diff --git a/internal/nodes/session_manager.go b/internal/nodes/session_manager.go
index 44cd05d9..fe5f7df7 100644
--- a/internal/nodes/session_manager.go
+++ b/internal/nodes/session_manager.go
@@ -8,6 +8,7 @@ import (
 	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
 	"github.com/iwind/TeaGo/actions"
 	"github.com/iwind/TeaGo/logs"
+	"strings"
 )
 
 type SessionManager struct {
@@ -30,6 +31,11 @@ func (this *SessionManager) Init(config *actions.SessionConfig) {
 }
 
 func (this *SessionManager) Read(sid string) map[string]string {
+	// 忽略OTP
+	if strings.HasSuffix(sid, "_otp") {
+		return map[string]string{}
+	}
+
 	var result = map[string]string{}
 
 	resp, err := this.rpcClient.LoginSessionRPC().FindLoginSession(this.rpcClient.Context(0), &pb.FindLoginSessionRequest{Sid: sid})
@@ -52,6 +58,11 @@ func (this *SessionManager) Read(sid string) map[string]string {
 }
 
 func (this *SessionManager) WriteItem(sid string, key string, value string) bool {
+	// 忽略OTP
+	if strings.HasSuffix(sid, "_otp") {
+		return false
+	}
+
 	_, err := this.rpcClient.LoginSessionRPC().WriteLoginSessionValue(this.rpcClient.Context(0), &pb.WriteLoginSessionValueRequest{
 		Sid:   sid,
 		Key:   key,
@@ -65,6 +76,11 @@ func (this *SessionManager) WriteItem(sid string, key string, value string) bool
 }
 
 func (this *SessionManager) Delete(sid string) bool {
+	// 忽略OTP
+	if strings.HasSuffix(sid, "_otp") {
+		return false
+	}
+
 	_, err := this.rpcClient.LoginSessionRPC().DeleteLoginSession(this.rpcClient.Context(0), &pb.DeleteLoginSessionRequest{Sid: sid})
 	if err != nil {
 		logs.Println("SESSION", "delete '"+sid+"' failed: "+err.Error())
diff --git a/internal/web/actions/default/index/checkOTP.go b/internal/web/actions/default/index/checkOTP.go
deleted file mode 100644
index 75afe643..00000000
--- a/internal/web/actions/default/index/checkOTP.go
+++ /dev/null
@@ -1,30 +0,0 @@
-package index
-
-import (
-	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/actionutils"
-	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
-	"github.com/iwind/TeaGo/actions"
-)
-
-// 检查是否需要OTP
-type CheckOTPAction struct {
-	actionutils.ParentAction
-}
-
-func (this *CheckOTPAction) Init() {
-	this.Nav("", "", "")
-}
-
-func (this *CheckOTPAction) RunPost(params struct {
-	Username string
-
-	Must *actions.Must
-}) {
-	checkResp, err := this.RPC().AdminRPC().CheckAdminOTPWithUsername(this.AdminContext(), &pb.CheckAdminOTPWithUsernameRequest{Username: params.Username})
-	if err != nil {
-		this.ErrorPage(err)
-		return
-	}
-	this.Data["requireOTP"] = checkResp.RequireOTP
-	this.Success()
-}
diff --git a/internal/web/actions/default/index/index.go b/internal/web/actions/default/index/index.go
index 15a0891f..1beaf192 100644
--- a/internal/web/actions/default/index/index.go
+++ b/internal/web/actions/default/index/index.go
@@ -1,7 +1,6 @@
 package index
 
 import (
-	"encoding/json"
 	"fmt"
 	"github.com/TeaOSLab/EdgeAdmin/internal/configloaders"
 	teaconst "github.com/TeaOSLab/EdgeAdmin/internal/const"
@@ -14,10 +13,8 @@ import (
 	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/dao"
 	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
 	"github.com/iwind/TeaGo/actions"
-	"github.com/iwind/TeaGo/maps"
 	"github.com/iwind/TeaGo/types"
 	stringutil "github.com/iwind/TeaGo/utils/string"
-	"github.com/xlzd/gotp"
 	"time"
 )
 
@@ -27,7 +24,8 @@ type IndexAction struct {
 
 // 首页（登录页）
 
-var TokenSalt = stringutil.Rand(32)
+// TokenKey 加密用的密钥
+var TokenKey = stringutil.Rand(32)
 
 func (this *IndexAction) RunGet(params struct {
 	From string
@@ -59,7 +57,7 @@ func (this *IndexAction) RunGet(params struct {
 	this.Data["menu"] = "signIn"
 
 	var timestamp = fmt.Sprintf("%d", time.Now().Unix())
-	this.Data["token"] = stringutil.Md5(TokenSalt+timestamp) + timestamp
+	this.Data["token"] = stringutil.Md5(TokenKey+timestamp) + timestamp
 	this.Data["from"] = params.From
 
 	uiConfig, err := configloaders.LoadAdminUIConfig()
@@ -93,9 +91,10 @@ func (this *IndexAction) RunPost(params struct {
 	Password string
 	OtpCode  string
 	Remember bool
-	Must     *actions.Must
-	Auth     *helpers.UserShouldAuth
-	CSRF     *actionutils.CSRF
+
+	Must *actions.Must
+	Auth *helpers.UserShouldAuth
+	CSRF *actionutils.CSRF
 }) {
 	params.Must.
 		Field("username", params.Username).
@@ -112,7 +111,7 @@ func (this *IndexAction) RunPost(params struct {
 		this.Fail("请通过登录页面登录")
 	}
 	var timestampString = params.Token[32:]
-	if stringutil.Md5(TokenSalt+timestampString) != params.Token[:32] {
+	if stringutil.Md5(TokenKey+timestampString) != params.Token[:32] {
 		this.FailField("refresh", "登录页面已过期，请刷新后重试")
 	}
 	var timestamp = types.Int64(timestampString)
@@ -123,6 +122,7 @@ func (this *IndexAction) RunPost(params struct {
 	rpcClient, err := rpc.SharedRPC()
 	if err != nil {
 		this.Fail("服务器出了点小问题：" + err.Error())
+		return
 	}
 	resp, err := rpcClient.AdminRPC().LoginAdmin(rpcClient.Context(0), &pb.LoginAdminRequest{
 		Username: params.Username,
@@ -136,6 +136,7 @@ func (this *IndexAction) RunPost(params struct {
 		}
 
 		actionutils.Fail(this, err)
+		return
 	}
 
 	if !resp.IsOk {
@@ -145,31 +146,37 @@ func (this *IndexAction) RunPost(params struct {
 		}
 
 		this.Fail("请输入正确的用户名密码")
+		return
 	}
+	var adminId = resp.AdminId
 
-	// 检查OTP
-	otpLoginResp, err := this.RPC().LoginRPC().FindEnabledLogin(this.AdminContext(), &pb.FindEnabledLoginRequest{
-		AdminId: resp.AdminId,
-		Type:    "otp",
-	})
+	// 检查是否支持OTP
+	checkOTPResp, err := this.RPC().AdminRPC().CheckAdminOTPWithUsername(this.AdminContext(), &pb.CheckAdminOTPWithUsernameRequest{Username: params.Username})
 	if err != nil {
 		this.ErrorPage(err)
 		return
 	}
-	if otpLoginResp.Login != nil && otpLoginResp.Login.IsOn {
-		var loginParams = maps.Map{}
-		err = json.Unmarshal(otpLoginResp.Login.ParamsJSON, &loginParams)
+	var requireOTP = checkOTPResp.RequireOTP
+	this.Data["requireOTP"] = requireOTP
+	if requireOTP {
+		this.Data["remember"] = params.Remember
+
+		var sid = this.Session().Sid
+		this.Data["sid"] = sid
+		_, err = this.RPC().LoginSessionRPC().WriteLoginSessionValue(this.AdminContext(), &pb.WriteLoginSessionValueRequest{
+			Sid:   sid + "_otp",
+			Key:   "adminId",
+			Value: types.String(adminId),
+		})
 		if err != nil {
 			this.ErrorPage(err)
 			return
 		}
-		secret := loginParams.GetString("secret")
-		if gotp.NewDefaultTOTP(secret).Now() != params.OtpCode {
-			this.Fail("请输入正确的OTP动态密码")
-		}
+		this.Success()
+		return
 	}
 
-	var adminId = resp.AdminId
+	// 写入SESSION
 	params.Auth.StoreAdmin(adminId, params.Remember)
 
 	// 记录日志
diff --git a/internal/web/actions/default/index/init.go b/internal/web/actions/default/index/init.go
index 0348a503..ed9b8d45 100644
--- a/internal/web/actions/default/index/init.go
+++ b/internal/web/actions/default/index/init.go
@@ -7,9 +7,9 @@ import (
 func init() {
 	TeaGo.BeforeStart(func(server *TeaGo.Server) {
 		server.
-			Post("/checkOTP", new(CheckOTPAction)).
-			Prefix("/").
-			GetPost("", new(IndexAction)).
+			Prefix("").
+			GetPost("/", new(IndexAction)).
+			GetPost("/index/otp", new(OtpAction)).
 			EndAll()
 	})
 }
diff --git a/internal/web/actions/default/index/otp.go b/internal/web/actions/default/index/otp.go
new file mode 100644
index 00000000..d0360bf2
--- /dev/null
+++ b/internal/web/actions/default/index/otp.go
@@ -0,0 +1,154 @@
+// Copyright 2023 Liuxiangchao iwind.liu@gmail.com. All rights reserved. Official site: https://goedge.cn .
+
+package index
+
+import (
+	"encoding/json"
+	"fmt"
+	"github.com/TeaOSLab/EdgeAdmin/internal/configloaders"
+	teaconst "github.com/TeaOSLab/EdgeAdmin/internal/const"
+	"github.com/TeaOSLab/EdgeAdmin/internal/oplogs"
+	"github.com/TeaOSLab/EdgeAdmin/internal/rpc"
+	"github.com/TeaOSLab/EdgeAdmin/internal/setup"
+	"github.com/TeaOSLab/EdgeAdmin/internal/utils"
+	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/actionutils"
+	"github.com/TeaOSLab/EdgeAdmin/internal/web/helpers"
+	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/dao"
+	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
+	"github.com/iwind/TeaGo/actions"
+	"github.com/iwind/TeaGo/maps"
+	stringutil "github.com/iwind/TeaGo/utils/string"
+	"github.com/xlzd/gotp"
+	"time"
+)
+
+type OtpAction struct {
+	actionutils.ParentAction
+}
+
+func (this *OtpAction) Init() {
+	this.Nav("", "", "")
+}
+
+func (this *OtpAction) RunGet(params struct {
+	From     string
+	Sid      string
+	Remember bool
+}) {
+	// 检查系统是否已经配置过
+	if !setup.IsConfigured() {
+		this.RedirectURL("/setup")
+		return
+	}
+
+	//// 是否新安装
+	if setup.IsNewInstalled() {
+		this.RedirectURL("/setup/confirm")
+		return
+	}
+
+	this.Data["isUser"] = false
+	this.Data["menu"] = "signIn"
+
+	var timestamp = fmt.Sprintf("%d", time.Now().Unix())
+	this.Data["token"] = stringutil.Md5(TokenKey+timestamp) + timestamp
+	this.Data["from"] = params.From
+	this.Data["sid"] = params.Sid
+
+	uiConfig, err := configloaders.LoadAdminUIConfig()
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+	this.Data["systemName"] = uiConfig.AdminSystemName
+	this.Data["showVersion"] = uiConfig.ShowVersion
+	if len(uiConfig.Version) > 0 {
+		this.Data["version"] = uiConfig.Version
+	} else {
+		this.Data["version"] = teaconst.Version
+	}
+	this.Data["faviconFileId"] = uiConfig.FaviconFileId
+	this.Data["remember"] = params.Remember
+
+	this.Show()
+}
+
+func (this *OtpAction) RunPost(params struct {
+	Sid      string
+	OtpCode  string
+	Remember bool
+
+	Must *actions.Must
+	Auth *helpers.UserShouldAuth
+}) {
+	if len(params.OtpCode) == 0 {
+		this.FailField("otpCode", "请输入正确的OTP动态密码")
+		return
+	}
+
+	var sid = params.Sid
+	if len(sid) == 0 || len(sid) > 64 {
+		this.Fail("参数错误，请重新登录（001）")
+		return
+	}
+	sid += "_otp"
+
+	// 获取SESSION
+	sessionResp, err := this.RPC().LoginSessionRPC().FindLoginSession(this.AdminContext(), &pb.FindLoginSessionRequest{Sid: sid})
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+	var session = sessionResp.LoginSession
+	if session == nil || session.AdminId <= 0 {
+		this.Fail("参数错误，请重新登录（002）")
+		return
+	}
+	var adminId = session.AdminId
+
+	// 检查OTP
+	otpLoginResp, err := this.RPC().LoginRPC().FindEnabledLogin(this.AdminContext(), &pb.FindEnabledLoginRequest{
+		AdminId: adminId,
+		Type:    "otp",
+	})
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+	if otpLoginResp.Login != nil && otpLoginResp.Login.IsOn {
+		var loginParams = maps.Map{}
+		err = json.Unmarshal(otpLoginResp.Login.ParamsJSON, &loginParams)
+		if err != nil {
+			this.ErrorPage(err)
+			return
+		}
+		var secret = loginParams.GetString("secret")
+		if gotp.NewDefaultTOTP(secret).Now() != params.OtpCode {
+			this.FailField("otpCode", "请输入正确的OTP动态密码")
+			return
+		}
+	}
+
+	// 写入SESSION
+	params.Auth.StoreAdmin(adminId, params.Remember)
+
+	// 删除OTP SESSION
+	_, err = this.RPC().LoginSessionRPC().DeleteLoginSession(this.AdminContext(), &pb.DeleteLoginSessionRequest{Sid: sid})
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+
+	// 记录日志
+	rpcClient, err := rpc.SharedRPC()
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+	err = dao.SharedLogDAO.CreateAdminLog(rpcClient.Context(adminId), oplogs.LevelInfo, this.Request.URL.Path, "成功通过OTP验证登录系统", this.RequestRemoteIP())
+	if err != nil {
+		utils.PrintError(err)
+	}
+
+	this.Success()
+}
diff --git a/web/views/@default/index/index.html b/web/views/@default/index/index.html
index ec360cd2..a6168039 100644
--- a/web/views/@default/index/index.html
+++ b/web/views/@default/index/index.html
@@ -41,12 +41,6 @@
 						<input type="password" v-model="password" placeholder="请输入密码" maxlength="200" @input="changePassword()" ref="passwordRef"/>
 					</div>
 				</div>
-                <div class="ui field" v-show="showOTP">
-                    <div class="ui left icon input">
-                        <i class="ui barcode icon"></i>
-                        <input type="text" name="otpCode" placeholder="请输入OTP动态密码" maxlength="6"/>
-                    </div>
-                </div>
 				<div class="ui field" v-if="rememberLogin">
 					<a href="" @click.prevent="showMoreOptions()">更多选项 <i class="icon angle" :class="{down:!moreOptionsVisible, up:moreOptionsVisible}"></i> </a>
 				</div>
diff --git a/web/views/@default/index/index.js b/web/views/@default/index/index.js
index 89e9d2bf..e4bfafa5 100644
--- a/web/views/@default/index/index.js
+++ b/web/views/@default/index/index.js
@@ -9,8 +9,6 @@ Tea.context(function () {
 		this.password = "123456"
 	}
 
-	this.showOTP = false
-
 	this.isSubmitting = false
 
 	this.$delay(function () {
@@ -19,13 +17,7 @@ Tea.context(function () {
 	});
 
 	this.changeUsername = function () {
-		this.$post("/checkOTP")
-			.params({
-				username: this.username
-			})
-			.success(function (resp) {
-				this.showOTP = resp.data.requireOTP
-			})
+
 	}
 
 	this.changePassword = function () {
@@ -46,7 +38,11 @@ Tea.context(function () {
 		this.isSubmitting = false;
 	};
 
-	this.submitSuccess = function () {
+	this.submitSuccess = function (resp) {
+		if (resp.data.requireOTP) {
+			window.location = "/index/otp?sid=" + resp.data.sid + "&remember=" + (resp.data.remember ? 1 : 0) + "&from=" + window.encodeURIComponent(this.from)
+			return
+		}
 		if (this.from.length == 0) {
 			window.location = "/dashboard";
 		} else {
diff --git a/web/views/@default/index/otp.css b/web/views/@default/index/otp.css
new file mode 100644
index 00000000..ff56d3ad
--- /dev/null
+++ b/web/views/@default/index/otp.css
@@ -0,0 +1,42 @@
+.form-box {
+  position: fixed;
+  top: 2em;
+  bottom: 0;
+  left: 0;
+  right: 0;
+}
+form {
+  position: fixed;
+  width: 21em;
+  top: 50%;
+  left: 50%;
+  margin-left: -10em;
+  margin-top: -16em;
+}
+form .header {
+  text-align: center;
+  font-size: 1em !important;
+}
+form p {
+  font-size: 0.8em;
+  margin-top: 0.3em;
+  margin-bottom: 0;
+  font-weight: normal;
+  padding: 0;
+}
+form .comment {
+  margin-top: 0.5em;
+  padding: 0.5em;
+  color: gray;
+}
+form .cancel-login {
+  text-align: center;
+  padding-top: 1em;
+}
+@media screen and (max-width: 512px) {
+  form {
+    width: 80%;
+    margin-left: -40%;
+  }
+}
+/*# sourceMappingURL=otp.css.map */
\ No newline at end of file
diff --git a/web/views/@default/index/otp.css.map b/web/views/@default/index/otp.css.map
new file mode 100644
index 00000000..2ff4752c
--- /dev/null
+++ b/web/views/@default/index/otp.css.map
@@ -0,0 +1 @@
+{"version":3,"sources":["otp.less"],"names":[],"mappings":"AAAA;EACI,eAAA;EACA,QAAA;EACA,SAAA;EACA,OAAA;EACA,QAAA;;AAGJ;EACI,eAAA;EACA,WAAA;EACA,QAAA;EACA,SAAA;EACA,kBAAA;EACA,iBAAA;;AANJ,IAQC;EACC,kBAAA;EACA,yBAAA;;AAVF,IAaC;EACC,gBAAA;EACA,iBAAA;EACA,gBAAA;EACA,mBAAA;EACA,UAAA;;AAlBF,IAqBC;EACC,iBAAA;EACA,cAAA;EACA,WAAA;;AAxBF,IA2BC;EACC,kBAAA;EACA,gBAAA;;AAIF,mBAAqC;EACjC;IACI,UAAA;IACA,iBAAA","file":"otp.css"}
\ No newline at end of file
diff --git a/web/views/@default/index/otp.html b/web/views/@default/index/otp.html
new file mode 100644
index 00000000..667c288e
--- /dev/null
+++ b/web/views/@default/index/otp.html
@@ -0,0 +1,55 @@
+<!doctype html>
+<html lang="zh">
+<head>
+    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
+    {$if eq .faviconFileId 0}
+    <link rel="shortcut icon" href="/images/favicon.png"/>
+    {$else}
+    <link rel="shortcut icon" href="/ui/image/{$ .faviconFileId}"/>
+    {$end}
+    <title>登录{$.systemName} - 二次验证</title>
+    <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=0">
+    {$TEA.VUE}
+    {$TEA.SEMANTIC}
+    <script type="text/javascript" src="/js/md5.min.js"></script>
+    <script type="text/javascript" src="/js/utils.js"></script>
+    <script type="text/javascript" src="/js/sweetalert2/dist/sweetalert2.all.min.js"></script>
+    <script type="text/javascript" src="/js/components.js"></script>
+</head>
+<body>
+<div>
+    {$template "/menu"}
+
+    <div class="form-box">
+        <form method="post" class="ui form" data-tea-action="$" data-tea-before="submitBefore"
+              data-tea-done="submitDone" data-tea-success="submitSuccess" autocomplete="off">
+            <input type="hidden" name="sid" :value="sid"/>
+            <input type="hidden" name="remember" :value="remember ? 1 : 0"/>
+            <div class="ui segment stacked">
+                <div class="ui header">
+                    登录{$.systemName}
+                </div>
+                <div class="ui field">
+                    为了保护你的账户安全，需要进行OTP二次身份验证。
+                </div>
+                <div class="ui field">
+                    <div class="ui left icon input">
+                        <i class="ui barcode icon"></i>
+                        <input type="text" name="otpCode" placeholder="请输入OTP动态密码" maxlength="6"/>
+                    </div>
+                </div>
+
+                <button class="ui button primary fluid" type="submit" v-if="!isSubmitting">验证</button>
+                <button class="ui button primary fluid disabled" type="submit" v-if="isSubmitting">验证中...</button>
+
+                <div class="ui field cancel-login">
+                    <a :href="'/?from=' + encodedFrom">&laquo; 取消登录</a>
+                </div>
+            </div>
+        </form>
+    </div>
+
+</div>
+
+</body>
+</html>
\ No newline at end of file
diff --git a/web/views/@default/index/otp.js b/web/views/@default/index/otp.js
new file mode 100644
index 00000000..a975511f
--- /dev/null
+++ b/web/views/@default/index/otp.js
@@ -0,0 +1,31 @@
+Tea.context(function () {
+	this.isSubmitting = false
+
+	this.encodedFrom = window.encodeURIComponent(this.from)
+
+	this.$delay(function () {
+		this.$find("form input[name='otpCode']").focus()
+	});
+
+	// 更多选项
+	this.moreOptionsVisible = false;
+	this.showMoreOptions = function () {
+		this.moreOptionsVisible = !this.moreOptionsVisible;
+	};
+
+	this.submitBefore = function () {
+		this.isSubmitting = true;
+	};
+
+	this.submitDone = function () {
+		this.isSubmitting = false;
+	};
+
+	this.submitSuccess = function (resp) {
+		if (this.from.length == 0) {
+			window.location = "/dashboard";
+		} else {
+			window.location = this.from;
+		}
+	};
+});
\ No newline at end of file
diff --git a/web/views/@default/index/otp.less b/web/views/@default/index/otp.less
new file mode 100644
index 00000000..e09bbfbf
--- /dev/null
+++ b/web/views/@default/index/otp.less
@@ -0,0 +1,47 @@
+.form-box {
+    position: fixed;
+    top: 2em;
+    bottom: 0;
+    left: 0;
+    right: 0;
+}
+
+form {
+    position: fixed;
+    width: 21em;
+    top: 50%;
+    left: 50%;
+    margin-left: -10em;
+    margin-top: -16em;
+
+	.header {
+		text-align: center;
+		font-size: 1em !important;
+	}
+
+	p {
+		font-size: 0.8em;
+		margin-top: 0.3em;
+		margin-bottom: 0;
+		font-weight: normal;
+		padding: 0;
+	}
+
+	.comment {
+		margin-top: 0.5em;
+		padding: 0.5em;
+		color: gray;
+	}
+
+	.cancel-login {
+		text-align: center;
+		padding-top: 1em;
+	}
+}
+
+@media screen and (max-width: 512px) {
+    form {
+        width: 80%;
+        margin-left: -40%;
+    }
+}
\ No newline at end of file