diff --git a/src/App/Pages/Accounts/TwoFactorPage.xaml.cs b/src/App/Pages/Accounts/TwoFactorPage.xaml.cs
index c999fe259..b2c4cdb15 100644
--- a/src/App/Pages/Accounts/TwoFactorPage.xaml.cs
+++ b/src/App/Pages/Accounts/TwoFactorPage.xaml.cs
@@ -18,7 +18,6 @@ namespace Bit.App.Pages
 private TwoFactorPageViewModel _vm;
 private bool _inited;
- private bool _authingWithSso;
 private string _orgIdentifier;
 public TwoFactorPage(bool? authingWithSso = false, AppOptions appOptions = null, string orgIdentifier = null)
diff --git a/src/App/Pages/Accounts/TwoFactorPageViewModel.cs b/src/App/Pages/Accounts/TwoFactorPageViewModel.cs
index 0d84ec1f3..21d35dddc 100644
--- a/src/App/Pages/Accounts/TwoFactorPageViewModel.cs
+++ b/src/App/Pages/Accounts/TwoFactorPageViewModel.cs
@@ -39,7 +39,6 @@ namespace Bit.App.Pages
 private TwoFactorProviderType? _selectedProviderType;
 private string _totpInstruction;
 private string _webVaultUrl = "https://vault.bitwarden.com";
- private bool _authingWithSso = false;
 private bool _enableContinue = false;
 private bool _showContinue = true;
@@ -144,8 +143,6 @@ namespace Bit.App.Pages
 return;
 }
- _authingWithSso = _authService.AuthingWithSso();
-
 if (!string.IsNullOrWhiteSpace(_environmentService.BaseUrl))
 {
 _webVaultUrl = _environmentService.BaseUrl;
@@ -327,15 +324,7 @@ namespace Bit.App.Pages
 _messagingService.Send("listenYubiKeyOTP", false);
 _broadcasterService.Unsubscribe(nameof(TwoFactorPage));
- if (_authingWithSso && result.ResetMasterPassword)
- {
- StartSetPasswordAction?.Invoke();
- }
- else if (result.ForcePasswordReset)
- {
- UpdateTempPasswordAction?.Invoke();
- }
- else if (decryptOptions?.TrustedDeviceOption != null)
+ if (decryptOptions?.TrustedDeviceOption != null)
 {
 // If user doesn't have a MP, but has reset password permission, they must set a MP
 if (!decryptOptions.HasMasterPassword &&
@@ -356,6 +345,7 @@ namespace Bit.App.Pages
 }
 else
 {
+ _syncService.FullSyncAsync(true).FireAndForget();
 await TwoFactorAuthSuccessAsync();
 }
 }
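Review bot: With the `result.ForcePasswordReset` test removed from in front of `if (decryptOptions?.TrustedDeviceOption != null)`, an account that has a trusted-device option no longer reaches `UpdateTempPasswordAction` at this point; the last hunk adds a `return;` that appears to close this branch before the relocated check. The middle of the branch lies between the hunks and is not visible, so it may already cover this, but if it does not, an administrator-forced password reset is silently skipped on the TDE path. If the deferral is intended, state it at the top of the branch, for example `// ForcePasswordReset is not evaluated here for TDE users; enforced in <component - confirm>`. Otherwise check `result.ForcePasswordReset` inside the branch for users where `decryptOptions.HasMasterPassword` is true.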
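Review bot: The added `_syncService.FullSyncAsync(true).FireAndForget();` starts the sync without awaiting it, so a failure inside it cannot reach the `catch (ApiException e)` visible at the end of the last hunk, and `TwoFactorAuthSuccessAsync()` may run before any synced data is available. The same pair of lines is added again at the end of the last hunk. A short comment would record the intent: `// Sync is best-effort here; a failure must not block completing the 2FA login.` If sync errors should be recorded, hand them to whatever error callback or logger `FireAndForget` supports (its signature is not on this page) rather than dropping them.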
@@ -363,11 +353,26 @@ namespace Bit.App.Pages
 {
 StartDeviceApprovalOptionsAction?.Invoke();
 }
+ return;
 }
- else
+
+ // In the standard, non TDE case, a user must set password if they don't
+ // have one and they aren't using key connector.
+ // Note: TDE & Key connector are mutually exclusive org config options.
+ if (result.ResetMasterPassword || (decryptOptions?.RequireSetPassword ?? false))
 {
- await TwoFactorAuthSuccessAsync();
+ StartSetPasswordAction?.Invoke();
+ return;
 }
+
+ if (result.ForcePasswordReset)
+ {
+ UpdateTempPasswordAction?.Invoke();
+ return;
+ }
+
+ _syncService.FullSyncAsync(true).FireAndForget();
+ await TwoFactorAuthSuccessAsync();
 }
 catch (ApiException e)
 {
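Review bot: The comment above `if (result.ResetMasterPassword || (decryptOptions?.RequireSetPassword ?? false))` says the user must not be using key connector, but nothing in the condition tests that, and the earlier `_authingWithSso &&` guard on `ResetMasterPassword` is gone. As written the client relies entirely on the two server-supplied flags, which is presumably the intent. Make that explicit so a later reader does not assume a client-side check exists, e.g. `// The server is expected to leave both flags unset for key connector users; no client-side check is made here.` The enclosing method and its try block begin outside this hunk.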