diff --git a/apps/users/exceptions.py b/apps/users/exceptions.py
new file mode 100644
index 000000000..ff873d3dc
--- /dev/null
+++ b/apps/users/exceptions.py
@@ -0,0 +1,10 @@
+from django.utils.translation import gettext_lazy as _
+from rest_framework import status
+
+from common.exceptions import JMSException
+
+
+class MFANotEnabled(JMSException):
+ status_code = status.HTTP_403_FORBIDDEN
+ default_code = 'mfa_not_enabled'
+ default_detail = _('MFA not enabled')
diff --git a/apps/users/models/user.py b/apps/users/models/user.py
index 1d8590ed0..9cdd49ee7 100644
--- a/apps/users/models/user.py
+++ b/apps/users/models/user.py
@@ -22,6 +22,7 @@ from common.utils import date_expired_default, get_logger, lazyproperty
 from common import fields
 from common.const import choices
 from common.db.models import ChoiceSet
+from users.exceptions import MFANotEnabled
 from ..signals import post_user_change_password
@@ -489,6 +490,9 @@ class MFAMixin:
 return check_otp_code(self.otp_secret_key, code)
 def check_mfa(self, code):
+ if not self.mfa_enabled:
+ raise MFANotEnabled
+
 if settings.OTP_IN_RADIUS:
 return self.check_radius(code)
 else:
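Review bot: The added `from users.exceptions import MFANotEnabled` is an absolute import, while the neighbouring context line in the same hunk uses the package-relative form (`from ..signals import post_user_change_password`). `from ..exceptions import MFANotEnabled` would match the file's style and not depend on how the `users` package is placed on the import path. The new exceptions module imports only Django, DRF and `common.exceptions` in this diff, so no cycle is visible, but it should stay free of model imports now that the model module imports it.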
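Review bot: check_mfa now fails in two different ways, by raising MFANotEnabled (HTTP 403, code `mfa_not_enabled`) or by whatever the code check returns for a wrong code. Its callers are not shown in this diff, so each call site needs to handle the exception deliberately rather than only testing the return value. If any call site can be reached before the password has been verified, the distinct code would tell the caller whether MFA is configured for an account, so a generic failure would be safer there. The guard also runs ahead of the `settings.OTP_IN_RADIUS` branch; confirm `mfa_enabled` is true for users whose second factor exists only in RADIUS, otherwise they will now be rejected. A docstring such as `"""Verify an MFA code; raise MFANotEnabled if the user has no MFA configured."""` would record the new contract; the body of check_mfa continues past the end of the hunk.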