TOTP is mandatory. Sessions are httpOnly + CSRF-protected.