diff --git a/acl/edit_user.cgi b/acl/edit_user.cgi
index 5aa2fc8c3..2dec8a106 100755
--- a/acl/edit_user.cgi
+++ b/acl/edit_user.cgi
@@ -301,7 +301,8 @@ if ($user{'twofactor_provider'}) {
 		       &webmin::list_twofactor_providers();
 	print &ui_table_row($text{'edit_twofactor'},
 		&text('edit_twofactorprov', "<i>$prov->[1]</i>",
-		      "<tt>$user{'twofactor_id'}</tt>"));
+		      "<tt>$user{'twofactor_id'}</tt>")."<br>\n".
+		&ui_checkbox('cancel', 1, $text{'edit_twofactorcancel'}, 0));
 	}
 
 print &ui_hidden_table_end("security");
diff --git a/acl/index.cgi b/acl/index.cgi
index 0eaf847fe..232aa198e 100755
--- a/acl/index.cgi
+++ b/acl/index.cgi
@@ -289,6 +289,7 @@ return ($config{'select'} ? "" : &ui_checkbox("d", $_[0]->{'name'}, "", 0)).
        ($ro ? "<b>" : "").
        "<a href='$_[1]?$_[2]=".&urlize($_[0]->{'name'})."'>".
 	$_[0]->{'name'}."</a>".
+       ($_[0]->{'twofactor_id'} ? "*" : "").
        ($ro ? "</b>" : "").
        ($lck ? "</i>" : "");
 }
diff --git a/acl/lang/en b/acl/lang/en
index a983c7e24..e09b50b17 100644
--- a/acl/lang/en
+++ b/acl/lang/en
@@ -51,6 +51,7 @@ edit_modules=Modules
 edit_clone=Clone
 edit_twofactor=Two-factor authentication type
 edit_twofactorprov=Using provider $1 with ID $2
+edit_twofactorcancel=Remove two-factor authentication requirement
 edit_lang=Language
 edit_notabs=Categorise modules?
 edit_logout=Inactivity logout time
diff --git a/acl/save_user.cgi b/acl/save_user.cgi
index 7b06e14af..6184e99b8 100755
--- a/acl/save_user.cgi
+++ b/acl/save_user.cgi
@@ -324,6 +324,12 @@ elsif ($in{'lock'} && $user{'pass'} !~ /^\!/ && $in{'pass_def'} <= 1) {
 # Check for force change
 $user{'temppass'} = $in{'temp'};
 
+# Cancel two-factor if requested
+if ($in{'cancel'}) {
+	$user->{'twofactor_provider'} = undef;
+	$user->{'twofactor_id'} = undef;
+	}
+
 if ($in{'old'}) {
 	# update user and all ACLs
 	&modify_user($in{'old'}, \%user);
diff --git a/miniserv.pl b/miniserv.pl
index 51b182b52..b21d3852d 100755
--- a/miniserv.pl
+++ b/miniserv.pl
@@ -5921,6 +5921,9 @@ return $tmp;
 sub validate_twofactor
 {
 my ($user, $token) = @_;
+$token =~ s/^\s+//;
+$token =~ s/\s+$//;
+$token || return "No two-factor token entered";
 my $tf = $twofactor{$user};
 $tf || return undef;
 pipe(TOKENr, TOKENw);
diff --git a/session_login.cgi b/session_login.cgi
index 0b8a23c5c..e1ccec7d5 100755
--- a/session_login.cgi
+++ b/session_login.cgi
@@ -90,7 +90,8 @@ print &ui_table_row($text{'session_pass'},
 # Two-factor token, for users that have it
 if ($miniserv{'twofactor_provider'}) {
 	print &ui_table_row($text{'session_twofactor'},
-		&ui_textbox("twofactor", undef, 20, 0, undef, $tags));
+		&ui_textbox("twofactor", undef, 20, 0, undef,
+			    "autocomplete=off"));
 	}
 
 # Remember session cookie?