diff --git a/Application/Controller/Admin/d3user_totp.php b/Application/Controller/Admin/d3user_totp.php
index cfe2230..92f6e86 100644
--- a/Application/Controller/Admin/d3user_totp.php
+++ b/Application/Controller/Admin/d3user_totp.php
@@ -99,6 +99,7 @@ class d3user_totp extends AdminDetailsController
                 $aParams['d3totp__usetotp'] = 1;
                 /** @var d3totp $init */
                 $init = Registry::getSession()->getVariable(d3totp_conf::OTP_SESSION_VARNAME);
+                Assert::that($init)->isInstanceOf(d3totp::class, 'D3_TOTP_INITOBJECT_MISSING');
                 $seed = $init->getSecret();
                 $otp = Registry::getRequest()->getRequestEscapedParameter("otp");