diff --git a/app/controllers/users/sessions_controller.rb b/app/controllers/users/sessions_controller.rb
index 89a6016dae6..33578cb0079 100644
--- a/app/controllers/users/sessions_controller.rb
+++ b/app/controllers/users/sessions_controller.rb
@@ -3,7 +3,9 @@ class SessionsController < Devise::SessionsController
 include ::ActionView::Helpers::DateHelper
 skip_before_action :session_expires_at, only: [:active]
+ skip_before_action :require_no_authentication, only: [:new]
 before_action :confirm_two_factor_authenticated, only: [:update]
+ before_action :check_user_needs_redirect, only: [:new]
 def new
 analytics.track_event(Analytics::SIGN_IN_PAGE_VISIT)
@@ -41,6 +43,14 @@ def timeout
 private
+ def check_user_needs_redirect
+ if user_fully_authenticated?
+ redirect_to after_sign_in_path_for(current_user)
+ elsif current_user
+ sign_out
+ end
+ end
+
 def now
 @_now ||= Time.zone.now
 end
diff --git a/spec/controllers/users/sessions_controller_spec.rb b/spec/controllers/users/sessions_controller_spec.rb
index 59fdca9ddbd..8832dfed000 100644
--- a/spec/controllers/users/sessions_controller_spec.rb
+++ b/spec/controllers/users/sessions_controller_spec.rb
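Review bot: The added `skip_before_action :require_no_authentication, only: [:new]` replaces a Devise filter without saying why, and the reason is not visible from the declarations alone: as far as I recall, Devise's filter redirects any user Warden can authenticate, including one who has passed the password step but not 2FA, whereas this controller wants that user signed out instead. A one-line comment above the skip would save the next reader a trip into Devise, e.g. `# Devise would bounce any authenticated user away from the sign-in page; a user who is mid-2FA must instead be signed out (see check_user_needs_redirect).` The skip is limited to `new`, so `create` still runs Devise's check, which is the right scoping. The class definition starts before this hunk.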
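Review bot: `sign_out` in the `elsif` branch of `check_user_needs_redirect` ends a pending (pre-2FA) session as a side effect of a plain GET to the sign-in page, which neither the method name nor a comment conveys, and the filter chain then falls through to `new` on the same request. Devise's scope-less `sign_out` signs out every Warden scope and, as far as I recall, clears the whole Rack session rather than only the user key, so anything else the session holds for this request (for instance whatever `session_expires_at` tracks) goes with it; if that is intended, say so, otherwise pass the resource scope explicitly. Suggested comment above the method: `# A user who entered a password but has not completed 2FA is signed out here so that revisiting the sign-in page never leaves a half-authenticated session behind; a fully authenticated user is sent on to their post-sign-in page.`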
@@ -271,12 +271,41 @@ end
 describe '#new' do
- it 'tracks page visit' do
- stub_analytics
+ context 'with fully authenticated user' do
+ it 'redirects to the profile page' do
+ stub_sign_in
+ subject.session[:logged_in] = true
+ get :new
+
+ expect(response).to redirect_to profile_path
+ expect(subject.session[:logged_in]).to be true
+ end
+ end
- expect(@analytics).to receive(:track_event).with(Analytics::SIGN_IN_PAGE_VISIT)
+ context 'with current user' do
+ it 'logs the user out' do
+ stub_sign_in_before_2fa
+ subject.session[:logged_in] = true
+ get :new
- get :new
+ expect(request.path).to eq root_path
+ expect(subject.session[:logged_in]).to be_nil
+ end
+ end
+
+ context 'with a new user' do
+ it 'renders the new template' do
+ get :new
+ expect(response).to render_template(:new)
+ end
+
+ it 'tracks page visit' do
+ stub_analytics
+
+ expect(@analytics).to receive(:track_event).with(Analytics::SIGN_IN_PAGE_VISIT)
+
+ get :new
+ end
 end
 end
 end
diff --git a/spec/features/two_factor_authentication/sign_in_spec.rb b/spec/features/two_factor_authentication/sign_in_spec.rb
index 833e43ea489..c70cfc1594d 100644
--- a/spec/features/two_factor_authentication/sign_in_spec.rb
+++ b/spec/features/two_factor_authentication/sign_in_spec.rb
@@ -235,4 +235,13 @@
 expect(current_path).to eq profile_path
 end
 end
+
+ describe 'clicking the logo image during 2fa process' do
+ it 'returns them to the home page' do
+ user = build_stubbed(:user, :signed_up)
+ sign_in_user(user)
+ find("img[alt='login.gov']").click
+ expect(current_path).to eq root_path
+ end
+ end
 end
diff --git a/spec/support/controller_helper.rb b/spec/support/controller_helper.rb
index 94547eec9a0..098d33b2d4d 100644
--- a/spec/support/controller_helper.rb
+++ b/spec/support/controller_helper.rb
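Review bot: The 'with current user' example asserts `expect(request.path).to eq root_path`, but `request.path` is the path of the request the spec itself just issued, so if the sign-in page is routed at root this passes regardless of what the action did; it does not show that the signed-out user was shown the sign-in page. Asserting on the response instead, `expect(response).to render_template(:new)` as the 'with a new user' context already does, alongside the existing `session[:logged_in]` check, would pin the behavior the controller change is meant to guarantee. The 'with fully authenticated user' example would similarly benefit from asserting `response` status rather than only the redirect target, but that is a lesser point.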
@@ -33,6 +33,7 @@ def stub_sign_in(user = build(:user, password: VALID_PASSWORD))
 allow(controller).to receive(:user_session).and_return(authn_at: Time.zone.now)
 allow(controller).to receive(:current_user).and_return(user)
 allow(controller).to receive(:confirm_two_factor_authenticated).and_return(true)
+ allow(controller).to receive(:user_fully_authenticated?).and_return(true)
 user
 end
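Review bot: Stubbing `user_fully_authenticated?` to `true` inside `stub_sign_in` means every controller spec built on this helper now bypasses the real predicate, so a regression in `user_fully_authenticated?` itself would surface only in feature specs; that is acceptable if the predicate has its own unit coverage, but worth confirming before relying on it for the new redirect filter. A short note on the added line would tell future readers which code path depends on it, e.g. `# required by SessionsController#check_user_needs_redirect`. The `def stub_sign_in` line is outside this hunk and appears only as the hunk's header context.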