diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index d03f9692b..7b48556a7 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -320,5 +320,5 @@ Devise.setup do |config|
   config.remember_otp_session_for_seconds = 1.day # Time before browser has to perform 2fA again. Default is 0.
   config.otp_secret_encryption_key = ENV["OTP_SECRET_ENCRYPTION_KEY"]
   config.second_factor_resource_id = "id" # Field or method name used to set value for 2fA remember cookie
-  config.delete_cookie_on_logout = false # Delete cookie when user signs out, to force 2fA again on login
+  config.delete_cookie_on_logout = true # Delete cookie when user signs out, to force 2fA again on login
 end
diff --git a/spec/features/admin_panel_spec.rb b/spec/features/admin_panel_spec.rb
index d5732ca6f..70226286a 100644
--- a/spec/features/admin_panel_spec.rb
+++ b/spec/features/admin_panel_spec.rb
@@ -72,4 +72,24 @@ RSpec.describe "Admin Panel" do
       expect(page).to have_current_path("/admin/two-factor-authentication")
     end
   end
+
+  context "when logging out and in again" do
+    before do
+      allow(SecureRandom).to receive(:random_number).and_return(otp)
+    end
+
+    it "requires the 2FA code on each login" do
+      visit("/admin")
+      fill_in("admin_user[email]", with: admin.email)
+      fill_in("admin_user[password]", with: admin.password)
+      click_button("Login")
+      fill_in("code", with: otp)
+      click_button("Submit")
+      click_link("Logout")
+      fill_in("admin_user[email]", with: admin.email)
+      fill_in("admin_user[password]", with: admin.password)
+      click_button("Login")
+      expect(page).to have_content("Check your phone")
+    end
+  end
 end
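Review bot: Flipping `delete_cookie_on_logout` to `true` only tells the browser to drop the remember-2FA cookie on an explicit Devise sign-out; nothing in this hunk invalidates the cookie server-side, so a copy captured before logout would presumably still be honoured for the `remember_otp_session_for_seconds = 1.day` window set on the context line above — worth confirming against the gem's cookie implementation. Sessions that end without going through sign-out (idle timeout, closed browser) are not affected by this flag at all, so the comment's "force 2fA again on login" overstates what it guarantees. I would make the comment on the `+` line say so, e.g. `# Expire the 2FA remember cookie on explicit sign-out (client-side only; an already-issued cookie stays valid until remember_otp_session_for_seconds elapses)`, and revisit whether a one-day remember window is still wanted now that logout is meant to force re-verification. The enclosing `Devise.setup` block starts before the hunk.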
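Review bot: The closing expectation only checks for the text "Check your phone", whereas the earlier example in this file pins the same outcome with `expect(page).to have_current_path("/admin/two-factor-authentication")`; asserting the path here too (and, ideally, that a subsequent `visit("/admin")` does not reach the admin dashboard) shows the second login is actually blocked at the 2FA step rather than merely rendering a reminder. Nothing asserts that the first login completed after `click_button("Submit")`; `click_link("Logout")` would raise if it did not, but an explicit expectation such as `expect(page).to have_link("Logout")` makes a failure at that step readable. The `before` stub replaces `SecureRandom.random_number` for the whole example, which is fine for the intent but relies on the app generating the code that way, as the earlier examples presumably already assume. `admin` and `otp` are defined outside the hunk.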