diff --git a/app/controllers/profiles/two_factor_auths_controller.rb b/app/controllers/profiles/two_factor_auths_controller.rb
index 92ba842fac44261b2f6cfd71d14eb8f2cc038648..ac14d5ca75beb55c36715a0caace5889e77f0e8d 100644
--- a/app/controllers/profiles/two_factor_auths_controller.rb
+++ b/app/controllers/profiles/two_factor_auths_controller.rb
@@ -1,16 +1,25 @@
 class Profiles::TwoFactorAuthsController < ApplicationController
   def new
-    issuer = "GitLab | #{current_user.email}"
-    uri = current_user.otp_provisioning_uri(current_user.email, issuer: issuer)
-    @qr_code = RQRCode::render_qrcode(uri, :svg, level: :l, unit: 2)
+    unless current_user.otp_secret
+      current_user.otp_secret = User.generate_otp_secret
+      current_user.save!
+    end
+
+    @qr_code = build_qr_code
   end
 
   def create
-    current_user.otp_required_for_login = true
-    current_user.otp_secret = User.generate_otp_secret
-    current_user.save!
+    if current_user.valid_otp?(params[:pin_code])
+      current_user.otp_required_for_login = true
+      #current_user.otp_secret = User.generate_otp_secret
+      current_user.save!
 
-    redirect_to profile_account_path
+      redirect_to profile_account_path
+    else
+      @error = 'Invalid pin code'
+      @qr_code = build_qr_code
+      render 'new'
+    end
   end
 
   def destroy
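Review bot: `new` renders a QR code for the account's existing secret even when two-factor is already enabled — nothing in the hunk checks `otp_required_for_login` — so any holder of an authenticated session can enrol an additional authenticator on an already-protected account; guard the action with `redirect_to profile_account_path and return if current_user.otp_required_for_login` (the same guard in `create` keeps an enabled account from being re-saved). The commented-out line `#current_user.otp_secret = User.generate_otp_secret` in `create` is dead code now that the secret is generated in `new`; delete it rather than leave it commented. Persisting a freshly generated secret on a GET request means an abandoned visit leaves an unconfirmed secret stored; that is only acceptable because `otp_required_for_login` stays false until `create` verifies a pin, which deserves a comment above the `unless` block. The `destroy` action begins on the hunk's last line and continues outside it.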
@@ -19,4 +28,12 @@ class Profiles::TwoFactorAuthsController < ApplicationController
 
     redirect_to profile_account_path
   end
+
+  private
+
+  def build_qr_code
+    issuer = "GitLab | #{current_user.email}"
+    uri = current_user.otp_provisioning_uri(current_user.email, issuer: issuer)
+    RQRCode::render_qrcode(uri, :svg, level: :m, unit: 3)
+  end
 end
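Review bot: `build_qr_code` has no comment, and it also changes the rendering parameters from the removed `level: :l, unit: 2` to `level: :m, unit: 3` without saying why; add a header such as `# SVG QR code of the current user's OTP provisioning URI (email as account name, "GitLab | <email>" as issuer).` and, if the larger module size and error-correction level were chosen to make the code easier to scan, say so on the `render_qrcode` line. `RQRCode::render_qrcode` uses `::` to call a method; the conventional form is `RQRCode.render_qrcode(uri, :svg, level: :m, unit: 3)`.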
diff --git a/app/views/profiles/accounts/show.html.haml b/app/views/profiles/accounts/show.html.haml
index bbcd3baf61b1c9c43faffbc3f847ba4ba6afe7de..19b0c5bcb41d56c4a4da5ff8cf1ac129b4497f43 100644
--- a/app/views/profiles/accounts/show.html.haml
+++ b/app/views/profiles/accounts/show.html.haml
@@ -30,9 +30,17 @@
     %legend Two-Factor Authentication
     %p
       Keep your account secure by enabling two-factor authentication.
+      %br
       Each time you log in, you鈥檒l be required to provide your password plus a randomly generated access code.
     %div
-      = link_to "Enable 2-Factor Authentication", new_profile_two_factor_auth_path, class: 'btn btn-success'
+      - if current_user.otp_required_for_login
+        %strong.text-success
+          %i.fa.fa-check
+          2-Factor Authentication enabled
+        .pull-right
+          = link_to "Disable 2-Factor Authentication", profile_two_factor_auth_path, method: :delete, class: 'btn btn-close btn-sm'
+      - else
+        = link_to "Enable 2-Factor Authentication", new_profile_two_factor_auth_path, class: 'btn btn-success'
 
   - if show_profile_social_tab?
     %fieldset
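Review bot: The new "Disable 2-Factor Authentication" link submits a DELETE with no confirmation step, and the `destroy` action it targets is only partially visible in this diff (just its trailing `redirect_to profile_account_path` in the controller hunk), so I cannot tell whether it re-verifies the password or current pin before clearing the secret; disabling the second factor is a sensitive operation, so at minimum add `data: { confirm: 'Are you sure you want to disable two-factor authentication?' }` to the `link_to` options and consider requiring re-authentication in the action. `method: :delete` also relies on the UJS script being loaded; without it the link degrades to a plain GET that the route will not match.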
diff --git a/app/views/profiles/two_factor_auths/new.html.haml b/app/views/profiles/two_factor_auths/new.html.haml
index 77329de2e01fa6c56e355a8d2a761075d962e24f..8332fc6b8b862995d273deff2fe182d952983a4e 100644
--- a/app/views/profiles/two_factor_auths/new.html.haml
+++ b/app/views/profiles/two_factor_auths/new.html.haml
@@ -5,7 +5,10 @@
 
 %hr
 
-= form_tag new_profile_two_factor_auth_path, method: :post, class: 'form-horizontal' do |f|
+= form_tag profile_two_factor_auth_path, method: :post, class: 'form-horizontal' do |f|
+  - if @error
+    .alert.alert-danger
+      = @error
   .form-group
     .col-sm-2
     .col-sm-10
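Review bot: `form_tag` does not yield a form builder (that is `form_for`), so the `|f|` block parameter on the changed `form_tag` line is never populated and is unused in the body; drop it: `= form_tag profile_two_factor_auth_path, method: :post, class: 'form-horizontal' do`. The `@error` message is emitted with `=`, which HAML escapes by default under Rails, so rendering the controller-supplied string is fine as written; if the message is ever made user-influenced, keep it that way rather than switching to `!=`.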