diff --git a/app/controllers/profiles/two_factor_auths_controller.rb b/app/controllers/profiles/two_factor_auths_controller.rb
index 03845f1e1eccd5017d0fd47beac968d75150a48d..f9af0871cf1846601a62056bc69d0b96c7159f51 100644
--- a/app/controllers/profiles/two_factor_auths_controller.rb
+++ b/app/controllers/profiles/two_factor_auths_controller.rb
@@ -29,13 +29,7 @@ class Profiles::TwoFactorAuthsController < Profiles::ApplicationController
   end
 
   def destroy
-    current_user.update_attributes({
-      two_factor_enabled:        false,
-      encrypted_otp_secret:      nil,
-      encrypted_otp_secret_iv:   nil,
-      encrypted_otp_secret_salt: nil,
-      otp_backup_codes:          nil
-    })
+    current_user.disable_two_factor!
 
     redirect_to profile_account_path
   end
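Review bot: `destroy` removes the second factor on a plain DELETE from the signed-in session, with no confirmation of the current password or a current OTP code in the visible body, so anyone holding a live session (an unattended browser, a stolen cookie) can downgrade the account to password-only. Filters declared above the hunk are not visible, so this may already be enforced elsewhere; if not, gate the call, for example `return redirect_to(profile_account_path, alert: 'Password required') unless current_user.valid_password?(params[:current_password])` (parameter name constructed, and assuming the model exposes Devise's `valid_password?`). Recording the change in an audit log or notifying the user by email would make an unwanted disable detectable.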
diff --git a/app/models/user.rb b/app/models/user.rb
index dc84f5141d87896517cb3c4054f0e2651bc3b191..317257a25001057daeca76850df0ec01fcd18ed3 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -322,6 +322,16 @@ class User < ActiveRecord::Base
     @reset_token
   end
 
+  def disable_two_factor!
+    update_attributes(
+      two_factor_enabled:        false,
+      encrypted_otp_secret:      nil,
+      encrypted_otp_secret_iv:   nil,
+      encrypted_otp_secret_salt: nil,
+      otp_backup_codes:          nil
+    )
+  end
+
   def namespace_uniq
     namespace_name = self.username
     existing_namespace = Namespace.by_path(namespace_name)
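Review bot: `disable_two_factor!` carries a bang but is built on `update_attributes`, which returns false on a validation failure instead of raising, so a user record that fails validation for an unrelated reason keeps its OTP secret and backup codes while the caller sees no error. The controller's `destroy` in the first hunk ignores the return value and redirects either way. Use `update_attributes!(...)` here, or have `destroy` branch on the result and show an alert. A short comment above the method, such as `# Turns 2FA off and wipes the OTP secret, its IV and salt, and all backup codes.`, would also tell callers that re-enabling means re-enrolling. The User class body continues outside the hunk.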
diff --git a/spec/controllers/profiles/two_factor_auths_controller_spec.rb b/spec/controllers/profiles/two_factor_auths_controller_spec.rb
index aa09f1a758d4d148681dd4063ff1f76a8bfbfd31..f54706e3aa32056c4ebecf66b45408925b6bc03b 100644
--- a/spec/controllers/profiles/two_factor_auths_controller_spec.rb
+++ b/spec/controllers/profiles/two_factor_auths_controller_spec.rb
@@ -105,19 +105,12 @@ describe Profiles::TwoFactorAuthsController do
   end
 
   describe 'DELETE destroy' do
-    let(:user)   { create(:user, :two_factor) }
-    let!(:codes) { user.generate_otp_backup_codes! }
+    let(:user) { create(:user, :two_factor) }
 
-    it 'clears all 2FA-related fields' do
-      expect(user).to be_two_factor_enabled
-      expect(user.otp_backup_codes).not_to be_nil
-      expect(user.encrypted_otp_secret).not_to be_nil
+    it 'disables two factor' do
+      expect(user).to receive(:disable_two_factor!)
 
       delete :destroy
-
-      expect(user).not_to be_two_factor_enabled
-      expect(user.otp_backup_codes).to be_nil
-      expect(user.encrypted_otp_secret).to be_nil
     end
 
     it 'redirects to profile_account_path' do
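Review bot: With `disable_two_factor!` stubbed by `expect(user).to receive(...)`, no controller-level example exercises the real clearing any more, and the expectation only holds if the controller's `current_user` is the same instance as `user`; the sign-in setup is outside the hunk. `expect(user).to receive(:disable_two_factor!).and_call_original` followed by `expect(user.reload).not_to be_two_factor_enabled` after the request would keep an end-to-end check on this security-sensitive action.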
diff --git a/spec/factories.rb b/spec/factories.rb
index 578a2e4dc6961b5fec91019ee0b6c271530b8fce..05e3211d551ca49f0c2c991ac420448566955d29 100644
--- a/spec/factories.rb
+++ b/spec/factories.rb
@@ -32,6 +32,7 @@ FactoryGirl.define do
       before(:create) do |user|
         user.two_factor_enabled = true
         user.otp_secret = User.generate_otp_secret(32)
+        user.generate_otp_backup_codes!
       end
     end
 
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index 6d2423ae27af87223900b2360971d4ee21afb01e..16902317f10e89852c7b180a8914ed077ddebc11 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -217,6 +217,24 @@ describe User do
     end
   end
 
+  describe '#disable_two_factor!' do
+    it 'clears all 2FA-related fields' do
+      user = create(:user, :two_factor)
+
+      expect(user).to be_two_factor_enabled
+      expect(user.encrypted_otp_secret).not_to be_nil
+      expect(user.otp_backup_codes).not_to be_nil
+
+      user.disable_two_factor!
+
+      expect(user).not_to be_two_factor_enabled
+      expect(user.encrypted_otp_secret).to be_nil
+      expect(user.encrypted_otp_secret_iv).to be_nil
+      expect(user.encrypted_otp_secret_salt).to be_nil
+      expect(user.otp_backup_codes).to be_nil
+    end
+  end
+
   describe 'projects' do
     before do
       @user = create :user
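Review bot: The assertions after `user.disable_two_factor!` read the same in-memory object, and `update_attributes` assigns the attributes before it saves, so this example passes even when the save is rejected and the secret is still in the database. Add `user.reload` after the call, or assert the result with `expect(user.disable_two_factor!).to be_truthy`, so the spec proves the fields were persisted as cleared.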