diff --git a/package-lock.json b/package-lock.json
index 7b9ac61..816bc3e 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "nodewarden",
-  "version": "1.0.0",
+  "version": "1.1.0",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "nodewarden",
-      "version": "1.0.0",
+      "version": "1.1.0",
       "license": "LGPL-3.0",
       "devDependencies": {
         "@cloudflare/workers-types": "^4.20260131.0",
diff --git a/package.json b/package.json
index 79f96b5..213095a 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "nodewarden",
-  "version": "1.0.0",
+  "version": "1.1.0",
   "description": "Minimal Bitwarden-compatible server running on Cloudflare Workers",
   "author": "shuaiplus",
   "license": "LGPL-3.0",
diff --git a/src/handlers/identity.ts b/src/handlers/identity.ts
index 6603c09..a2fa7e3 100644
--- a/src/handlers/identity.ts
+++ b/src/handlers/identity.ts
@@ -113,7 +113,8 @@ export async function handleToken(request: Request, env: Env): Promise<Response>
     // Optional 2FA: enabled only when TOTP_SECRET is configured in Workers env.
     let trustedTwoFactorTokenToReturn: string | undefined;
     if (isTotpEnabled(env.TOTP_SECRET)) {
-      if (twoFactorProvider !== undefined && String(twoFactorProvider) !== '0') {
+      const normalizedTwoFactorProvider = String(twoFactorProvider ?? '').trim();
+      if (normalizedTwoFactorProvider !== '' && normalizedTwoFactorProvider !== '0') {
         return identityErrorResponse('Unsupported two-factor provider', 'invalid_grant', 400);
       }
 
diff --git a/src/services/storage.ts b/src/services/storage.ts
index 8d6e080..828c2ec 100644
--- a/src/services/storage.ts
+++ b/src/services/storage.ts
@@ -122,7 +122,7 @@ export class StorageService {
   // --- Database initialization ---
   // Strategy:
   // - Run only once per isolate.
-  // - Execute idempotent schema SQL on first DB use in each isolate.
+  // - Execute idempotent schema SQL on first request in each isolate.
   // - Keep statements idempotent so updates are safe.
   async initializeDatabase(): Promise<void> {
     if (StorageService.schemaVerified) return;