Steps to reproduce:

1. Enable user JIT provisioning via LDAP and enforce TOTP 2FA in Zabbix.
2. Set dark theme as the default UI theme.
3. Log in as a domain user who is automatically provisioned via LDAP.
4. On first login, the user is immediately taken to the TOTP enrollment screen.
5. Attempt to scan the displayed QR code using a mobile authenticator app.

Result:

• The QR code is rendered without the required quiet zone (white margin), which violates QR code standards and prevents many scanners from recognizing it.
• The dark UI theme causes the code to blend into the background, especially the alignment markers, since they are rendered in black on near-black.
• The newly provisioned user cannot access UI preferences to change the theme before enrolling in TOTP.
• Most authenticator apps (e.g., Aegis, Google Authenticator, DUO) fail to scan the QR code directly.

Expected:

• The QR code should include a white quiet zone to distinguish the code from the background.
• It should be rendered with high contrast (dark modules on white background), independently of the current UI theme.
• Since newly provisioned LDAP users are forced into 2FA enrollment on first login and cannot change UI settings, the QR code must be scannable without any manual intervention or image editing.