Two Factor Authentication hook or override

Is there a way to override whether two factor authentication happens?
I need to disable 2 factor auth for certain ip address ranges.

This works by default, no override needed. In the User settings you can specify an ip range that works without 2fa.

I didn’t realize it worked that way.
So if I enable 2fa. Those users whose ip addresses match the ip addresses in their “restrict ip” setting will be allowed to login without 2fa.
If they try from another ip they will then be allowed to login if they pass the 2fa portion.

So this means enabling 2fa changes the meaning of “restrict ip”
I have found the setting that controls it in tabUser named bypass_restrict_ip_check_if_2fa_enabled