diff --git a/CHANGES b/CHANGES
index 838b47d97..00874a4c7 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2021,4 +2021,5 @@
 * Bump max_connection for postgres addon to 200
 * mail: Add pagination to mailing list API
 * Allow admin to lock email and display name of users
+* Allow admin to ensure all users have 2FA setup
 
diff --git a/src/cloudron.js b/src/cloudron.js
index d3046474c..79222198d 100644
--- a/src/cloudron.js
+++ b/src/cloudron.js
@@ -142,7 +142,8 @@ function getConfig(callback) {
             cloudronName: allSettings[settings.CLOUDRON_NAME_KEY],
             footer: allSettings[settings.FOOTER_KEY] || constants.FOOTER,
             features: appstore.getFeatures(),
-            profileLocked: allSettings[settings.DIRECTORY_CONFIG_KEY].lockUserProfiles
+            profileLocked: allSettings[settings.DIRECTORY_CONFIG_KEY].lockUserProfiles,
+            mandatory2FA: allSettings[settings.DIRECTORY_CONFIG_KEY].mandatory2FA
         });
     });
 }
diff --git a/src/routes/settings.js b/src/routes/settings.js
index c72608313..658bfec36 100644
--- a/src/routes/settings.js
+++ b/src/routes/settings.js
@@ -246,6 +246,7 @@ function setDirectoryConfig(req, res, next) {
     assert.strictEqual(typeof req.body, 'object');
 
     if (typeof req.body.lockUserProfiles !== 'boolean') return next(new HttpError(400, 'lockUserProfiles is required'));
+    if (typeof req.body.mandatory2FA !== 'boolean') return next(new HttpError(400, 'mandatory2FA is required'));
 
     settings.setDirectoryConfig(req.body, function (error) {
         if (error) return next(BoxError.toHttpError(error));
diff --git a/src/settings.js b/src/settings.js
index 3500c5b95..d1382d0e4 100644
--- a/src/settings.js
+++ b/src/settings.js
@@ -162,7 +162,8 @@ let gDefaults = (function () {
         provider: 'generic'
     };
     result[exports.DIRECTORY_CONFIG_KEY] = {
-        lockUserProfiles: false
+        lockUserProfiles: false,
+        mandatory2FA: false
     };
 
     result[exports.ADMIN_DOMAIN_KEY] = '';