diff --git a/application/controllers/AuthenticationController.php b/application/controllers/AuthenticationController.php
index 752f8453c..a8b88b803 100644
--- a/application/controllers/AuthenticationController.php
+++ b/application/controllers/AuthenticationController.php
@@ -91,8 +91,13 @@ class AuthenticationController extends Controller
 ->sendResponse();
 exit;
 }
+ // FORM DOES NOT REDIRECT, IF USER HAS 2FA ENABLED and token hasn't been challenged
 $form->handleRequest();
 }
+// if ($user->has2FA() && irgendwas_mit_session()) {
+// // 2 FA form erstellen und zeigen und handeln
+ // in der session speichern ob der token gepasst hat
+// }
 $this->view->form = $form;
 $this->view->defaultTitle = $this->translate('Icinga Web 2 Login');
 $this->view->requiresSetup = $requiresSetup;
diff --git a/application/forms/Authentication/LoginForm.php b/application/forms/Authentication/LoginForm.php
index 87b32ab3c..b27c5c799 100644
--- a/application/forms/Authentication/LoginForm.php
+++ b/application/forms/Authentication/LoginForm.php
@@ -161,6 +161,18 @@ class LoginForm extends Form
 // Call provided AuthenticationHook(s) after successful login
 AuthenticationHook::triggerLogin($user);
+
+ // If user has 2FA enabled and the token hasn't been validated, redirect to login again, so that
+ // the token is challenged.
+ $redirect = $this->getElement('redirect');
+ $old = $redirect->getValue();
+ $new = [];
+ if ($old) {
+ $new['redirect'] = $old;
+ }
+ $redirect->setValue(Url::fromPath('authentication/login', $new)->getRelativeUrl());
+ return true;
+
 $this->getResponse()->setRerenderLayout(true);
 return true;
 }
diff --git a/library/Icinga/Authentication/Auth.php b/library/Icinga/Authentication/Auth.php
index f358eac37..5b30a03e8 100644
--- a/library/Icinga/Authentication/Auth.php
+++ b/library/Icinga/Authentication/Auth.php
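Review bot: The four commented-out lines after `$form->handleRequest()` (`+// if ($user->has2FA() && irgendwas_mit_session()) {` through `+// }`) are German placeholder pseudo-code sitting at column 0 inside the action and should not land as-is; replace them with one English TODO or drop them. Suggested replacement: `// TODO(2fa): if the user has 2FA enabled and the session does not yet record a verified token, build, render and handle the token form here and store the verification result in the session.` The all-caps reminder added above `$form->handleRequest()` reads better as `// NOTE: the form does not redirect while the user's second factor is still unchallenged`. Whether the second-factor decision should be made in this controller at all, rather than inside Auth::isAuthenticated() which this same change stubs out, is worth settling before the TODO is implemented. The enclosing action method starts before this hunk.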
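Review bot: The new block after `AuthenticationHook::triggerLogin($user)` is unconditional even though its comment says "If user has 2FA enabled": every successful login now has its redirect target rewritten to `authentication/login` and returns early, so the existing `$this->getResponse()->setRerenderLayout(true); return true;` two lines below is unreachable dead code. Wrap the redirect rewrite in the 2FA condition (the predicate does not exist yet; the controller hunk sketches it as `$user->has2FA()`), drop the early `return true;` inside it, and let the original two lines run for users without a second factor. Also, if the session is marked authenticated before this point (the start of onSuccess() is outside the hunk), bouncing the browser back to the login form does not enforce the second factor, because any other URL would already be served to a fully authenticated session; the "token pending" state needs to be recorded server-side before `triggerLogin()` fires, and the hook arguably should not fire until the token passes. The nested `redirect` value is user-controlled and is only re-wrapped here, so whatever validation the login action applies to the `redirect` parameter today must still run when it is unwrapped.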
@@ -87,6 +87,9 @@ class Auth
 */
 public function isAuthenticated()
 {
+ // return false just for testing. isAuthenticated must return false if the user is authentiacted but has 2FA enabled and the token hasn't been challenged yet.
+ return false;
+
 if ($this->user !== null) {
 return true;
 }
@@ -94,6 +97,9 @@ class Auth
 if ($this->user === null && ! $this->authExternal()) {
 return false;
 }
+
+ // real 2fa check from above must happen here
+
 return true;
 }
@@ -129,6 +135,7 @@ class Auth
 $this->persistCurrentUser();
 }
+ // don't log if 2fa hasn't been challenged yet
 AuditHook::logActivity('login', 'User logged in');
 }
@@ -449,5 +456,7 @@ class Auth
 // Load the user's roles
 $admissionLoader = new AdmissionLoader();
 $admissionLoader->applyRoles($user);
+
+ // Set 2FA status from the user preferences in the user obect
 }
 }
diff --git a/library/Icinga/User/Preferences/PreferencesStore.php b/library/Icinga/User/Preferences/PreferencesStore.php
index 8ecc677c9..eea137704 100644
--- a/library/Icinga/User/Preferences/PreferencesStore.php
+++ b/library/Icinga/User/Preferences/PreferencesStore.php
@@ -282,8 +282,9 @@ class PreferencesStore
 }
 } catch (Exception $e) {
 throw new NotWritableError(
- 'Cannot update preferences for user %s in database',
+ 'Cannot update preferences for user %s in database: %s',
 $this->getUser()->getUsername(),
+ $e->getMessage(),
 $e
 );
 }
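Review bot: The unconditional `return false;` at the top of isAuthenticated() makes the rest of the method unreachable and reports every user as unauthenticated; it is labelled "just for testing" and must not be merged. If the intent is to gate on a pending second factor, the check belongs where the second hunk's `// real 2fa check from above must happen here` marker sits, after the session and external lookups have populated `$this->user`, and the flag it consults has to come from server-side session state written when the token was verified, never from anything in the request. Placing it after `authExternal()` also appears to subject externally authenticated users to the check, which may or may not be intended and deserves an explicit decision. The comment also has a typo: `authentiacted` should be `authenticated`.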
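Review bot: The reminder `// don't log if 2fa hasn't been challenged yet` above `AuditHook::logActivity('login', ...)` would remove the audit record for a password-only success that never completes the second factor, which is precisely the event an investigator wants to see; prefer keeping an audit entry here (for example `AuditHook::logActivity('login', 'User passed first factor, second factor pending');`) and emitting the final `'login'` event when the token is verified. `$this->persistCurrentUser()` two lines above already writes the user to the session before any token is checked (the method's start is outside the hunk), so whatever marks the second factor as pending must be persisted with it, otherwise the stored session is indistinguishable from a fully authenticated one.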
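Review bot: The placeholder `// Set 2FA status from the user preferences in the user obect` (typo: `object`) points at keeping the second-factor enrollment in the general preferences store, which is the same store the PreferencesStore change in this diff writes to; if that store is reachable through the normal preferences form, a logged-in session could switch 2FA off, or swap the secret, without presenting the current token. Keep the enrollment flag and secret out of the user-editable preference set, require a fresh password plus token to change them, and never echo the secret back through the preferences UI. Suggested wording: `// TODO(2fa): populate the user's second-factor status on $user from a store that is not editable via the preferences form`. The enclosing method starts before this hunk.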
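Review bot: Appending `$e->getMessage()` to the NotWritableError message copies the raw driver error text into an exception that, as far as I can tell from Icinga Web 2's default error handling, is rendered to the browser; that text can include SQL fragments, table names or connection details. `$e` is already passed as the previous exception on the next line, so the detail is retained for logs and debug output without it; either keep the user-facing message as `'Cannot update preferences for user %s in database'` or send `$e->getMessage()` to the logger only. The enclosing method starts and ends outside the hunk.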