diff --git a/api/src/services/authentication.ts b/api/src/services/authentication.ts
index 000a31b908aac..70385fdb67d6d 100644
--- a/api/src/services/authentication.ts
+++ b/api/src/services/authentication.ts
@@ -72,7 +72,7 @@ export class AuthenticationService {
 }
 const user = await this.knex
- .select(
+ .select(
 'u.id',
 'u.first_name',
 'u.last_name',
@@ -82,6 +82,7 @@ export class AuthenticationService {
 'u.role',
 'r.admin_access',
 'r.app_access',
+ 'r.enforce_tfa',
 'u.tfa_secret',
 'u.provider',
 'u.external_identifier',
@@ -177,7 +178,10 @@ export class AuthenticationService {
 throw e;
 }
- if (user.tfa_secret && !options?.otp) {
+ const requiresTfa = user.enforce_tfa || user.tfa_secret;
+ const hasTfa = user.tfa_secret && options?.otp;
+
+ if (requiresTfa && !hasTfa) {
 emitStatus('fail');
 await stall(STALL_TIME, timeStart);
 throw new InvalidOtpError();
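Review bot: A user whose role sets `enforce_tfa` but who has not enrolled yet (`tfa_secret` empty) now fails with `InvalidOtpError` on every attempt, because `hasTfa` requires `user.tfa_secret` and no OTP the client supplies can ever satisfy it; if the intent is to block login until a secret exists, that branch deserves either its own error type or a comment such as `// enforce_tfa without a secret: login is intentionally blocked until the user enrolls` so callers can tell "no OTP supplied" apart from "TFA not set up". `hasTfa` is also a misleading name: it only records that a secret exists and an `otp` value was passed, not that the code was verified (presumably done further down, outside the hunk), so `const otpProvided = user.tfa_secret && options?.otp;` reads closer to what it is. Whether `r.enforce_tfa` can be null for a user without a role is not visible here; if it can, the `||` fallback to `tfa_secret` already covers that case. The fail path keeps `emitStatus('fail')` and the `stall(...)` delay, so the timing behaviour of the original check is preserved. The enclosing method continues beyond the hunk.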