceptionInterface
+     */
+    #[Inject(
+        RouterInterface::class,
+    )]
+    public function __construct(?string $name = null, array $options = [])
+    {
+        parent::__construct($name, $options);
+
+        $this->init();
+
+        $this->setAttribute('id', 'enable-totp-form');
+        $this->setAttribute('method', 'post');
+        $this->setAttribute('title', 'TOTP Authentication Setup');
+
+        $this->inputFilter = new TotpInputFilter();
+        $this->inputFilter->init();
+    }
+
+    /**
+     * @throws ExceptionInterface
+     */
+    public function init(): void
+    {
+        $this->add(
+            (new Text('code'))
+                ->setLabel('Authentication Code')
+                ->setAttribute('class', 'form-control')
+                ->setAttribute('maxlength', 6)
+                ->setAttribute('pattern', '\d{6}')
+                ->setAttribute('required', true)
+                ->setAttribute('autofocus', true)
+        );
+
+        $this->add(
+            (new Csrf('totpCsrf'))
+                ->setOptions([
+                    'csrf_options' => [
+                        'timeout' => 3600,
+                        'session' => new Container(),
+                    ],
+                ])
+                ->setAttribute('required', true)
+        );
+
+        $this->add(
+            (new Submit('submit'))
+                ->setAttribute('type', 'submit')
+                ->setAttribute('value', 'Verify Code')
+                ->setAttribute('class', 'btn btn-primary mt-2')
+        );
+    }
+}
diff --git a/code_examples/totp/src/Admin/src/Handler/Account/GetDisableTotpFormHandler.php b/code_examples/totp/src/Admin/src/Handler/Account/GetDisableTotpFormHandler.php
new file mode 100644
index 0000000..dd0d846
--- /dev/null
+++ b/code_examples/totp/src/Admin/src/Handler/Account/GetDisableTotpFormHandler.php
@@ -0,0 +1,47 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Admin\Admin\Handler\Account;
+
+use Admin\Admin\Form\TotpForm;
+use Dot\DependencyInjection\Attribute\Inject;
+use Laminas\Authentication\AuthenticationService;
+use Laminas\Diactoros\Response\EmptyResponse;
+use Laminas\Diactoros\Response\HtmlResponse;
+use Mezzio\Router\RouterInterface;
+use Mezzio\Template\TemplateRendererInterface;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Psr\Http\Server\RequestHandlerInterface;
+
+class GetDisableTotpFormHandler implements RequestHandlerInterface
+{
+    #[Inject(
+        TemplateRendererInterface::class,
+        TotpForm::class,
+        RouterInterface::class,
+        AuthenticationService::class,
+    )]
+    public function __construct(
+        protected TemplateRendererInterface $template,
+        protected TotpForm $totpForm,
+        protected RouterInterface $router,
+        protected AuthenticationService $authenticationService,
+    ) {
+    }
+
+    public function handle(ServerRequestInterface $request): ResponseInterface|EmptyResponse|HtmlResponse
+    {
+        $this->totpForm
+            ->setAttribute('action', $this->router->generateUri('admin::disable-totp'));
+
+        return new HtmlResponse(
+            $this->template->render('admin::validate-totp-form', [
+                'totpForm'  => $this->totpForm->prepare(),
+                'cancelUrl' => $this->router->generateUri('admin::edit-account'),
+                'error'     => null,
+            ])
+        );
+    }
+}
diff --git a/code_examples/totp/src/Admin/src/Handler/Account/GetEnableTotpFormHandler.php b/code_examples/totp/src/Admin/src/Handler/Account/GetEnableTotpFormHandler.php
new file mode 100644
index 0000000..61c1259
--- /dev/null
+++ b/code_examples/totp/src/Admin/src/Handler/Account/GetEnableTotpFormHandler.php
@@ -0,0 +1,93 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Admin\Admin\Handler\Account;
+
+use Admin\Admin\Form\TotpForm;
+use Dot\DependencyInjection\Attribute\Inject;
+use Dot\FlashMessenger\FlashMessengerInterface;
+use Dot\Totp\Totp;
+use Laminas\Authentication\AuthenticationService;
+use Laminas\Authentication\Exception\ExceptionInterface;
+use Laminas\Diactoros\Response\EmptyResponse;
+use Laminas\Diactoros\Response\HtmlResponse;
+use Mezzio\Router\RouterInterface;
+use Mezzio\Template\TemplateRendererInterface;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Psr\Http\Server\RequestHandlerInterface;
+use Random\RandomException;
+
+use function time;
+
+class GetEnableTotpFormHandler implements RequestHandlerInterface
+{
+    private const int SECRET_MAX_AGE = 600;
+
+    /**
+     * @param array{label: string, issuer: string} $provisioningUri
+     */
+    #[Inject(
+        Totp::class,
+        AuthenticationService::class,
+        FlashMessengerInterface::class,
+        TemplateRendererInterface::class,
+        TotpForm::class,
+        RouterInterface::class,
+        'config.dot_totp.provision_uri_config'
+    )]
+    public function __construct(
+        protected Totp $totpService,
+        protected AuthenticationService $authenticationService,
+        protected FlashMessengerInterface $messenger,
+        protected TemplateRendererInterface $template,
+        protected TotpForm $totpForm,
+        protected RouterInterface $router,
+        protected array $provisioningUri
+    ) {
+    }
+
+    /**
+     * @throws ExceptionInterface
+     * @throws RandomException
+     */
+    public function handle(ServerRequestInterface $request): ResponseInterface|EmptyResponse|HtmlResponse
+    {
+        $storage = $this->authenticationService->getStorage()->read();
+
+        if (
+            empty($storage->pendingSecret) ||
+            empty($storage->secretTimestamp) ||
+            (time() - $storage->secretTimestamp) > self::SECRET_MAX_AGE
+        ) {
+            $storage->pendingSecret   = $this->totpService->generateSecretBase32();
+            $storage->secretTimestamp = time();
+            $this->authenticationService->getStorage()->write($storage);
+        }
+
+        $uri = $this->totpService->getProvisioningUri(
+            $storage->getIdentity(),
+            $this->provisioningUri['issuer'],
+            $storage->pendingSecret
+        );
+
+        $qrSvg                  = $this->totpService->generateInlineSvgQr($uri);
+        $storage->totp_verified = false;
+
+        if (isset($storage->recovery_auth) && $storage->recovery_auth) {
+            $this->totpForm->setAttribute('title', 'Reconfigure Two-Factor Authentication');
+        }
+
+        $this->totpForm->setAttribute('action', $this->router->generateUri('admin::enable-totp'));
+
+        return new HtmlResponse(
+            $this->template->render('admin::validate-totp-form', [
+                'qrSvg'     => $qrSvg,
+                'cancelUrl' => $request->getAttribute('cancelUrl'),
+                'totpForm'  => $this->totpForm->prepare(),
+                'error'     => null,
+            ])
+        );
+    }
+}
diff --git a/code_examples/totp/src/Admin/src/Handler/Account/GetRecoveryFormHandler.php b/code_examples/totp/src/Admin/src/Handler/Account/GetRecoveryFormHandler.php
new file mode 100644
index 0000000..c95cf68
--- /dev/null
+++ b/code_examples/totp/src/Admin/src/Handler/Account/GetRecoveryFormHandler.php
@@ -0,0 +1,43 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Admin\Admin\Handler\Account;
+
+use Admin\Admin\Form\RecoveryForm;
+use Dot\DependencyInjection\Attribute\Inject;
+use Laminas\Diactoros\Response\EmptyResponse;
+use Laminas\Diactoros\Response\HtmlResponse;
+use Mezzio\Router\RouterInterface;
+use Mezzio\Template\TemplateRendererInterface;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Psr\Http\Server\RequestHandlerInterface;
+
+class GetRecoveryFormHandler implements RequestHandlerInterface
+{
+    #[Inject(
+        TemplateRendererInterface::class,
+        RecoveryForm::class,
+        RouterInterface::class
+    )]
+    public function __construct(
+        protected TemplateRendererInterface $template,
+        protected RecoveryForm $recoveryForm,
+        protected RouterInterface $router
+    ) {
+    }
+
+    public function handle(ServerRequestInterface $request): ResponseInterface|EmptyResponse|HtmlResponse
+    {
+        $this->recoveryForm
+            ->setAttribute('action', $this->router->generateUri('admin::validate-recovery'));
+
+        return new HtmlResponse(
+            $this->template->render('admin::recovery-form', [
+                'recoveryForm' => $this->recoveryForm,
+                'cancelUrl'    => $request->getAttribute('cancelUrl'),
+            ])
+        );
+    }
+}
diff --git a/code_examples/totp/src/Admin/src/Handler/Account/GetTotpHandler.php b/code_examples/totp/src/Admin/src/Handler/Account/GetTotpHandler.php
new file mode 100644
index 0000000..6a89c3c
--- /dev/null
+++ b/code_examples/totp/src/Admin/src/Handler/Account/GetTotpHandler.php
@@ -0,0 +1,44 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Admin\Admin\Handler\Account;
+
+use Admin\Admin\Form\TotpForm;
+use Dot\DependencyInjection\Attribute\Inject;
+use Laminas\Diactoros\Response\EmptyResponse;
+use Laminas\Diactoros\Response\HtmlResponse;
+use Mezzio\Router\RouterInterface;
+use Mezzio\Template\TemplateRendererInterface;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Psr\Http\Server\RequestHandlerInterface;
+
+class GetTotpHandler implements RequestHandlerInterface
+{
+    #[Inject(
+        TemplateRendererInterface::class,
+        TotpForm::class,
+        RouterInterface::class,
+    )]
+    public function __construct(
+        protected TemplateRendererInterface $template,
+        protected TotpForm $totpForm,
+        protected RouterInterface $router,
+    ) {
+    }
+
+    public function handle(ServerRequestInterface $request): ResponseInterface|EmptyResponse|HtmlResponse
+    {
+        $this->totpForm
+            ->setAttribute('action', $this->router->generateUri('admin::validate-totp'));
+
+        return new HtmlResponse(
+            $this->template->render('admin::validate-totp-form', [
+                'totpForm'  => $this->totpForm->prepare(),
+                'cancelUrl' => $request->getAttribute('cancelUrl'),
+                'error'     => null,
+            ])
+        );
+    }
+}
diff --git a/code_examples/totp/src/Admin/src/Handler/Account/PostDisableTotpHandler.php b/code_examples/totp/src/Admin/src/Handler/Account/PostDisableTotpHandler.php
new file mode 100644
index 0000000..ddfa1b0
--- /dev/null
+++ b/code_examples/totp/src/Admin/src/Handler/Account/PostDisableTotpHandler.php
@@ -0,0 +1,78 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Admin\Admin\Handler\Account;
+
+use Admin\Admin\Service\AdminServiceInterface;
+use Admin\App\Exception\NotFoundException;
+use Core\App\Message;
+use Dot\DependencyInjection\Attribute\Inject;
+use Dot\FlashMessenger\FlashMessengerInterface;
+use Dot\Totp\Totp;
+use Fig\Http\Message\StatusCodeInterface;
+use Laminas\Authentication\AuthenticationService;
+use Laminas\Authentication\Exception\ExceptionInterface;
+use Laminas\Diactoros\Response\EmptyResponse;
+use Laminas\Diactoros\Response\RedirectResponse;
+use Mezzio\Router\RouterInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Psr\Http\Server\RequestHandlerInterface;
+
+use function is_array;
+
+class PostDisableTotpHandler implements RequestHandlerInterface
+{
+    #[Inject(
+        RouterInterface::class,
+        AdminServiceInterface::class,
+        AuthenticationService::class,
+        Totp::class,
+        FlashMessengerInterface::class
+    )]
+    public function __construct(
+        protected RouterInterface $router,
+        protected AdminServiceInterface $adminService,
+        protected AuthenticationService $authenticationService,
+        protected Totp $totpService,
+        protected FlashMessengerInterface $messenger
+    ) {
+    }
+
+    /**
+     * @throws ExceptionInterface
+     */
+    public function handle(ServerRequestInterface $request): EmptyResponse|RedirectResponse
+    {
+        try {
+            $admin = $this->adminService->findAdmin($this->authenticationService->getIdentity()->getId());
+        } catch (NotFoundException $exception) {
+            $this->messenger->addError($exception->getMessage());
+
+            return new EmptyResponse(StatusCodeInterface::STATUS_NOT_FOUND);
+        }
+
+        $parsedBody = $request->getParsedBody();
+        $storage    = $this->authenticationService->getStorage()->read();
+
+        if (! is_array($parsedBody) || ! isset($parsedBody['code'])) {
+            $this->messenger->addError(Message::VALIDATOR_INVALID_CODE);
+            return new RedirectResponse(
+                $this->router->generateUri('admin::validate-totp-form')
+            );
+        }
+
+        $code = (string) $parsedBody['code'];
+
+        if ($this->totpService->verifyCode((string) $admin->getTotpSecret(), $code)) {
+            $admin->disableTotp();
+            $this->adminService->getAdminRepository()->saveResource($admin);
+            $storage->totp_verified = false;
+            return new RedirectResponse($this->router->generateUri('admin::edit-account'));
+        } else {
+            $this->messenger->addError(Message::VALIDATOR_INVALID_CODE);
+        }
+
+        return new RedirectResponse($this->router->generateUri('admin::disable-totp-form'));
+    }
+}
diff --git a/code_examples/totp/src/Admin/src/Handler/Account/PostEnableTotpHandler.php b/code_examples/totp/src/Admin/src/Handler/Account/PostEnableTotpHandler.php
new file mode 100644
index 0000000..dd9652b
--- /dev/null
+++ b/code_examples/totp/src/Admin/src/Handler/Account/PostEnableTotpHandler.php
@@ -0,0 +1,105 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Admin\Admin\Handler\Account;
+
+use Admin\Admin\Form\TotpForm;
+use Admin\Admin\Service\AdminServiceInterface;
+use Admin\App\Exception\NotFoundException;
+use Core\App\Message;
+use Dot\DependencyInjection\Attribute\Inject;
+use Dot\FlashMessenger\FlashMessengerInterface;
+use Dot\Totp\Totp;
+use Fig\Http\Message\StatusCodeInterface;
+use Laminas\Authentication\AuthenticationService;
+use Laminas\Authentication\Exception\ExceptionInterface;
+use Laminas\Diactoros\Response\EmptyResponse;
+use Laminas\Diactoros\Response\HtmlResponse;
+use Laminas\Diactoros\Response\RedirectResponse;
+use Mezzio\Router\RouterInterface;
+use Mezzio\Template\TemplateRendererInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Psr\Http\Server\RequestHandlerInterface;
+use Random\RandomException;
+
+use function is_array;
+
+class PostEnableTotpHandler implements RequestHandlerInterface
+{
+    #[Inject(
+        RouterInterface::class,
+        TemplateRendererInterface::class,
+        AdminServiceInterface::class,
+        AuthenticationService::class,
+        Totp::class,
+        FlashMessengerInterface::class,
+        TotpForm::class
+    )]
+    public function __construct(
+        protected RouterInterface $router,
+        protected TemplateRendererInterface $template,
+        protected AdminServiceInterface $adminService,
+        protected AuthenticationService $authenticationService,
+        protected Totp $totpService,
+        protected FlashMessengerInterface $messenger,
+        protected TotpForm $form
+    ) {
+    }
+
+    /**
+     * @throws ExceptionInterface
+     * @throws RandomException
+     */
+    public function handle(ServerRequestInterface $request): EmptyResponse|RedirectResponse|HtmlResponse
+    {
+        try {
+            $admin = $this->adminService->findAdmin($this->authenticationService->getIdentity()->getId());
+        } catch (NotFoundException $exception) {
+            $this->messenger->addError($exception->getMessage());
+
+            return new EmptyResponse(StatusCodeInterface::STATUS_NOT_FOUND);
+        }
+
+        $parsedBody = $request->getParsedBody();
+        $storage    = $this->authenticationService->getStorage()->read();
+
+        if (! is_array($parsedBody) || ! isset($parsedBody['code'])) {
+            $this->messenger->addError(Message::VALIDATOR_INVALID_CODE);
+            return new RedirectResponse(
+                $this->router->generateUri('admin::validate-totp-form')
+            );
+        }
+
+        $code = (string) $parsedBody['code'];
+
+        if ($admin->isTotpEnabled()) {
+            $pendingSecret = $admin->getTotpSecret();
+        } else {
+            $pendingSecret = $storage->pendingSecret;
+        }
+
+        if ($this->totpService->verifyCode($pendingSecret, $code)) {
+            $recoveryCodes = $this->totpService->generateRecoveryCodes();
+            $admin->enableTotp($pendingSecret);
+
+            $hashedRecoveryCodes = $this->totpService->hashRecoveryCodes($recoveryCodes);
+            $admin->setRecoveryCodes($hashedRecoveryCodes);
+
+            $this->adminService->getAdminRepository()->saveResource($admin);
+            $storage->totp_verified = true;
+            if (isset($storage->recovery_auth)) {
+                unset($storage->recovery_auth);
+            }
+
+            return new HtmlResponse($this->template->render('admin::list-recovery-codes', [
+                'totpForm'   => $this->form,
+                'plainCodes' => $recoveryCodes,
+            ]));
+        } else {
+            $this->messenger->addError(Message::VALIDATOR_INVALID_CODE);
+        }
+
+        return new RedirectResponse($this->router->generateUri('admin::enable-totp-form'));
+    }
+}
diff --git a/code_examples/totp/src/Admin/src/Handler/Account/PostValidateRecoveryHandler.php b/code_examples/totp/src/Admin/src/Handler/Account/PostValidateRecoveryHandler.php
new file mode 100644
index 0000000..f50075c
--- /dev/null
+++ b/code_examples/totp/src/Admin/src/Handler/Account/PostValidateRecoveryHandler.php
@@ -0,0 +1,82 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Admin\Admin\Handler\Account;
+
+use Admin\Admin\Service\AdminServiceInterface;
+use Admin\App\Exception\NotFoundException;
+use Core\App\Message;
+use Dot\DependencyInjection\Attribute\Inject;
+use Dot\FlashMessenger\FlashMessengerInterface;
+use Dot\Totp\Totp;
+use Fig\Http\Message\StatusCodeInterface;
+use Laminas\Authentication\AuthenticationService;
+use Laminas\Authentication\Exception\ExceptionInterface;
+use Laminas\Diactoros\Response\EmptyResponse;
+use Laminas\Diactoros\Response\RedirectResponse;
+use Mezzio\Router\RouterInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Psr\Http\Server\RequestHandlerInterface;
+
+use function array_values;
+use function is_array;
+
+class PostValidateRecoveryHandler implements RequestHandlerInterface
+{
+    #[Inject(
+        RouterInterface::class,
+        AdminServiceInterface::class,
+        AuthenticationService::class,
+        Totp::class,
+        FlashMessengerInterface::class,
+    )]
+    public function __construct(
+        protected RouterInterface $router,
+        protected AdminServiceInterface $adminService,
+        protected AuthenticationService $authenticationService,
+        protected Totp $totpService,
+        protected FlashMessengerInterface $messenger,
+    ) {
+    }
+
+    /**
+     * @throws ExceptionInterface
+     */
+    public function handle(ServerRequestInterface $request): EmptyResponse|RedirectResponse
+    {
+        try {
+            $admin = $this->adminService->findAdmin($this->authenticationService->getIdentity()->getId());
+        } catch (NotFoundException $exception) {
+            $this->messenger->addError($exception->getMessage());
+
+            return new EmptyResponse(StatusCodeInterface::STATUS_NOT_FOUND);
+        }
+
+        $parsedBody = $request->getParsedBody();
+        $storage    = $this->authenticationService->getStorage()->read();
+
+        if (! is_array($parsedBody) || ! isset($parsedBody['recoveryCode'])) {
+            $this->messenger->addError(Message::VALIDATOR_INVALID_CODE);
+            return new RedirectResponse(
+                $this->router->generateUri('admin::recovery-form')
+            );
+        }
+
+        $recoveryCode = (string) $parsedBody['recoveryCode'];
+        $hashedCodes  = $admin->getRecoveryCodes() ?? [];
+
+        if ($this->totpService->validateRecoveryCode($recoveryCode, $hashedCodes)) {
+            $admin->setRecoveryCodes(array_values($hashedCodes));
+            $admin->disableTotp();
+            $storage->recovery_auth = true;
+
+            $this->adminService->getAdminRepository()->saveResource($admin);
+            return new RedirectResponse($this->router->generateUri('admin::enable-totp-form'));
+        } else {
+            $this->messenger->addError(Message::VALIDATOR_INVALID_CODE);
+        }
+
+        return new RedirectResponse($this->router->generateUri('admin::validate-totp-form'));
+    }
+}
diff --git a/code_examples/totp/src/Admin/src/Handler/Account/PostValidateTotpHandler.php b/code_examples/totp/src/Admin/src/Handler/Account/PostValidateTotpHandler.php
new file mode 100644
index 0000000..6b03745
--- /dev/null
+++ b/code_examples/totp/src/Admin/src/Handler/Account/PostValidateTotpHandler.php
@@ -0,0 +1,78 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Admin\Admin\Handler\Account;
+
+use Admin\Admin\Service\AdminServiceInterface;
+use Admin\App\Exception\NotFoundException;
+use Core\App\Message;
+use Dot\DependencyInjection\Attribute\Inject;
+use Dot\FlashMessenger\FlashMessengerInterface;
+use Dot\Totp\Totp;
+use Fig\Http\Message\StatusCodeInterface;
+use Laminas\Authentication\AuthenticationService;
+use Laminas\Authentication\Exception\ExceptionInterface;
+use Laminas\Diactoros\Response\EmptyResponse;
+use Laminas\Diactoros\Response\RedirectResponse;
+use Mezzio\Router\RouterInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Psr\Http\Server\RequestHandlerInterface;
+
+use function is_array;
+
+class PostValidateTotpHandler implements RequestHandlerInterface
+{
+    #[Inject(
+        RouterInterface::class,
+        AdminServiceInterface::class,
+        AuthenticationService::class,
+        Totp::class,
+        FlashMessengerInterface::class,
+    )]
+    public function __construct(
+        protected RouterInterface $router,
+        protected AdminServiceInterface $adminService,
+        protected AuthenticationService $authenticationService,
+        protected Totp $totpService,
+        protected FlashMessengerInterface $messenger,
+    ) {
+    }
+
+    /**
+     * @throws ExceptionInterface
+     */
+    public function handle(ServerRequestInterface $request): EmptyResponse|RedirectResponse
+    {
+        try {
+            $admin = $this->adminService->findAdmin($this->authenticationService->getIdentity()->getId());
+        } catch (NotFoundException $exception) {
+            $this->messenger->addError($exception->getMessage());
+
+            return new EmptyResponse(StatusCodeInterface::STATUS_NOT_FOUND);
+        }
+
+        $parsedBody = $request->getParsedBody();
+        $storage    = $this->authenticationService->getStorage()->read();
+
+        if (! is_array($parsedBody) || ! isset($parsedBody['code'])) {
+            $this->messenger->addError(Message::VALIDATOR_INVALID_CODE);
+            return new RedirectResponse(
+                $this->router->generateUri('admin::validate-totp-form')
+            );
+        }
+
+        $code = (string) $parsedBody['code'];
+
+        if ($this->totpService->verifyCode((string) $admin->getTotpSecret(), $code)) {
+            $this->adminService->getAdminRepository()->saveResource($admin);
+            $storage->totp_verified = true;
+
+            return new RedirectResponse($this->router->generateUri($storage->route ?? 'dashboard::view-dashboard'));
+        } else {
+            $this->messenger->addError(Message::VALIDATOR_INVALID_CODE);
+        }
+
+        return new RedirectResponse($this->router->generateUri('admin::validate-totp-form'));
+    }
+}
diff --git a/code_examples/totp/src/Admin/templates/admin/recovery-form.html.twig b/code_examples/totp/src/Admin/templates/admin/recovery-form.html.twig
new file mode 100644
index 0000000..7a7a293
--- /dev/null
+++ b/code_examples/totp/src/Admin/templates/admin/recovery-form.html.twig
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <link href="{{ asset('css/app.css') }}" rel="stylesheet">
+</head>
+<body class="app">
+{{ messagesPartial('partial::notifications', {dismissible: true}) }}
+<div class="d-flex justify-content-center align-items-center vh-100">
+    <div class="text-center">
+        <div class="mb-3">
+            <h2 class="mx-3">Recovery code</h2>
+
+            {{ form().openTag(recoveryForm)|raw }}
+
+            {{ formElement(recoveryForm.get('recoveryCode')) }}
+            {{ formElement(recoveryForm.get('recoveryCsrf')) }}
+
+            <div class="d-flex flex-column align-items-center mt-3">
+                {{ formElement(recoveryForm.get('submit')) }}
+                <a href="{{ path('admin::validate-totp-form') }}" class="btn btn-secondary mt-2">Cancel</a>
+            </div>
+
+            {{ form().closeTag()|raw }}
+        </div>
+    </div>
+</div>
+<script src="{{ asset('js/app.js') }}"></script>
+</body>
+</html>
diff --git a/code_examples/totp/src/Admin/templates/admin/validate-totp-form.html.twig b/code_examples/totp/src/Admin/templates/admin/validate-totp-form.html.twig
new file mode 100644
index 0000000..366e4dd
--- /dev/null
+++ b/code_examples/totp/src/Admin/templates/admin/validate-totp-form.html.twig
@@ -0,0 +1,44 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <link href="{{ asset('css/app.css') }}" rel="stylesheet">
+</head>
+<body class="app">
+{{ messagesPartial('partial::notifications', {dismissible: true}) }}
+<div class="d-flex justify-content-center align-items-center vh-100">
+    <div class="text-center">
+        <div class="mb-3">
+            <h2 class="mx-3">{{ totpForm.getAttribute('title') }}</h2>
+
+            {% if qrSvg is defined %}
+                <div id="qrCodeContainer" class="my-4">
+                    {{ qrSvg|raw }}
+                </div>
+
+                <p class="mb-3">
+                    Scan the QR code with your authenticator app and enter the 6-digit code below.
+                </p>
+            {% endif %}
+
+            {{ form().openTag(totpForm)|raw }}
+
+            {{ formElement(totpForm.get('code')) }}
+            {{ formElement(totpForm.get('totpCsrf')) }}
+
+            <div class="d-flex flex-column align-items-center mt-3">
+                {{ formElement(totpForm.get('submit')) }}
+
+                {% if qrSvg is not defined %}
+                    <a href="{{ path('admin::recovery-form') }}" class="btn btn-warning mt-2">Recovery</a>
+                {% endif %}
+
+                <a href="{{ cancelUrl }}" class="btn btn-secondary mt-2">Cancel</a>
+            </div>
+
+            {{ form().closeTag()|raw }}
+        </div>
+    </div>
+</div>
+<script src="{{ asset('js/app.js') }}"></script>
+</body>
+</html>
diff --git a/code_examples/totp/src/App/src/Middleware/CancelUrlMiddleware.php b/code_examples/totp/src/App/src/Middleware/CancelUrlMiddleware.php
new file mode 100644
index 0000000..8c0649c
--- /dev/null
+++ b/code_examples/totp/src/App/src/Middleware/CancelUrlMiddleware.php
@@ -0,0 +1,53 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Admin\App\Middleware;
+
+use Dot\DependencyInjection\Attribute\Inject;
+use Laminas\Authentication\AuthenticationService;
+use Laminas\Authentication\Exception\ExceptionInterface;
+use Mezzio\Router\RouterInterface;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Psr\Http\Server\MiddlewareInterface;
+use Psr\Http\Server\RequestHandlerInterface;
+
+use function str_contains;
+
+class CancelUrlMiddleware implements MiddlewareInterface
+{
+    #[Inject(
+        RouterInterface::class,
+        AuthenticationService::class,
+    )]
+    public function __construct(
+        protected RouterInterface $router,
+        protected AuthenticationService $authService
+    ) {
+    }
+
+    /**
+     * @throws ExceptionInterface
+     */
+    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
+    {
+        $cancelUrl = $this->router->generateUri('admin::login-admin-form');
+
+        $storage = $this->authService->getStorage()->read();
+
+        if (isset($storage->recovery_auth) || isset($storage->totp_verified)) {
+            $referer = $request->getHeaderLine('Referer');
+
+            if (str_contains($referer, $this->router->generateUri('admin::recovery-form'))) {
+                $cancelUrl = $this->router->generateUri('admin::edit-account-form');
+            } else {
+                $cancelUrl = $referer;
+            }
+        }
+
+        return $handler->handle(
+            $request->withAttribute('cancelUrl', $cancelUrl)
+        );
+    }
+}
diff --git a/code_examples/totp/src/App/src/Middleware/TotpMiddleware.php b/code_examples/totp/src/App/src/Middleware/TotpMiddleware.php
new file mode 100644
index 0000000..3ce1d34
--- /dev/null
+++ b/code_examples/totp/src/App/src/Middleware/TotpMiddleware.php
@@ -0,0 +1,110 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Admin\App\Middleware;
+
+use Core\Admin\Entity\Admin;
+use Core\Admin\Entity\AdminIdentity;
+use Doctrine\ORM\EntityManagerInterface;
+use Doctrine\ORM\Exception\ORMException;
+use Doctrine\ORM\OptimisticLockException;
+use Laminas\Authentication\AuthenticationService;
+use Laminas\Authentication\Exception\ExceptionInterface;
+use Laminas\Diactoros\Response\RedirectResponse;
+use Mezzio\Authentication\UserInterface;
+use Mezzio\Router\RouteResult;
+use Mezzio\Router\RouterInterface;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Psr\Http\Server\MiddlewareInterface;
+use Psr\Http\Server\RequestHandlerInterface;
+use RuntimeException;
+
+use function in_array;
+
+class TotpMiddleware implements MiddlewareInterface
+{
+    /** @var array<string, bool> */
+    private array $routes;
+
+    /**
+     * @param array<non-empty-string, mixed> $config
+     */
+    public function __construct(
+        protected AuthenticationService $authService,
+        protected EntityManagerInterface $entityManager,
+        protected RouterInterface $router,
+        protected array $config
+    ) {
+        $this->routes = $config['dot_totp']['totp_required_routes'] ?? [];
+    }
+
+    /**
+     * @throws OptimisticLockException
+     * @throws ORMException
+     * @throws ExceptionInterface
+     */
+    public function process(
+        ServerRequestInterface $request,
+        RequestHandlerInterface $handler
+    ): responseInterface|RedirectResponse {
+        $storage = $this->authService->getStorage()->read();
+        /** @var AdminIdentity $identity */
+        $identity    = $this->authService->getIdentity();
+        $routeResult = $request->getAttribute(RouteResult::class);
+        $routeName   = $routeResult->getMatchedRouteName();
+
+        $excludedRoutes = [
+            'admin::validate-totp-form',
+            'admin::validate-totp',
+            'admin::enable-totp-form',
+            'admin::logout-admin',
+            'admin::recovery-form',
+            'admin::validate-recovery',
+            'admin::login-admin-form',
+        ];
+
+        if (
+            in_array($routeName, $excludedRoutes, true) ||
+            (isset($storage->totp_verified) && $storage->totp_verified)
+        ) {
+            return $handler->handle($request);
+        }
+
+        if ($identity instanceof UserInterface) {
+            $type = $identity::class;
+            $map  = $this->config['dot_totp']['identity_class_map'];
+
+            if (! isset($map[$type])) {
+                throw new RuntimeException("No identity_class configured for type $type");
+            }
+
+            /** @var class-string<object> $entityClass */
+            $entityClass = $map[$type];
+            /** @var Admin|null $entity */
+            $entity = $this->entityManager->find($entityClass, $identity->id);
+
+            if ($entity === null) {
+                throw new RuntimeException("Entity of type $entityClass with ID {$identity->id} not found");
+            }
+
+            if (! isset($storage->totp_verified) && $entity->isTotpEnabled()) {
+                return new RedirectResponse($this->router->generateUri('admin::validate-totp-form'));
+            }
+
+            if (! isset($this->routes[$routeName]) || ! $this->routes[$routeName]) {
+                return $handler->handle($request);
+            }
+
+            $storage->route = $routeName;
+            if ($entity->isTotpEnabled()) {
+                return new RedirectResponse($this->router->generateUri('admin::validate-totp-form'));
+            } else {
+                return new RedirectResponse($this->router->generateUri('admin::enable-totp-form'));
+            }
+        }
+
+        return $handler->handle($request);
+    }
+}
diff --git a/code_examples/totp/src/Core/src/App/src/Entity/TotpTrait.php b/code_examples/totp/src/Core/src/App/src/Entity/TotpTrait.php
new file mode 100644
index 0000000..989be2a
--- /dev/null
+++ b/code_examples/totp/src/Core/src/App/src/Entity/TotpTrait.php
@@ -0,0 +1,64 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Core\App\Entity;
+
+use Doctrine\DBAL\Types\Types;
+use Doctrine\ORM\Mapping as ORM;
+
+trait TotpTrait
+{
+    #[ORM\Column(name: 'totp_secret', type: 'string', length: 32, nullable: true)]
+    protected ?string $totpSecret = null;
+
+    #[ORM\Column(name: 'totp_enabled', type: 'boolean', options: ['default' => false])]
+    protected bool $totpEnabled = false;
+
+    /** @var string[]|null */
+    #[ORM\Column(name: 'recovery_codes', type: Types::JSON, nullable: true)]
+    protected ?array $recoveryCodes = null;
+
+    public function enableTotp(string $secret): self
+    {
+        $this->totpSecret  = $secret;
+        $this->totpEnabled = true;
+
+        return $this;
+    }
+
+    public function disableTotp(): self
+    {
+        $this->totpSecret    = null;
+        $this->totpEnabled   = false;
+        $this->recoveryCodes = null;
+
+        return $this;
+    }
+
+    public function isTotpEnabled(): bool
+    {
+        return $this->totpEnabled;
+    }
+
+    public function getTotpSecret(): ?string
+    {
+        return $this->totpSecret;
+    }
+
+    /**
+     * @param string[]|null $recoveryCodes
+     */
+    public function setRecoveryCodes(?array $recoveryCodes = null): void
+    {
+        $this->recoveryCodes = $recoveryCodes;
+    }
+
+    /**
+     * @return string[]|null
+     */
+    public function getRecoveryCodes(): ?array
+    {
+        return $this->recoveryCodes;
+    }
+}