diff --git a/class-two-factor-core.php b/class-two-factor-core.php
index c24f1320..cacf9f9f 100644
--- a/class-two-factor-core.php
+++ b/class-two-factor-core.php
@@ -677,8 +677,9 @@ public static function destroy_current_session_for_user( $user ) {
 }
 
 /**
- * Prevent login through XML-RPC and REST API for users with at least one
- * two-factor method enabled.
+ * Trigget the two-factor workflow only for valid login attempts
+ * with username present. Prevent authentication during API requests
+ * unless explicitly enabled for the user (disabled by default).
 *
 * @param WP_User|WP_Error $user Valid WP_User only if the previous filters
 * have verified and confirmed the
@@ -689,17 +690,16 @@ public static function destroy_current_session_for_user( $user ) {
 * @return WP_User|WP_Error
 */
 public static function filter_authenticate( $user, $username ) {
- // Trigger the two-factor workflow only for login attempts and non-existent user sessions.
- if ( strlen( $username ) && $user instanceof WP_User ) {
+ if ( strlen( $username ) && $user instanceof WP_User && self::is_user_using_two_factor( $user->ID ) ) {
 // Disable authentication requests for API requests for users with two-factor enabled.
- if ( self::is_api_request() && self::is_user_using_two_factor( $user->ID ) && ! self::is_user_api_login_enabled( $user->ID ) ) {
+ if ( self::is_api_request() && ! self::is_user_api_login_enabled( $user->ID ) ) {
 return new WP_Error( 'invalid_application_credentials', __( 'Error: API login for user disabled.', 'two-factor' ) );
 }
- // Trigger the second-factor flow only for login attempts.
+ // Trigger the two-factor flow only for login attempts.
 add_action( 'wp_login', array( __CLASS__, 'wp_login' ), PHP_INT_MAX, 2 );
 }
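Review bot: The rewritten docblock in the added lines drops the qualifier that the API-login block only applies to users with at least one two-factor method enabled, even though the method body still gates everything on `self::is_user_using_two_factor( $user->ID )` (visible in the second hunk), and it also carries a typo, "Trigget". Read on its own, the new text suggests API authentication is refused for every user unless explicitly enabled, which overstates the security guarantee. I would keep the old qualifier and fix the typo: `* Trigger the two-factor workflow only for login attempts with a username present and a user who has at least one two-factor method enabled; for such users, block authentication during API requests unless API login is explicitly enabled for them.` The parenthetical "(disabled by default)" describes the default of `is_user_api_login_enabled`, which is not visible in this diff, so I'd confirm that before asserting it in the docblock.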