diff --git a/developer_manual/basics/controllers.rst b/developer_manual/basics/controllers.rst index 59cdce03a7e..bac004fca3d 100644 --- a/developer_manual/basics/controllers.rst +++ b/developer_manual/basics/controllers.rst @@ -770,6 +770,7 @@ By default every controller method enforces the maximum security, which is: * Ensure that the user is admin * Ensure that the user is logged in +* Ensure that the user has passed the two-factor challenge, if applicable * Check the CSRF token Most of the time though it makes sense to also allow normal users to access the page and the PageController->index() method should not check the CSRF token because it has not yet been sent to the client and because of that can't work. @@ -777,8 +778,9 @@ Most of the time though it makes sense to also allow normal users to access the To turn off checks the following *Annotations* can be added before the controller: * **@NoAdminRequired**: Also users that are not admins can access the page -* **@NoCSRFRequired**: Don't check the CSRF token (use this wisely since you might create a security hole; to understand what it does see `CSRF in the security section <../prologue/security.html#cross-site-request-forgery>`__) * **@PublicPage**: Everyone can access the page without having to log in +* **@NoTwoFactorRequired**: A user can access the page before the two-factor challenge has been passed (use this wisely and only in two-factor auth apps, e.g. to allow setup during login) +* **@NoCSRFRequired**: Don't check the CSRF token (use this wisely since you might create a security hole; to understand what it does see `CSRF in the security section <../prologue/security.html#cross-site-request-forgery>`__) A controller method that turns off all checks would look like this:
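Review bot: In the first hunk, the qualifier "if applicable" on the new bullet "* Ensure that the user has passed the two-factor challenge, if applicable" leaves the reader guessing when the check runs; spell out the condition the middleware actually evaluates (the user is logged in and has two-factor authentication enabled but has not yet completed the challenge for this session), so the default list reads as a set of concrete checks like the admin, login and CSRF bullets around it. The placement between "logged in" and "CSRF token" is right, since the challenge presupposes an authenticated session, and it is worth saying so explicitly.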
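Review bot: The second hunk adds "* **@NoTwoFactorRequired**" to the annotation list but ends on the unchanged line "A controller method that turns off all checks would look like this:" without touching the example that follows, so that example now contradicts the sentence introducing it: it no longer turns off all checks. Either extend the example with @NoTwoFactorRequired or reword the sentence to say it disables the admin, login and CSRF checks only. The description should also state what the annotation does not do: it relaxes neither the login nor the admin check, and on a **@PublicPage** there is no logged-in user to challenge, so combining the two is redundant. Moving **@NoCSRFRequired** to the end so the list mirrors the order of the default checks in the first hunk is a sensible tidy-up, but since it shows up as a removed and re-added line it deserves a sentence in the commit message so it is not mistaken for a content change.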