diff --git a/docs/content/advanced/config/external-authentication.md b/docs/content/advanced/config/external-authentication.md
index 997637a7..2e2f0d07 100644
--- a/docs/content/advanced/config/external-authentication.md
+++ b/docs/content/advanced/config/external-authentication.md
@@ -33,11 +33,17 @@ If your provider does not support multiple redirect URIs (e.g. GitHub) but allow
 
 ### Auto Register
 
-To automatically register users that log in with an OAuth provider, set the env var `OAUTH_AUTO_REGISTER` to `true`.
+To automatically register users that log in with an OAuth provider, set the following environment variable to `true`:
 
-If a user logs in with an email address that is not yet registered, a new account will be created for them.
+| Env                   | Required | Default | Description              |
+| --------------------- | -------- | ------- | ------------------------ |
+| `OAUTH_AUTO_REGISTER` | ✖️       | `false` | Enable auto-registration |
 
-If a user logs in with an email address that is already registered, their account will be linked to the OAuth provider (if not already linked), regardless of the value of `OAUTH_AUTO_REGISTER`.
+When enabled:
+
+- If a user logs in with an email address that is not yet registered, a new account will be created for them.
+
+- If a user logs in with an email address that is already registered, their account will be linked to the OAuth provider (if not already linked), regardless of the value of `OAUTH_AUTO_REGISTER`.
 
 /// warning | Security
 
@@ -49,7 +55,11 @@ Use [Allowed Domains](#allowed-domains) to restrict which users can log in.
 
 ### Allowed Domains
 
-To only allow users with an email address from a specific domain to log in, set the env var `OAUTH_ALLOWED_DOMAINS` to the allowed domain.
+To only allow users with an email address from a specific domain to log in, set the following environment variable to the allowed domain.
+
+| Env                     | Required | Default | Description           |
+| ----------------------- | -------- | ------- | --------------------- |
+| `OAUTH_ALLOWED_DOMAINS` | ✖️       | -       | Allowed email domains |
 
 You can allow multiple domains by separating them with a comma:
 
@@ -134,3 +144,23 @@ docker run --rm authelia/authelia:latest authelia crypto hash generate pbkdf2 --
 ### Generic OAuth
 
 Not currently supported
+
+### Disable Password Authentication
+
+To disable password-based authentication and only allow login via OAuth providers, set the following environment variable to `true`:
+
+| Env                     | Required | Default | Description                     |
+| ----------------------- | -------- | ------- | ------------------------------- |
+| `DISABLE_PASSWORD_AUTH` | ✖️       | `false` | Disable password authentication |
+
+When enabled:
+
+- Users will not be able to log in with a password
+
+/// warning | Access Recovery
+
+Before disabling password authentication, ensure that at least one OAuth provider is configured and that you have successfully linked an administrator account.
+
+If no login method is available, you will not be able to log in to the application and will need to reset the configuration to regain access.
+
+///
diff --git a/src/app/pages/login.vue b/src/app/pages/login.vue
index d4fda6e3..a938e416 100644
--- a/src/app/pages/login.vue
+++ b/src/app/pages/login.vue
@@ -24,7 +24,10 @@
         />
 
         <!-- Divider -->
-        <div v-if="authMethods.oauthEnabled" class="flex items-center gap-2">
+        <div
+          v-if="authMethods.oauthEnabled && !authMethods.passwordDisabled"
+          class="flex items-center gap-2"
+        >
           <div class="h-px flex-1 bg-gray-300 dark:bg-neutral-600"></div>
           <span class="text-xs text-gray-500 dark:text-neutral-400">
             {{ $t('login.or') }}
@@ -34,7 +37,11 @@
       </div>
 
       <!-- Classic Login Form -->
-      <form class="flex flex-col gap-5" @submit.prevent="submit">
+      <form
+        v-if="!authMethods?.passwordDisabled"
+        class="flex flex-col gap-5"
+        @submit.prevent="submit"
+      >
         <BaseInput
           v-model="username"
           type="text"
@@ -73,13 +80,8 @@
         </label>
 
         <button
-          class="rounded py-2 text-sm text-white shadow transition dark:text-white"
-          :class="{
-            'cursor-pointer bg-red-800 hover:bg-red-700 dark:bg-red-800 dark:hover:bg-red-700':
-              password && username,
-            'cursor-not-allowed bg-gray-200 dark:bg-neutral-800':
-              !password || !username,
-          }"
+          class="rounded bg-red-800 py-2 text-sm text-white shadow transition hover:bg-red-700 disabled:cursor-not-allowed disabled:bg-gray-200 dark:bg-red-800 dark:text-white dark:hover:bg-red-700 disabled:dark:bg-neutral-800"
+          :disabled="!password || !username"
         >
           <IconsLoading
             v-if="authenticating"
diff --git a/src/server/api/auth/methods.get.ts b/src/server/api/auth/methods.get.ts
index 2081aa3a..173aa192 100644
--- a/src/server/api/auth/methods.get.ts
+++ b/src/server/api/auth/methods.get.ts
@@ -12,5 +12,6 @@ export default defineEventHandler(() => {
     ),
     oauthEnabled:
       WG_ENV.OAUTH_PROVIDERS !== undefined && WG_ENV.OAUTH_PROVIDERS.length > 0,
+    passwordDisabled: WG_ENV.DISABLE_PASSWORD_AUTH,
   };
 });
diff --git a/src/server/api/auth/password.post.ts b/src/server/api/auth/password.post.ts
index 07a46021..2e2aabbf 100644
--- a/src/server/api/auth/password.post.ts
+++ b/src/server/api/auth/password.post.ts
@@ -1,6 +1,13 @@
 import { UserLoginSchema } from '#db/repositories/user/types';
 
 export default defineEventHandler(async (event) => {
+  if (WG_ENV.DISABLE_PASSWORD_AUTH) {
+    throw createError({
+      statusCode: 403,
+      statusMessage: 'Password authentication is disabled',
+    });
+  }
+
   const { username, password, remember, totpCode } = await readValidatedBody(
     event,
     validateZod(UserLoginSchema, event)
diff --git a/src/server/utils/config.ts b/src/server/utils/config.ts
index 71392de8..a18b4278 100644
--- a/src/server/utils/config.ts
+++ b/src/server/utils/config.ts
@@ -50,13 +50,17 @@ export const WG_ENV = {
   ),
   /** Automatically register users that log in with an OAuth provider */
   OAUTH_AUTO_REGISTER: process.env.OAUTH_AUTO_REGISTER === 'true',
+  /** Disable password authentication */
+  DISABLE_PASSWORD_AUTH: process.env.DISABLE_PASSWORD_AUTH === 'true',
 };
 
-if (WG_ENV.OAUTH_PROVIDERS && WG_ENV.OAUTH_PROVIDERS.length > 1) {
+if (WG_ENV.OAUTH_PROVIDERS && WG_ENV.OAUTH_PROVIDERS.length > 0) {
   SERVER_DEBUG(`
 Enabled OAuth providers: ${WG_ENV.OAUTH_PROVIDERS.join(', ')}
 Allowed OAuth domains: ${WG_ENV.OAUTH_ALLOWED_DOMAINS?.join(', ') ?? 'All'}
-OAuth auto register: ${WG_ENV.OAUTH_AUTO_REGISTER ? 'Enabled' : 'Disabled'}`);
+OAuth auto register: ${WG_ENV.OAUTH_AUTO_REGISTER ? 'Enabled' : 'Disabled'}
+Password authentication: ${WG_ENV.DISABLE_PASSWORD_AUTH ? 'Disabled' : 'Enabled'}
+`);
 }
 
 export const WG_INITIAL_ENV = {
diff --git a/src/server/utils/oauth.ts b/src/server/utils/oauth.ts
index dddbef26..d334fe00 100644
--- a/src/server/utils/oauth.ts
+++ b/src/server/utils/oauth.ts
@@ -90,7 +90,7 @@ export async function buildOauthConfig(event: H3Event) {
 
   if (!isEnabledProvider(provider)) {
     throw createError({
-      statusCode: 400,
+      statusCode: 403,
       statusMessage: 'Provider is not enabled',
     });
   }