diff --git a/internal/api/token.go b/internal/api/token.go
index cc945f2e13..56a177fe68 100644
--- a/internal/api/token.go
+++ b/internal/api/token.go
@@ -333,13 +333,15 @@ func (a *API) generateAccessToken(r *http.Request, tx *storage.Connection, user
 ExpiresAt: jwt.NewNumericDate(expiresAt),
 Issuer: config.JWT.Issuer,
 },
- Email: user.GetEmail(),
- Phone: user.GetPhone(),
- AppMetaData: user.AppMetaData,
- UserMetaData: user.UserMetaData,
- Role: user.Role,
- SessionId: sid,
- AuthenticatorAssuranceLevel: aal.String(),
+ Email: user.GetEmail(),
+ Phone: user.GetPhone(),
+ AppMetaData: user.AppMetaData,
+ UserMetaData: user.UserMetaData,
+ Role: user.Role,
+ SessionId: sid,
+ AuthenticatorAssuranceLevel: aal.String(),
+ // MFA is enabled if a developer has one at least one verified factor
+ HasVerifiedFactor: user.HasMFAEnabled(),
 AuthenticationMethodReference: amr,
 IsAnonymous: user.IsAnonymous,
 }
diff --git a/internal/hooks/auth_hooks.go b/internal/hooks/auth_hooks.go
index 1b881d36f2..c514692d29 100644
--- a/internal/hooks/auth_hooks.go
+++ b/internal/hooks/auth_hooks.go
@@ -108,6 +108,7 @@ type AccessTokenClaims struct {
 AuthenticatorAssuranceLevel string `json:"aal,omitempty"`
 AuthenticationMethodReference []models.AMREntry `json:"amr,omitempty"`
 SessionId string `json:"session_id,omitempty"`
+ HasVerifiedFactor bool `json:"has_verified_factor"`
 IsAnonymous bool `json:"is_anonymous"`
 }
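Review bot: The comment added above `HasVerifiedFactor` in the token.go hunk is garbled ("has one at least one") and says "developer" although the value comes from `user.HasMFAEnabled()`; it also does not say that the claim is a snapshot taken when the token is issued. Suggest `// HasVerifiedFactor is true when the user has at least one verified MFA factor at issue time; it does not mean this session completed MFA (see aal).` A token minted before a factor is verified or removed keeps the old value until it is refreshed, so authorization decisions that need step-up should keep checking `aal` rather than this flag. Whether `user` has its factors loaded on every path into generateAccessToken is not visible here and is worth confirming, since the function body extends beyond the hunk.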
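Review bot: `HasVerifiedFactor` in AccessTokenClaims (auth_hooks.go hunk) has no doc comment, and next to `aal` the name is easy to misread as a session-level MFA signal; a field comment such as `// HasVerifiedFactor reports user-level MFA enrolment, not the assurance level of this session.` would prevent that. Because the tag has no `omitempty`, every token now carries `has_verified_factor`, including `false`, which matches `is_anonymous` but changes the payload for all consumers. If this struct is also the payload checked for a custom access token hook (the package name suggests so, but that code is outside the hunk), the hook output validation should cover the new claim so a hook cannot drop or alter it unnoticed.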