diff --git a/spec/requests/auth/passwords_controller_spec.rb b/spec/requests/auth/passwords_controller_spec.rb
index c84cc850e..4dd4dccdd 100644
--- a/spec/requests/auth/passwords_controller_spec.rb
+++ b/spec/requests/auth/passwords_controller_spec.rb
@@ -130,9 +130,11 @@ RSpec.describe Auth::PasswordsController, type: :request do
  }.to change(admin_user, :encrypted_password)
  end
 
- it "sends you to the 2FA page" do
+ it "sends you to the 2FA page and does not allow bypassing 2FA code" do
  put "/admin/password", headers: headers, params: params
  expect(response).to redirect_to("/admin/two-factor-authentication")
+ get "/admin/case_logs", headers: headers
+ expect(response).to redirect_to("/admin/two-factor-authentication")
  end
 
  it "triggers an SMS" do
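Review bot: The bypass check is folded into the existing redirect example, so if the first `expect` fails the `get "/admin/case_logs"` assertion never runs, and a failure report does not say which guarantee broke. I would move the two added lines into their own example, `it "does not allow bypassing the 2FA code after a password reset" do`, repeating the `put "/admin/password"` call as setup. The check also covers only one GET route; whether other admin routes share the same 2FA guard cannot be seen from this hunk, so a short comment such as `# any authenticated admin route must bounce back to 2FA until the code is entered` would record why `/admin/case_logs` was picked as the representative. The surrounding `describe`/`context` and the definitions of `headers`, `params` and `admin_user` lie outside the hunk.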