diff --git a/tests/tfa_basic.test b/tests/tfa_basic.test
index 7a751a1..e256678 100644
--- a/tests/tfa_basic.test
+++ b/tests/tfa_basic.test
@@ -178,6 +178,20 @@ class TfaBasicTestCase extends DrupalWebTestCase {
     $this->assertText('My account');
   }
 
+  public function testRequired() {
+    variable_set('tfa_enabled', TRUE);
+    variable_set('tfa_validate_plugin', 'tfa_basic_totp');
+    // New account with the require TFA permission.
+    $account = $this->drupalCreateUser(array('access content'));
+    $edit = array(
+      'name' => $account->name,
+      'pass' => $account->pass_raw,
+    );
+    $this->drupalPost('user/login', $edit, 'Log in');
+    $this->assertNoLink('Log out', 'Not authenticated');
+    $this->assertText($this->uiStrings('required'), 'Required text shows');
+  }
+
   /**
    * TFA module user interface strings.
    *
@@ -218,6 +232,8 @@ class TfaBasicTestCase extends DrupalWebTestCase {
         return 'Enter one of your recovery codes';
       case 'tfa-status-enabled':
         return 'TFA enabled';
+      case 'required':
+        return 'Login disallowed. You are required to set up two-factor authentication.';
     }
   }
 }
diff --git a/tfa_basic.module b/tfa_basic.module
index c3a7ffe..1526441 100644
--- a/tfa_basic.module
+++ b/tfa_basic.module
@@ -5,6 +5,10 @@
  */
 function tfa_basic_permission() {
   return array(
+    'bypass tfa setup' => array(
+      'title' => t('Bypass forced TFA setup'),
+      'description' => t('Enable this permission to allow a user who has not setup TFA to still log in.'),
+    ),
     'setup own tfa' => array(
       'title' => t('Set up TFA for account'),
       'description' => t('Allow users to set up TFA for their account. Users with "administer users" permission can edit other account\'s TFA.'),
@@ -228,6 +232,17 @@ function tfa_basic_tfa_context_alter(&$context) {
 }
 
 /**
+ * Implements hook_tfa_require().
+ */
+function tfa_basic_tfa_require($account) {
+  if (user_access('bypass tfa setup', $account)) {
+    return FALSE;
+  }
+  drupal_set_message(t('Login disallowed. You are required to set up two-factor authentication. Please contact a site administrator.'), 'error');
+  return TRUE;
+}
+
+/**
  * Get mobile number for an account.
  *
  * @param object $account