diff --git a/class-two-factor-core.php b/class-two-factor-core.php
index 56d6e4bc..4b7c3bcb 100644
--- a/class-two-factor-core.php
+++ b/class-two-factor-core.php
@@ -1349,7 +1349,7 @@ public static function rest_api_can_edit_user_and_update_two_factor_options( $us
 			return new WP_Error( 'revalidation_required', __( 'Two Factor Revalidation required.', 'two-factor' ) );
 		}
 
-		return true;
+		return apply_filters( 'two_factor_rest_api_can_edit_user', true, $user_id );
 	}
 
 	/**
diff --git a/readme.txt b/readme.txt
index 8143c1c4..c61fce32 100644
--- a/readme.txt
+++ b/readme.txt
@@ -30,7 +30,8 @@ Here is a list of action and filter hooks provided by the plugin:
 - `two_factor_user_authenticated` action which receives the logged in `WP_User` object as the first argument for determining the logged in user right after the authentication workflow.
 - `two_factor_email_token_ttl` filter overrides the time interval in seconds that an email token is considered after generation. Accepts the time in seconds as the first argument and the ID of the `WP_User` object being authenticated.
 - `two_factor_email_token_length` filter overrides the default 8 character count for email tokens.
-- `two_factor_backup_code_length` filter overrides the default 8 character count for backup codes. Providers the `WP_User` of the associated user as the second argument.
+- `two_factor_backup_code_length` filter overrides the default 8 character count for backup codes. Provides the `WP_User` of the associated user as the second argument.
+- `two_factor_rest_api_can_edit_user` filter overrides whether a user’s Two-Factor settings can be edited via the REST API. First argument is the current `$can_edit` boolean, the second argument is the user ID.
 
 == Frequently Asked Questions ==