diff --git a/packages/backend/src/api/APIError.js b/packages/backend/src/api/APIError.js
index 0ec6ba96..70936559 100644
--- a/packages/backend/src/api/APIError.js
+++ b/packages/backend/src/api/APIError.js
@@ -339,6 +339,10 @@ module.exports = class APIError {
 status: 409,
 message: '2FA is already enabled.',
 },
+ '2fa_not_configured': {
+ status: 409,
+ message: '2FA is not configured.',
+ },
 
 // protected endpoints
 'too_many_requests': {
diff --git a/packages/backend/src/routers/auth/configure-2fa.js b/packages/backend/src/routers/auth/configure-2fa.js
index eda6bb75..995e0e7a 100644
--- a/packages/backend/src/routers/auth/configure-2fa.js
+++ b/packages/backend/src/routers/auth/configure-2fa.js
@@ -88,10 +88,16 @@ module.exports = eggspress('/auth/configure-2fa/:action', {
 const user = await get_user({ id: req.user.id, force: true });
 
+ // Verify that 2FA isn't already enabled
 if ( user.otp_enabled ) {
 throw APIError.create('2fa_already_enabled');
 }
 
+ // Verify that TOTP secret was set (configuration step not skipped)
+ if ( ! user.otp_secret ) {
+ throw APIError.create('2fa_not_configured');
+ }
+
 await db.write(
 `UPDATE user SET otp_enabled = 1 WHERE uuid = ?`,
 [user.uuid]
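Review bot: The new `2fa_not_configured` entry in the APIError table says nothing about when it fires, and nothing in the table distinguishes it as a sequencing error (enable requested before setup) rather than a data error; a short comment above the key, `// 'enable' was requested before a TOTP secret was stored for the user`, would explain why it sits next to `2fa_already_enabled`. Reusing status 409 looks consistent with the neighbouring entry, since both describe a request that conflicts with the account's current 2FA state. The message appears to disclose only the caller's own account state, which is reasonable for an authenticated endpoint.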