Today I had the issue that TOTP was not working fine at a customer site. The main issue was that a user could bypass the TOTP authentication, was routed to the MFA setup site, clicked “Finished” and was routed to the homepage.nsf.

After opening a case I received 2 informations very quick ( thanks to Neha Bansal !! )

Rerouting to “homepage.nsf”
It´s a known issue documented under SPR # SPPPCBVMA6. The issue is due to TOTP cache reset, the URL is defaulted to homepage instead of user mailfile. This SPR is going to be fixed in upcoming release of Domino.

Bypassing the TOTP authentication ( the more important issue )
If you have enabled Directory Assistance ( DA ) there’s an issue where TOTP is bypassed. This is documented under SPR # SPPPCDVFB2 and a hotfix is available to install on top of Domino server version 1201FP1. So if you enabled DA and want TOTP to be active feel free to open a case at HCL and receive the hotfix.