diff --git a/app/controllers/user/sessions_controller.rb b/app/controllers/user/sessions_controller.rb
index 76e1578f..bb72cb2c 100644
--- a/app/controllers/user/sessions_controller.rb
+++ b/app/controllers/user/sessions_controller.rb
@@ -7,7 +7,7 @@ class User::SessionsController < Devise::SessionsController
       self.resource = warden.authenticate!(auth_options)
     end
 
-    if resource.active_for_authentication? && !resource.otp_secret_key.nil?
+    if resource.active_for_authentication? && resource.otp_module_enabled?
       if params[:user][:otp_attempt].blank?
         session[:user_sign_in_uid] = resource.id
         sign_out(resource)
diff --git a/app/controllers/user_controller.rb b/app/controllers/user_controller.rb
index 13f306d2..7f9ce77a 100644
--- a/app/controllers/user_controller.rb
+++ b/app/controllers/user_controller.rb
@@ -185,8 +185,6 @@ class UserController < ApplicationController
 
   def update_2fa
     req_params = params.require(:user).permit(:otp_secret_key, :otp_validation)
-
-    current_user.otp_secret_key = req_params[:otp_secret_key]
 
     if current_user.authenticate_otp(req_params[:otp_validation])
       flash[:success] = 'yay'
diff --git a/app/models/user.rb b/app/models/user.rb
index de4031bd..b1e636d7 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -13,6 +13,7 @@ class User < ApplicationRecord
          :validatable, :confirmable, :authentication_keys => [:login]
   has_one_time_password
+  enum otp_module: { disabled: 0, enabled: 1 }, _prefix: true
   attr_accessor :otp_attempt, :otp_validation
   rolify
diff --git a/db/migrate/20201001172537_add_otp_secret_key_to_users.rb b/db/migrate/20201001172537_add_otp_secret_key_to_users.rb
index 5fd89b8a..5b7ea48d 100644
--- a/db/migrate/20201001172537_add_otp_secret_key_to_users.rb
+++ b/db/migrate/20201001172537_add_otp_secret_key_to_users.rb
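Review bot: The rewritten predicate makes `otp_module_enabled?` the sole gate for the second factor, but the column it reads is created without a default in the migration hunk (`add_column :users, :otp_module, :integer`), so it is NULL on every existing row and the enum declared in the user.rb hunk answers false for all of them. Any account that was challenged under the old `!resource.otp_secret_key.nil?` check therefore signs in with the password alone after this change, and the backfill that seeds a secret for everyone never flips the flag. Declaring the column as `add_column :users, :otp_module, :integer, default: 0, null: false` removes the NULL state, and rows that already hold a secret should be set to enabled in the same migration so that enrolled users stay enforced. The enclosing action starts before and continues past the hunk.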
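Review bot: Dropping the assignment stops the client from choosing its own secret, but `permit(:otp_secret_key, :otp_validation)` still whitelists `otp_secret_key`, so it remains in the permitted hash for any later `update(req_params)`-style call; narrow it to `req_params = params.require(:user).permit(:otp_validation)`. The sessions_controller hunk now challenges only users whose `otp_module` is enabled, and nothing in the visible success branch sets that flag; unless the rest of `update_2fa`, which continues past the hunk, does so, the verified path should call `current_user.otp_module_enabled!` before the flash. As written, `req_params[:otp_secret_key]` is no longer read anywhere in the hunk.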
@@ -1,5 +1,10 @@
 class AddOtpSecretKeyToUsers < ActiveRecord::Migration[5.2]
   def change
     add_column :users, :otp_secret_key, :string
+    add_column :users, :otp_module, :integer
+
+    User.find_each do |user|
+      user.update_attribute(:otp_secret_key, User.otp_random_secret)
+    end
   end
 end
diff --git a/db/schema.rb b/db/schema.rb
index 71c4b9e0..4ad56134 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 2020_10_01_172537) do
+ActiveRecord::Schema.define(version: 2020_10_18_090453) do
 
   # These are extensions that must be enabled in order to support this database
   enable_extension "plpgsql"
@@ -274,6 +274,7 @@ ActiveRecord::Schema.define(version: 2020_10_01_172537) do
     t.boolean "export_processing", default: false, null: false
     t.datetime "export_created_at"
     t.string "otp_secret_key"
+    t.integer "otp_module"
     t.index ["confirmation_token"], name: "index_users_on_confirmation_token", unique: true
     t.index ["email"], name: "index_users_on_email", unique: true
     t.index ["reset_password_token"], name: "index_users_on_reset_password_token", unique: true
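Review bot: These lines are added to a migration that has already been applied wherever the previous schema version was reached (the old `ActiveRecord::Schema.define(version: 2020_10_01_172537)` line in the schema.rb hunk carries this migration's own timestamp), so the new column and the backfill never execute in such an environment; the bump to 2020_10_18_090453 suggests a separate migration is intended, and this code belongs there. In a fresh migration the loop must be restricted to rows that still lack a secret, because `update_attribute` as written would rotate the secret of every user who has already enrolled and break their authenticator. The column should also carry `default: 0, null: false` so `otp_module` is never NULL, and since a data backfill inside `change` cannot be reversed, `up`/`down` is the appropriate shape.
```ruby
# in a new migration: 20201001172537 has already added otp_secret_key
def up
  add_column :users, :otp_module, :integer, default: 0, null: false

  # Accounts that already hold a secret were challenged under the old
  # presence check; keep them enforced and leave their secret untouched.
  User.where.not(otp_secret_key: nil).update_all(otp_module: 1)
  User.where(otp_secret_key: nil).find_each do |user|
    user.update_attribute(:otp_secret_key, User.otp_random_secret)
  end
end

def down
  remove_column :users, :otp_module
end
```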