Allow plain login from LAN?

Is it possible to configure TOTP to bypass the second login step for specific subnets?

I would like to let my users login without TOTP from their LAN workstations, or from their official laptops with VPN connections – but have them forced to use TOTP from anywhere else.


Afaik, this is not possible and frankly, it’s not a good idea either. If you want/need totp, then you do so, because you have a reason to, otherwise you wouldn’t bother with it anyway.

There is no logical reason to allow anyone to login from a specific device, bypassing totp, if your data needs such protection.

There is already a longer discussion on github: