diff --git a/apps/theming/lib/Controller/ThemingController.php b/apps/theming/lib/Controller/ThemingController.php
index af4898c03db3f..ed3dd07a794f8 100644
--- a/apps/theming/lib/Controller/ThemingController.php
+++ b/apps/theming/lib/Controller/ThemingController.php
@@ -16,6 +16,7 @@
 use OCP\AppFramework\Http\Attribute\AuthorizedAdminSetting;
 use OCP\AppFramework\Http\Attribute\BruteForceProtection;
 use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
+use OCP\AppFramework\Http\Attribute\NoTwoFactorRequired;
 use OCP\AppFramework\Http\Attribute\OpenAPI;
 use OCP\AppFramework\Http\Attribute\PublicPage;
 use OCP\AppFramework\Http\ContentSecurityPolicy;
@@ -366,7 +367,6 @@ public function getImage(string $key, bool $useSvg = true) {
 /**
 * @NoSameSiteCookieRequired
- * @NoTwoFactorRequired
 *
 * Get the CSS stylesheet for a theme
 *
@@ -380,6 +380,7 @@ public function getImage(string $key, bool $useSvg = true) {
 */
 #[PublicPage]
 #[NoCSRFRequired]
+ #[NoTwoFactorRequired]
 #[OpenAPI(scope: OpenAPI::SCOPE_DEFAULT)]
 public function getThemeStylesheet(string $themeId, bool $plain = false, bool $withCustomCss = false) {
 $themes = $this->themesService->getThemes();
diff --git a/core/Controller/CSRFTokenController.php b/core/Controller/CSRFTokenController.php
index 4fdd669e144d9..3f7281a7b32c3 100644
--- a/core/Controller/CSRFTokenController.php
+++ b/core/Controller/CSRFTokenController.php
@@ -13,6 +13,7 @@
 use OCP\AppFramework\Http;
 use OCP\AppFramework\Http\Attribute\FrontpageRoute;
 use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
+use OCP\AppFramework\Http\Attribute\NoTwoFactorRequired;
 use OCP\AppFramework\Http\Attribute\OpenAPI;
 use OCP\AppFramework\Http\Attribute\PublicPage;
 use OCP\AppFramework\Http\JSONResponse;
@@ -37,6 +38,7 @@ public function __construct(
 */
 #[PublicPage]
 #[NoCSRFRequired]
+ #[NoTwoFactorRequired]
 #[FrontpageRoute(verb: 'GET', url: '/csrftoken')]
 #[OpenAPI(scope: OpenAPI::SCOPE_DEFAULT)]
 public function index(): JSONResponse {
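Review bot: The `#[NoTwoFactorRequired]` added to `CSRFTokenController::index()` has no matching `@NoTwoFactorRequired` removal in this hunk, unlike the ThemingController and OCJSController sections of the same commit. The docblock opens above the hunk, so it is not visible from here whether the annotation is still present (leaving the exemption declared twice) or was never there, in which case `/csrftoken` becomes reachable before the second factor is completed as a side effect of a refactoring commit. If the new exemption is intended, state it in the commit message and add a docblock line such as `* Exempt from the 2FA gate: <reason>`; if the annotation is still there, drop it in the same change.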
diff --git a/core/Controller/OCJSController.php b/core/Controller/OCJSController.php
index 176558b013d71..6f9d16118081d 100644
--- a/core/Controller/OCJSController.php
+++ b/core/Controller/OCJSController.php
@@ -15,6 +15,7 @@
 use OCP\AppFramework\Http;
 use OCP\AppFramework\Http\Attribute\FrontpageRoute;
 use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
+use OCP\AppFramework\Http\Attribute\NoTwoFactorRequired;
 use OCP\AppFramework\Http\Attribute\OpenAPI;
 use OCP\AppFramework\Http\Attribute\PublicPage;
 use OCP\AppFramework\Http\DataDisplayResponse;
@@ -71,11 +72,9 @@ public function __construct(
 );
 }
- /**
- * @NoTwoFactorRequired
- */
 #[PublicPage]
 #[NoCSRFRequired]
+ #[NoTwoFactorRequired]
 #[FrontpageRoute(verb: 'GET', url: '/core/js/oc.js')]
 public function getConfig(): DataDisplayResponse {
 $data = $this->helper->getConfig();
diff --git a/core/Middleware/TwoFactorMiddleware.php b/core/Middleware/TwoFactorMiddleware.php
index 0dea402f127ab..e1c5267cc888c 100644
--- a/core/Middleware/TwoFactorMiddleware.php
+++ b/core/Middleware/TwoFactorMiddleware.php
@@ -18,6 +18,7 @@
 use OC\User\Session;
 use OCA\TwoFactorNextcloudNotification\Controller\APIController;
 use OCP\AppFramework\Controller;
+use OCP\AppFramework\Http\Attribute\NoTwoFactorRequired;
 use OCP\AppFramework\Http\RedirectResponse;
 use OCP\AppFramework\Middleware;
 use OCP\AppFramework\Utility\IControllerMethodReflector;
@@ -26,6 +27,7 @@
 use OCP\ISession;
 use OCP\IURLGenerator;
 use OCP\IUser;
+use ReflectionMethod;
 class TwoFactorMiddleware extends Middleware {
 public function __construct(
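Review bot: Removing the whole docblock leaves `OCJSController::getConfig()` with no comment at all, although it now carries `#[PublicPage]`, `#[NoCSRFRequired]` and `#[NoTwoFactorRequired]` together. A handler with all three exemptions should keep a short docblock saying what the response contains and why it must be served before login and before the second factor is completed, e.g. `/** Serves the oc.js configuration script; exempt from the 2FA gate because <reason>. */`. What `$this->helper->getConfig()` puts into that response is not visible in this hunk, so the docblock is also the place to record that it was checked for user-specific data.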
@@ -43,7 +45,9 @@ public function __construct(
 * @param string $methodName
 */
 public function beforeController($controller, $methodName) {
- if ($this->reflector->hasAnnotation('NoTwoFactorRequired')) {
+ $reflectionMethod = new ReflectionMethod($controller, $methodName);
+ if ($this->reflector->hasAnnotation('NoTwoFactorRequired')
+ || !empty($reflectionMethod->getAttributes(NoTwoFactorRequired::class))) {
 // Route handler explicitly marked to work without finished 2FA are
 // not blocked
 return;
diff --git a/lib/public/AppFramework/Http/Attribute/NoTwoFactorRequired.php b/lib/public/AppFramework/Http/Attribute/NoTwoFactorRequired.php
new file mode 100644
index 0000000000000..65247b5daaa4d
--- /dev/null
+++ b/lib/public/AppFramework/Http/Attribute/NoTwoFactorRequired.php
@@ -0,0 +1,24 @@
+
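Review bot: `new ReflectionMethod($controller, $methodName)` in `beforeController()` is built on every request, ahead of the cheaper annotation lookup, and it throws `ReflectionException` when `$methodName` is not a method of `$controller`; nothing in the hunk catches that, and whether the dispatcher guarantees the method exists is not visible here. Checking the annotation first and reflecting only as a fallback keeps reflection off the path for annotated routes: `if ($this->reflector->hasAnnotation('NoTwoFactorRequired') || (new ReflectionMethod($controller, $methodName))->getAttributes(NoTwoFactorRequired::class) !== []) {`. Because this branch is what lets a route skip the 2FA gate, a middleware test with one attribute-marked and one unmarked handler would pin both directions; no test change is visible in this part of the diff. The rest of `beforeController()` lies outside the hunk.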