2 files changed, 10 insertions, 5 deletions

diff --git a/perllib/Catalyst/Authentication/Credential/2FA.pm b/perllib/Catalyst/Authentication/Credential/2FA.pm
index 3f59ada06..f77f56bea 100644
--- a/perllib/Catalyst/Authentication/Credential/2FA.pm
+++ b/perllib/Catalyst/Authentication/Credential/2FA.pm
@@ -23,7 +23,9 @@ sub authenticate {
     if (ref($user_obj)) {
 
         # We don't care unless user has a 2FA secret, or the cobrand mandates it
-        return $user_obj unless $user_obj->has_2fa || $c->cobrand->call_hook('must_have_2fa', $user_obj);
+        # We also don't care if the cobrand says we don't
+        my $must_have_2fa = $c->cobrand->call_hook('must_have_2fa', $user_obj) || '';
+        return $user_obj if $must_have_2fa eq 'skip' || !($user_obj->has_2fa || $must_have_2fa);
 
         $c->stash->{token} = $c->get_param('token');
 
diff --git a/perllib/FixMyStreet/App/Controller/Auth.pm b/perllib/FixMyStreet/App/Controller/Auth.pm
index 6badbf518..cecfa318c 100644
--- a/perllib/FixMyStreet/App/Controller/Auth.pm
+++ b/perllib/FixMyStreet/App/Controller/Auth.pm
@@ -277,10 +277,13 @@ sub process_login : Private {
         if FixMyStreet->config('SIGNUPS_DISABLED') && !$user->in_storage && !$data->{old_user_id};
 
     # People using 2FA need to supply a code
-    if ($user->has_2fa) {
-        $c->forward( 'token_2fa', [ $user, $url_token ] );
-    } elsif ($c->cobrand->call_hook('must_have_2fa', $user)) {
-        $c->forward( 'signup_2fa', [ $user ] );
+    my $must_have_2fa = $c->cobrand->call_hook('must_have_2fa', $user) || '';
+    if ($must_have_2fa ne 'skip') {
+        if ($user->has_2fa) {
+            $c->forward( 'token_2fa', [ $user, $url_token ] );
+        } elsif ($c->cobrand->call_hook('must_have_2fa', $user)) {
+            $c->forward( 'signup_2fa', [ $user ] );
+        }
     }
 
     if ($data->{old_user_id}) {