diff --git a/web/1.0/index.php b/web/1.0/index.php
index e109e35..ee7ed36 100644
--- a/web/1.0/index.php
+++ b/web/1.0/index.php
@@ -277,6 +277,10 @@ function getKnownDevice($user, &$context) {
 $errorExtraData = '2FA key required.';
 $resp->setHeader('login_error', '2fa_required');
 }
+ } else if (empty($keys) && isset($_SERVER['HTTP_X_2FA_KEY'])) {
+ $errorExtraData = '2FA key provided but not required.';
+ $resp->setHeader('login_error', '2fa_notrequired');
+ $valid = false;
 }
 if ($valid) {
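Review bot: The added `else if` branch sets `login_error: 2fa_notrequired` without looking at `$valid`, so if the primary credential check can already have failed by this point, any caller that sends an `X-2FA-Key` header still learns that the account has no 2FA keys enrolled. The enclosing `if` and the earlier credential checks are outside the hunk, so this is inferred; if `$valid` can be false here, guard the branch as `} else if ($valid && empty($keys) && isset($_SERVER['HTTP_X_2FA_KEY'])) {` so the specific header is returned only after the password has been accepted. The `empty($keys)` test may also be redundant if the preceding `if` already tests `$keys`, and a short comment such as `// Reject a surplus 2FA key so clients cannot assume 2FA was enforced` would record why an unneeded key fails the login.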