diff --git a/api/user/otp.go b/api/user/otp.go
index d6afedd4..e5eb000d 100644
--- a/api/user/otp.go
+++ b/api/user/otp.go
@@ -20,14 +20,14 @@ import (
 )
 
 func GenerateTOTP(c *gin.Context) {
-	user := api.CurrentUser(c)
+	u := api.CurrentUser(c)
 
 	issuer := fmt.Sprintf("Nginx UI %s", settings.ServerSettings.Name)
 	issuer = strings.TrimSpace(issuer)
 
 	otpOpts := totp.GenerateOpts{
 		Issuer:      issuer,
-		AccountName: user.Name,
+		AccountName: u.Name,
 		Period:      30, // seconds
 		Digits:      otp.DigitsSix,
 		Algorithm:   otp.AlgorithmSHA1,
@@ -76,6 +76,13 @@ func EnrollTOTP(c *gin.Context) {
 		return
 	}
 
+	if settings.ServerSettings.Demo {
+		c.JSON(http.StatusBadRequest, gin.H{
+			"message": "This feature is disabled in demo mode",
+		})
+		return
+	}
+
 	var json struct {
 		Secret   string `json:"secret" binding:"required"`
 		Passcode string `json:"passcode" binding:"required"`