diff --git a/FirebaseAuth/CHANGELOG.md b/FirebaseAuth/CHANGELOG.md
index ff5e4e717f7..e46496d4db0 100644
--- a/FirebaseAuth/CHANGELOG.md
+++ b/FirebaseAuth/CHANGELOG.md
@@ -7,6 +7,9 @@
 - [removed] **Breaking Change**: Remove deprecated Swift APIs using
   `String`-typed `productID`s that were  in favor of API that leverages the
   `AuthProviderID` enum. Note, this only affects Swift clients.
+- [changed] **Breaking Change**: `TOTPSecret.openInOTPApp(withQRCodeURL:)` is
+  now labeled with `@MainActor` and requires the `await` keyword when called
+  off of the main actor or main thread.
 
 # 11.15.0
 - [fixed] Fixed `Sendable` warnings introduced in the Xcode 26 beta. (#14996)
diff --git a/FirebaseAuth/Sources/Swift/MultiFactor/TOTP/TOTPSecret.swift b/FirebaseAuth/Sources/Swift/MultiFactor/TOTP/TOTPSecret.swift
index 4a05a42be96..9791b974e52 100644
--- a/FirebaseAuth/Sources/Swift/MultiFactor/TOTP/TOTPSecret.swift
+++ b/FirebaseAuth/Sources/Swift/MultiFactor/TOTP/TOTPSecret.swift
@@ -54,7 +54,7 @@ import Foundation
     ///
     /// See more details
     /// [here](https://developer.apple.com/documentation/authenticationservices/securing_logins_with_icloud_keychain_verification_codes)
-    @objc(openInOTPAppWithQRCodeURL:)
+    @MainActor @objc(openInOTPAppWithQRCodeURL:)
     open func openInOTPApp(withQRCodeURL qrCodeURL: String) {
       if GULAppEnvironmentUtil.isAppExtension() {
         // iOS App extensions should not call [UIApplication sharedApplication], even if
diff --git a/FirebaseAuth/Tests/Unit/SwiftAPI.swift b/FirebaseAuth/Tests/Unit/SwiftAPI.swift
index f39f188f9f1..db002ccd599 100644
--- a/FirebaseAuth/Tests/Unit/SwiftAPI.swift
+++ b/FirebaseAuth/Tests/Unit/SwiftAPI.swift
@@ -553,7 +553,7 @@ class AuthAPI_hOnlyTests: XCTestCase {
       let obj = try await TOTPMultiFactorGenerator.generateSecret(with: session)
       _ = obj.sharedSecretKey()
       _ = obj.generateQRCodeURL(withAccountName: "name", issuer: "issuer")
-      obj.openInOTPApp(withQRCodeURL: "url")
+      await obj.openInOTPApp(withQRCodeURL: "url")
     }
 
     func FIRTOTPMultiFactorGenerator_h(session: MultiFactorSession, secret: TOTPSecret) {