Authelia settings still open after password-only sign-in

Authelia is being used to protect several sites, with passkeys and TOTP set up and required for those sites. The problem is that the Authelia settings page can still be opened with only a username and password.

The tries to protect the `/settings` path with a `two_factor` policy and also requires a second factor for elevated sessions, but that is not producing the expected result. New users will be added manually.

When adding TOTP or passkeys, the setup still asks for an email one-time password, and the goal is to use an existing passkey or TOTP instead. Authelia was chosen because RAM is limited, Traefik is the , and CrowdSec is already used to block brute-force attempts against Authelia.

Key points

  • Authelia is protecting sites with passkeys, TOTP, and .
  • The Authelia settings page still opens after password-only sign-in.
  • A rule for the `/settings` path uses a `two_factor` policy, but it is not working as expected.
  • Adding TOTP or passkeys still requires an email one-time password instead of an existing factor.
  • The setup uses Authelia because RAM is limited, with Traefik and CrowdSec also in place.
Read original