diff --git a/app/controllers/omniauth_callbacks_controller.rb b/app/controllers/omniauth_callbacks_controller.rb
index f35d631df0cea82e76bf7f824ab52be3c028d79e..619a76ebfd92326658789f6bc579e8427e5cbf38 100644
--- a/app/controllers/omniauth_callbacks_controller.rb
+++ b/app/controllers/omniauth_callbacks_controller.rb
@@ -107,6 +107,7 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
     # Only allow properly saved users to login.
     if @user.persisted? && @user.valid?
       log_audit_event(@user, with: oauth['provider'])
+      prompt_for_two_factor(@user) and return if @user.two_factor_enabled?
       sign_in_and_redirect(@user)
     else
       error_message = @user.errors.full_messages.to_sentence