diff --git a/app/Http/Controllers/TwoFactorController.php b/app/Http/Controllers/TwoFactorController.php
index 165a530fe636..8b91af098cd0 100644
--- a/app/Http/Controllers/TwoFactorController.php
+++ b/app/Http/Controllers/TwoFactorController.php
@@ -16,9 +16,13 @@ class TwoFactorController extends Controller
         }
         $google2fa = new Google2FA();
-        $secret = $google2fa->generateSecretKey();
-        session(['2fa:secret' => $secret]);
+        if ($secret = session('2fa:secret')) {
+            // do nothing
+        } else {
+            $secret = $google2fa->generateSecretKey();
+            session(['2fa:secret' => $secret]);
+        }
         $qrCode = $google2fa->getQRCodeGoogleUrl(
             APP_NAME,
@@ -37,15 +41,16 @@ class TwoFactorController extends Controller
     public function enableTwoFactor()
     {
         $user = auth()->user();
-        $secret = session()->pull('2fa:secret');
+        $secret = session('2fa:secret');
         $oneTimePassword = request('one_time_password');
         if (! $secret || ! \Google2FA::verifyKey($secret, $oneTimePassword)) {
-            return redirect('settings/enable_two_factor')->withMessage(trans('texts.invalid_one_time_password'));
+            return redirect('settings/enable_two_factor')->withError(trans('texts.invalid_one_time_password'));
         } elseif (! $user->google_2fa_secret && $user->phone && $user->confirmed) {
             $user->google_2fa_secret = Crypt::encrypt($secret);
             $user->save();
+            session()->forget('2fa:secret');
             session()->flash('message', trans('texts.enabled_two_factor'));
         }
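Review bot: The secret reused at the top of this hunk is never expired: now that the second hunk reads `2fa:secret` instead of pulling it and only forgets it on the success path, a secret that was generated and shown as a QR code but never enabled (including the case where `verifyKey` passes but the `elseif` conditions on `google_2fa_secret`, `phone` and `confirmed` fail) stays in the session for its whole lifetime and is re-displayed on every later visit to the enrolment page. Consider also forgetting it when the `elseif` branch is not taken, or storing a timestamp beside it (for example `session(['2fa:secret' => $secret, '2fa:secret_at' => time()])`, a constructed key name) and regenerating here when it is older than the enrolment window. The empty branch with `// do nothing` reads better inverted — `$secret = session('2fa:secret');` followed by `if (! $secret) {` around the two lines that generate and store it — which also avoids the assignment inside the condition. The enclosing method starts before this hunk.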