diff --git a/src/djangooidc/oidc.py b/src/djangooidc/oidc.py
index 1133a8b39..404bc96c2 100644
--- a/src/djangooidc/oidc.py
+++ b/src/djangooidc/oidc.py
@@ -104,8 +104,9 @@ class Client(oic.Client):
 "redirect_uri": self.registration_response["redirect_uris"][0],
 }
 if add_acr:
- request_args["acr_values"] = session.get("acr_value") or self.behaviour.get("acr_value")
- request_args["vtr"] = json.dumps(self.behaviour.get("vtr"))
+ request_args["acr_values"] = self.behaviour.get("acr_value")
+ else:
+ request_args["vtr"] = json.dumps(self.behaviour.get("vtr"))
 if extra_args is not None:
 request_args.update(extra_args)
@@ -228,9 +229,15 @@ class Client(oic.Client):
 if isinstance(info_response, ErrorResponse):
 logger.error("Unable to get user info (%s) for %s" % (info_response.get("error", ""), state))
 raise o_e.AuthenticationFailed(locator=state)
+ info_response_dict = info_response.to_dict()
- logger.debug("user info: %s" % info_response)
- return info_response.to_dict()
+ if "needs_biometric_validation" in session and session["needs_biometric_validation"]:
+ if "vtm" in session:
+ info_response_dict["vtm"] = session.get("vtm")
+ if "vtr" in session:
+ info_response_dict["vtr"] = session.get("vtr")
+ logger.debug("user info: %s" % info_response_dict)
+ return info_response_dict
 def _request_token(self, state, code, session):
 """Request a token from OP to allow us to then request user info."""
diff --git a/src/djangooidc/views.py b/src/djangooidc/views.py
index 05984e938..f817cc4d0 100644
--- a/src/djangooidc/views.py
+++ b/src/djangooidc/views.py
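Review bot: The new `else` branch sends `vtr` on every request where `add_acr` is false, and `json.dumps(self.behaviour.get("vtr"))` turns a missing setting into the literal string `"null"` instead of omitting the parameter. Guard it: `vtr = self.behaviour.get("vtr")` / `if vtr is not None:` / `request_args["vtr"] = json.dumps(vtr)`. Dropping the `session.get("acr_value")` fallback means the session no longer influences the requested acr, which is fine provided no caller still writes that key expecting it to be honoured. `create_authn_request` begins before this hunk.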
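Review bot: The `vtm`/`vtr` values merged into `info_response_dict` are read from the client-side `session`, not from the OP's userinfo or ID token, yet `_requires_step_up_auth` in views.py (the `@@ -151` hunk) treats a non-empty `userinfo.get("vtm")`/`userinfo.get("vtr")` as grounds to skip `User.needs_identity_verification`. If those session keys hold what the client asked for rather than what the OP asserted, the step-up requirement is satisfied by the request itself; the assurance claims should come from the OP response and be compared with the requested level before being written into the dict the caller authenticates with. Where the session keys are populated is not visible here, and `needs_biometric_validation` is not cleared on this path, so the copy would presumably repeat on later callbacks in the same session. Minor: `if session.get("needs_biometric_validation"):` and `session["vtm"]` after the `in` test read cleaner. `callback` begins before this hunk.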
@@ -93,14 +93,15 @@ def login_callback(request):
 userinfo = CLIENT.callback(query, request.session)
 # test for need for identity verification and if it is satisfied
 # if not satisfied, redirect user to login with stepped up acr_value
+ request.session["needs_biometric_validation"] = False
 if _requires_step_up_auth(userinfo):
 # add acr_value to request.session
- if "acr_value" in request.session: request.session.pop("acr_value")
 extra_args = {
 "vtm": CLIENT.get_vtm_value(),
 }
+ request.session["needs_biometric_validation"] = True
 print(f"session is: {request.session}")
 return CLIENT.create_authn_request(request.session, add_acr=False, extra_args=extra_args)
 user = authenticate(request=request, **userinfo)
@@ -151,7 +152,7 @@ def _requires_step_up_auth(userinfo):
 acr_value = userinfo.get("ial", "")
 uuid = userinfo.get("sub", "")
 email = userinfo.get("email", "")
- if acr_value != step_up_acr_value:
+ if acr_value != step_up_acr_value and (not userinfo.get("vtm") and not userinfo.get("vtr")):
 # The acr of this attempt is not at the highest level
 # so check if the user needs the higher level
 return User.needs_identity_verification(email, uuid)
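Review bot: `request.session["needs_biometric_validation"] = True` is written immediately before `print(f"session is: {request.session}")`, so the whole session, including the new flag and whatever verification state it carries, is dumped to stdout on every step-up redirect; remove the `print` or replace it with `logger.debug` naming only the keys needed. The flag is reset to `False` only at the top of this callback, so a session that is redirected to the OP and never returns keeps `True` until the next callback — if that is intended, say so with `# reset per callback; True only while the step-up round-trip is in flight`. `login_callback` begins before this hunk.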
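Review bot: The new condition short-circuits on any truthy `vtm` or `vtr` in `userinfo` without checking that the value is the level actually required, so a lower `vtr` than the one requested would still skip `User.needs_identity_verification`. Compare against the configured requirement instead of testing presence, e.g. `verified = userinfo.get("vtr") == <REQUIRED_VTR>` with the value taken from the client's configured `vtr`, and keep the `acr_value` comparison as the other arm. The parenthesised clause also reads more directly as `not (userinfo.get("vtm") or userinfo.get("vtr"))`. `_requires_step_up_auth` begins before this hunk and its fall-through return is outside it.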