diff --git a/src/views/profile.js b/src/views/profile.js
index 4ca79ac6c..06bca2c05 100644
--- a/src/views/profile.js
+++ b/src/views/profile.js
@@ -622,5 +622,11 @@ angular.module('Application').controller('ProfileController', ['$scope', '$locat
 if ($location.search().setup2fa) {
 // the form elements of the FormController won't appear in scope yet
 $timeout(function () { $scope.twoFactorAuthentication.showMandatory2FA(); }, 1000);
+ } else {
+ // don't let the user bypass 2FA by removing the 'setup2FA' in the url
+ if (Client.getConfig().mandatory2FA && !Client.getUserInfo().twoFactorAuthenticationEnabled) {
+ $location.path('/profile').search({ setup2fa: true });
+ return;
+ }
 }
 }]);
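Review bot: The new `else` branch is only a client-side guard, so its comment overstates what it does when it says the user cannot bypass 2FA: the check runs in the browser inside `ProfileController`, and a user who can edit the URL can also open another view or call the API directly. Whether the backend refuses sessions without 2FA when `mandatory2FA` is set is not visible in this hunk and should be confirmed; if it does, reword the comment to something like `// UI guard only: reopen the mandatory 2FA setup when the flag is removed from the url; enforcement is server-side`. The branch also assumes `Client.getUserInfo()` is already populated when the controller initialises, and the trailing `return;` is the last statement before the controller closes, so it has no effect as shown. The controller body starts outside the hunk.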