diff --git a/README.md b/README.md
index 86ada057..5951d0f1 100644
--- a/README.md
+++ b/README.md
@@ -2023,6 +2023,10 @@ Allow users with existing accounts to login and auto link their account via the
 
 Comma separated list if oauth providers to disallow access to `internal` projects. Users creating accounts via these providers will have access internal projects. Accepted values are `cas3`, `github`, `bitbucket`, `gitlab`, `google_oauth2`, `facebook`, `twitter`, `saml`, `crowd`, `auth0` and `azure_oauth2`. No default.
 
+##### `OAUTH_ALLOW_BYPASS_TWO_FACTOR`
+
+Specify oauth providers where users can sign in without using two-factor authentication (2FA). You can define this using an array of providers like `["twitter", "google_oauth2"]`. Setting this to `true` or `false` applies to all - allow all or none. Defaults to `false`.
+
 ##### `OAUTH_CAS3_LABEL`
 
 The "Sign in with" button label. Defaults to "cas3".
diff --git a/assets/runtime/config/gitlabhq/gitlab.yml b/assets/runtime/config/gitlabhq/gitlab.yml
index 35d4e4db..226ced2e 100644
--- a/assets/runtime/config/gitlabhq/gitlab.yml
+++ b/assets/runtime/config/gitlabhq/gitlab.yml
@@ -918,7 +918,7 @@ production: &base
     # This option should only be configured for providers which already have two factor.
     # This configration dose not apply to SAML.
     # (default: false)
-    allow_bypass_two_factor: null
+    allow_bypass_two_factor: {{OAUTH_ALLOW_BYPASS_TWO_FACTOR}}
 
     ## Auth providers
     # Uncomment the following lines and fill in the data of the auth provider you want to use
diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults
index fe49d61f..4c0a529f 100644
--- a/assets/runtime/env-defaults
+++ b/assets/runtime/env-defaults
@@ -426,6 +426,7 @@ OAUTH_BLOCK_AUTO_CREATED_USERS=${OAUTH_BLOCK_AUTO_CREATED_USERS:-true}
 OAUTH_AUTO_LINK_LDAP_USER=${OAUTH_AUTO_LINK_LDAP_USER:-false}
 OAUTH_AUTO_LINK_SAML_USER=${OAUTH_AUTO_LINK_SAML_USER:-false}
 OAUTH_EXTERNAL_PROVIDERS=${OAUTH_EXTERNAL_PROVIDERS:-}
+OAUTH_ALLOW_BYPASS_TWO_FACTOR=${OAUTH_ALLOW_BYPASS_TWO_FACTOR:-false}
 
 ### GOOGLE
 OAUTH_GOOGLE_API_KEY=${OAUTH_GOOGLE_API_KEY:-}
diff --git a/assets/runtime/functions b/assets/runtime/functions
index 9deaa2fc..8efd0a23 100644
--- a/assets/runtime/functions
+++ b/assets/runtime/functions
@@ -819,7 +819,8 @@ gitlab_configure_oauth() {
     OAUTH_AUTO_LINK_LDAP_USER \
     OAUTH_AUTO_LINK_SAML_USER \
     OAUTH_AUTO_LINK_USER \
-    OAUTH_EXTERNAL_PROVIDERS
+    OAUTH_EXTERNAL_PROVIDERS \
+    OAUTH_ALLOW_BYPASS_TWO_FACTOR
 
   case ${OAUTH_AUTO_SIGN_IN_WITH_PROVIDER} in
     cas3|google_oauth2|facebook|twitter|github|gitlab|bitbucket|saml|crowd|azure_oauth2|azure_activedirectory_v2|oauth2_generic|$OAUTH2_GENERIC_NAME)
diff --git a/contrib/docker-swarm/docker-compose.yml b/contrib/docker-swarm/docker-compose.yml
index 708e1862..3ae23ee6 100644
--- a/contrib/docker-swarm/docker-compose.yml
+++ b/contrib/docker-swarm/docker-compose.yml
@@ -99,6 +99,7 @@ services:
     - OAUTH_AUTO_LINK_LDAP_USER=false
     - OAUTH_AUTO_LINK_SAML_USER=false
     - OAUTH_EXTERNAL_PROVIDERS=
+    - OAUTH_ALLOW_BYPASS_TWO_FACTOR=false
 
     - OAUTH_CAS3_LABEL=cas3
     - OAUTH_CAS3_SERVER=