diff --git a/backend/app/schemas/auth.py b/backend/app/schemas/auth.py
index a45dba3..41de744 100644
--- a/backend/app/schemas/auth.py
+++ b/backend/app/schemas/auth.py
@@ -32,6 +32,8 @@ def _validate_username(v: str) -> str:
 
 
 class SetupRequest(BaseModel):
+    model_config = ConfigDict(extra="forbid")
+
     username: str
     password: str
 
@@ -69,6 +71,8 @@ class RegisterRequest(BaseModel):
 
 
 class LoginRequest(BaseModel):
+    model_config = ConfigDict(extra="forbid")
+
     username: str
     password: str
 
diff --git a/frontend/src/components/admin/ConfigPage.tsx b/frontend/src/components/admin/ConfigPage.tsx
index 0c1460b..afd00be 100644
--- a/frontend/src/components/admin/ConfigPage.tsx
+++ b/frontend/src/components/admin/ConfigPage.tsx
@@ -16,21 +16,20 @@ import { cn } from '@/lib/utils';
 import { actionColor } from './shared';
 
 const ACTION_TYPES = [
-  'user.create',
-  'user.login',
-  'user.logout',
-  'user.login_failed',
-  'user.locked',
-  'user.unlocked',
-  'user.role_changed',
-  'user.disabled',
-  'user.enabled',
-  'user.password_reset',
-  'user.totp_disabled',
-  'user.mfa_enforced',
-  'user.mfa_enforcement_removed',
-  'user.sessions_revoked',
-  'config.updated',
+  'admin.user_created',
+  'admin.role_changed',
+  'admin.password_reset',
+  'admin.mfa_disabled',
+  'admin.mfa_enforce_toggled',
+  'admin.user_deactivated',
+  'admin.user_activated',
+  'admin.sessions_revoked',
+  'admin.config_updated',
+  'auth.login_success',
+  'auth.login_failed',
+  'auth.setup_complete',
+  'auth.registration',
+  'auth.mfa_enforce_prompted',
 ];
 
 function actionLabel(action: string): string {
diff --git a/frontend/src/components/auth/LockScreen.tsx b/frontend/src/components/auth/LockScreen.tsx
index 1885512..12aaa46 100644
--- a/frontend/src/components/auth/LockScreen.tsx
+++ b/frontend/src/components/auth/LockScreen.tsx
@@ -145,7 +145,7 @@ export default function LockScreen() {
   const handleTotpSubmit = async (e: FormEvent) => {
     e.preventDefault();
     try {
-      await verifyTotp(totpCode);
+      await verifyTotp({ code: totpCode, isBackup: useBackupCode });
     } catch (error) {
       toast.error(getErrorMessage(error, 'Invalid verification code'));
       setTotpCode('');
@@ -257,7 +257,7 @@ export default function LockScreen() {
               onChange={(e) =>
                 setTotpCode(
                   useBackupCode
-                    ? e.target.value.replace(/[^0-9-]/g, '')
+                    ? e.target.value.replace(/[^A-Za-z0-9-]/g, '').toUpperCase()
                     : e.target.value.replace(/\D/g, '')
                 )
               }
diff --git a/frontend/src/hooks/useAuth.ts b/frontend/src/hooks/useAuth.ts
index 239fe2f..098d268 100644
--- a/frontend/src/hooks/useAuth.ts
+++ b/frontend/src/hooks/useAuth.ts
@@ -57,11 +57,14 @@ export function useAuth() {
   });
 
   const totpVerifyMutation = useMutation({
-    mutationFn: async (code: string) => {
-      const { data } = await api.post('/auth/totp-verify', {
-        mfa_token: mfaToken,
-        code,
-      });
+    mutationFn: async ({ code, isBackup }: { code: string; isBackup: boolean }) => {
+      const payload: Record<string, string> = { mfa_token: mfaToken! };
+      if (isBackup) {
+        payload.backup_code = code;
+      } else {
+        payload.code = code;
+      }
+      const { data } = await api.post('/auth/totp-verify', payload);
       return data;
     },
     onSuccess: () => {