diff --git a/AUTHORS b/AUTHORS
index fa5776e3ef5..648c3aa5221 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -630,6 +630,7 @@
  - zorn-v <zorn7@yandex.ru>
  - zulan <git@zulan.net>
  - Łukasz Buśko <busko.lukasz@pm.me>
+ - Michał Roszak <m.roszakos@gmail.com>
  - Nextcloud GmbH
  - ownCloud GmbH
  - ownCloud, Inc.
diff --git a/lib/composer/composer/autoload_classmap.php b/lib/composer/composer/autoload_classmap.php
index 81096960a06..19db29afd8b 100644
--- a/lib/composer/composer/autoload_classmap.php
+++ b/lib/composer/composer/autoload_classmap.php
@@ -187,6 +187,7 @@ return array(
     'OCP\\Authentication\\TwoFactorAuth\\IProvidesIcons' => $baseDir . '/lib/public/Authentication/TwoFactorAuth/IProvidesIcons.php',
     'OCP\\Authentication\\TwoFactorAuth\\IProvidesPersonalSettings' => $baseDir . '/lib/public/Authentication/TwoFactorAuth/IProvidesPersonalSettings.php',
     'OCP\\Authentication\\TwoFactorAuth\\IRegistry' => $baseDir . '/lib/public/Authentication/TwoFactorAuth/IRegistry.php',
+    'OCP\\Authentication\\TwoFactorAuth\\IStatelessProvider' => $baseDir . '/lib/public/Authentication/TwoFactorAuth/IStatelessProvider.php',
     'OCP\\Authentication\\TwoFactorAuth\\RegistryEvent' => $baseDir . '/lib/public/Authentication/TwoFactorAuth/RegistryEvent.php',
     'OCP\\Authentication\\TwoFactorAuth\\TwoFactorException' => $baseDir . '/lib/public/Authentication/TwoFactorAuth/TwoFactorException.php',
     'OCP\\Authentication\\TwoFactorAuth\\TwoFactorProviderChallengeFailed' => $baseDir . '/lib/public/Authentication/TwoFactorAuth/TwoFactorProviderChallengeFailed.php',
diff --git a/lib/composer/composer/autoload_static.php b/lib/composer/composer/autoload_static.php
index ea3f055999c..cd24a639fe2 100644
--- a/lib/composer/composer/autoload_static.php
+++ b/lib/composer/composer/autoload_static.php
@@ -228,6 +228,7 @@ class ComposerStaticInit749170dad3f5e7f9ca158f5a9f04f6a2
         'OCP\\Authentication\\TwoFactorAuth\\IProvidesIcons' => __DIR__ . '/../../..' . '/lib/public/Authentication/TwoFactorAuth/IProvidesIcons.php',
         'OCP\\Authentication\\TwoFactorAuth\\IProvidesPersonalSettings' => __DIR__ . '/../../..' . '/lib/public/Authentication/TwoFactorAuth/IProvidesPersonalSettings.php',
         'OCP\\Authentication\\TwoFactorAuth\\IRegistry' => __DIR__ . '/../../..' . '/lib/public/Authentication/TwoFactorAuth/IRegistry.php',
+        'OCP\\Authentication\\TwoFactorAuth\\IStatelessProvider' => __DIR__ . '/../../..' . '/lib/public/Authentication/TwoFactorAuth/IStatelessProvider.php',
         'OCP\\Authentication\\TwoFactorAuth\\RegistryEvent' => __DIR__ . '/../../..' . '/lib/public/Authentication/TwoFactorAuth/RegistryEvent.php',
         'OCP\\Authentication\\TwoFactorAuth\\TwoFactorException' => __DIR__ . '/../../..' . '/lib/public/Authentication/TwoFactorAuth/TwoFactorException.php',
         'OCP\\Authentication\\TwoFactorAuth\\TwoFactorProviderChallengeFailed' => __DIR__ . '/../../..' . '/lib/public/Authentication/TwoFactorAuth/TwoFactorProviderChallengeFailed.php',
diff --git a/lib/private/Authentication/TwoFactorAuth/ProviderManager.php b/lib/private/Authentication/TwoFactorAuth/ProviderManager.php
index c69380d4685..085cb2fa762 100644
--- a/lib/private/Authentication/TwoFactorAuth/ProviderManager.php
+++ b/lib/private/Authentication/TwoFactorAuth/ProviderManager.php
@@ -14,6 +14,7 @@ use OCP\Authentication\TwoFactorAuth\IActivatableByAdmin;
 use OCP\Authentication\TwoFactorAuth\IDeactivatableByAdmin;
 use OCP\Authentication\TwoFactorAuth\IProvider;
 use OCP\Authentication\TwoFactorAuth\IRegistry;
+use OCP\Authentication\TwoFactorAuth\IStatelessProvider;
 use OCP\IUser;
 
 class ProviderManager {
@@ -43,7 +44,9 @@ class ProviderManager {
 	public function tryEnableProviderFor(string $providerId, IUser $user): bool {
 		$provider = $this->getProvider($providerId, $user);
 
-		if ($provider instanceof IActivatableByAdmin) {
+		if ($provider instanceof IActivatableByAdmin
+			&& !($provider instanceof IStatelessProvider)
+		) {
 			$provider->enableFor($user);
 			$this->providerRegistry->enableProviderFor($provider, $user);
 			return true;
@@ -62,7 +65,9 @@ class ProviderManager {
 	public function tryDisableProviderFor(string $providerId, IUser $user): bool {
 		$provider = $this->getProvider($providerId, $user);
 
-		if ($provider instanceof IDeactivatableByAdmin) {
+		if ($provider instanceof IDeactivatableByAdmin
+			&& !($provider instanceof IStatelessProvider)
+		) {
 			$provider->disableFor($user);
 			$this->providerRegistry->disableProviderFor($provider, $user);
 			return true;
diff --git a/lib/private/Authentication/TwoFactorAuth/Registry.php b/lib/private/Authentication/TwoFactorAuth/Registry.php
index 6001ce70b33..93d82e3cecc 100644
--- a/lib/private/Authentication/TwoFactorAuth/Registry.php
+++ b/lib/private/Authentication/TwoFactorAuth/Registry.php
@@ -12,6 +12,7 @@ namespace OC\Authentication\TwoFactorAuth;
 use OC\Authentication\TwoFactorAuth\Db\ProviderUserAssignmentDao;
 use OCP\Authentication\TwoFactorAuth\IProvider;
 use OCP\Authentication\TwoFactorAuth\IRegistry;
+use OCP\Authentication\TwoFactorAuth\IStatelessProvider;
 use OCP\Authentication\TwoFactorAuth\RegistryEvent;
 use OCP\Authentication\TwoFactorAuth\TwoFactorProviderDisabled;
 use OCP\Authentication\TwoFactorAuth\TwoFactorProviderForUserRegistered;
@@ -34,6 +35,10 @@ class Registry implements IRegistry {
 
 	#[\Override]
 	public function enableProviderFor(IProvider $provider, IUser $user) {
+		if ($provider instanceof IStatelessProvider) {
+			return;
+		}
+
 		$this->assignmentDao->persist($provider->getId(), $user->getUID(), 1);
 
 		$event = new RegistryEvent($provider, $user);
@@ -43,6 +48,10 @@ class Registry implements IRegistry {
 
 	#[\Override]
 	public function disableProviderFor(IProvider $provider, IUser $user) {
+		if ($provider instanceof IStatelessProvider) {
+			return;
+		}
+
 		$this->assignmentDao->persist($provider->getId(), $user->getUID(), 0);
 
 		$event = new RegistryEvent($provider, $user);
diff --git a/lib/public/Authentication/TwoFactorAuth/IStatelessProvider.php b/lib/public/Authentication/TwoFactorAuth/IStatelessProvider.php
new file mode 100644
index 00000000000..0af28021331
--- /dev/null
+++ b/lib/public/Authentication/TwoFactorAuth/IStatelessProvider.php
@@ -0,0 +1,22 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCP\Authentication\TwoFactorAuth;
+
+use OCP\AppFramework\Attribute\Implementable;
+
+/**
+ * Marks the 2FA provider stateless. That means the state of 2FA activation
+ * for user will be checked dynamically and not stored in the database.
+ *
+ * @since 35.0.0
+ */
+#[Implementable(since: '35.0.0')]
+interface IStatelessProvider extends IProvider {
+}
diff --git a/tests/lib/Authentication/TwoFactorAuth/RegistryTest.php b/tests/lib/Authentication/TwoFactorAuth/RegistryTest.php
index 31b07d1bde2..816b730df10 100644
--- a/tests/lib/Authentication/TwoFactorAuth/RegistryTest.php
+++ b/tests/lib/Authentication/TwoFactorAuth/RegistryTest.php
@@ -13,6 +13,7 @@ use OC\Authentication\TwoFactorAuth\Db\ProviderUserAssignmentDao;
 use OC\Authentication\TwoFactorAuth\Registry;
 use OCP\Authentication\TwoFactorAuth\IProvider;
 use OCP\Authentication\TwoFactorAuth\IRegistry;
+use OCP\Authentication\TwoFactorAuth\IStatelessProvider;
 use OCP\Authentication\TwoFactorAuth\RegistryEvent;
 use OCP\Authentication\TwoFactorAuth\TwoFactorProviderDisabled;
 use OCP\Authentication\TwoFactorAuth\TwoFactorProviderForUserRegistered;
@@ -77,6 +78,18 @@ class RegistryTest extends TestCase {
 		$this->registry->enableProviderFor($provider, $user);
 	}
 
+	public function testEnableStatelessProvider(): void {
+		$user = $this->createMock(IUser::class);
+		$provider = $this->createMock(IStatelessProvider::class);
+
+		$this->dao->expects($this->never())->method('persist');
+
+		$this->dispatcher->expects($this->never())->method('dispatch');
+		$this->dispatcher->expects($this->never())->method('dispatchTyped');
+
+		$this->registry->enableProviderFor($provider, $user);
+	}
+
 	public function testDisableProvider(): void {
 		$user = $this->createMock(IUser::class);
 		$provider = $this->createMock(IProvider::class);
@@ -103,6 +116,18 @@ class RegistryTest extends TestCase {
 		$this->registry->disableProviderFor($provider, $user);
 	}
 
+	public function testDisableStatelessProvider(): void {
+		$user = $this->createMock(IUser::class);
+		$provider = $this->createMock(IStatelessProvider::class);
+
+		$this->dao->expects($this->never())->method('persist');
+
+		$this->dispatcher->expects($this->never())->method('dispatch');
+		$this->dispatcher->expects($this->never())->method('dispatchTyped');
+
+		$this->registry->disableProviderFor($provider, $user);
+	}
+
 	public function testDeleteUserData(): void {
 		$user = $this->createMock(IUser::class);
 		$user->expects($this->once())->method('getUID')->willReturn('user123');