diff --git a/djaoapp/settings.py b/djaoapp/settings.py
index 66281ba0..a90330af 100644
--- a/djaoapp/settings.py
+++ b/djaoapp/settings.py
@@ -35,6 +35,7 @@
 DISABLED_USER_UPDATE = False
 
 MULTITIER_SITE_MODEL = None
+AUTHENTICATION_OVERRIDE = None
 RULES_ENC_KEY_OVERRIDE = None
 RULES_ENTRY_POINT_OVERRIDE = None
 REQUESTS_TIMEOUT = 120
diff --git a/djaoapp/thread_locals.py b/djaoapp/thread_locals.py
index 572aa2a7..e24792ce 100644
--- a/djaoapp/thread_locals.py
+++ b/djaoapp/thread_locals.py
@@ -19,9 +19,13 @@
 
 from .compat import reverse
 
-
 LOGGER = logging.getLogger(__name__)
 
+AUTH_ENABLED = 0
+AUTH_LOGIN_ONLY = 1
+AUTH_DISABLED = 2
+
+
 def is_platformed_site():
     #pylint:disable=protected-access
     return not (get_current_broker()._state.db == DEFAULT_DB_ALIAS)
@@ -166,12 +170,17 @@ def get_active_theme():
 
 
 def get_disabled_authentication(request, user):
+    if settings.AUTHENTICATION_OVERRIDE is not None:
+        return (settings.AUTHENTICATION_OVERRIDE == AUTH_DISABLED
+            and not _valid_manager(request, [get_current_broker()]))
     app = get_current_app(request)
     return (app.authentication == app.AUTH_DISABLED
         and not _valid_manager(request, [get_current_broker()]))
 
 
 def get_disabled_registration(request):#pylint:disable=unused-argument
+    if settings.AUTHENTICATION_OVERRIDE is not None:
+        return settings.AUTHENTICATION_OVERRIDE != AUTH_ENABLED
     app = get_current_app(request)
     return app.authentication != app.AUTH_ENABLED
 
diff --git a/etc/site.conf b/etc/site.conf
index 9389d769..fcbd4c4f 100644
--- a/etc/site.conf
+++ b/etc/site.conf
@@ -21,6 +21,7 @@ DB_NAME        = "%(DB_FILENAME)s"
 
 # Overrides the entry_point and encoding key to forward HTTP requests to
 # (initially implemented for livedemo)
+AUTHENTICATION_OVERRIDE = None
 RULES_ENC_KEY_OVERRIDE = ""
 RULES_ENTRY_POINT_OVERRIDE = ""
 REQUESTS_TIMEOUT = 120