diff --git a/app/controllers/twofa_backup_codes_controller.rb b/app/controllers/twofa_backup_codes_controller.rb
index e330fad1b..923b9671b 100644
--- a/app/controllers/twofa_backup_codes_controller.rb
+++ b/app/controllers/twofa_backup_codes_controller.rb
@@ -26,7 +26,7 @@ class TwofaBackupCodesController < ApplicationController
 
   before_action :twofa_setup
 
-  require_sudo_mode :init
+  require_sudo_mode :init, :confirm, :create, :show
 
   def init
     if @twofa.send_code(controller: 'twofa_backup_codes', action: 'create')
diff --git a/app/controllers/twofa_controller.rb b/app/controllers/twofa_controller.rb
index 7049110e7..3023caa9b 100644
--- a/app/controllers/twofa_controller.rb
+++ b/app/controllers/twofa_controller.rb
@@ -27,7 +27,9 @@ class TwofaController < ApplicationController
 
   before_action :require_active_twofa
 
-  require_sudo_mode :activate_init, :deactivate_init
+  require_sudo_mode :select_scheme,
+                    :activate_init, :activate_confirm, :activate,
+                    :deactivate_init, :deactivate_confirm, :deactivate
 
   skip_before_action :check_twofa_activation, only: [:select_scheme, :activate_init, :activate_confirm, :activate]