diff --git a/libs/service/auth/login.rs b/libs/service/auth/login.rs
index 81195fe..d3984ae 100644
--- a/libs/service/auth/login.rs
+++ b/libs/service/auth/login.rs
@@ -60,7 +60,7 @@ impl AppService {
 return Err(AppError::InvalidTwoFactorCode);
 }
 }
- } else if !self.auth_2fa_status(&context).await?.is_enabled {
+ } else if !self.auth_2fa_status_by_uid(user.uid).await?.is_enabled {
 let user_uid = user.uid;
 let mut rng = rand::rng();
 let mut sha = sha1::Sha1::default();
diff --git a/libs/service/auth/totp.rs b/libs/service/auth/totp.rs
index 507a265..ec42d67 100644
--- a/libs/service/auth/totp.rs
+++ b/libs/service/auth/totp.rs
@@ -216,12 +216,11 @@ impl AppService {
 Ok(false)
 }
- pub async fn auth_2fa_status(
+ /// Look up 2FA status by explicit user_uid. Used in login flow where session.user is not set yet.
+ pub async fn auth_2fa_status_by_uid(
 &self,
- context: &Session,
+ user_uid: Uuid,
 ) -> Result {
- let user_uid = context.user().ok_or(AppError::Unauthorized)?;
-
 let two_fa = user_2fa::Entity::find_by_id(user_uid).one(&self.db).await?;
 match two_fa {
@@ -242,6 +241,15 @@ impl AppService {
 }
 }
+ /// Look up 2FA status from session context (requires authenticated user).
+ pub async fn auth_2fa_status(
+ &self,
+ context: &Session,
+ ) -> Result {
+ let user_uid = context.user().ok_or(AppError::Unauthorized)?;
+ self.auth_2fa_status_by_uid(user_uid).await
+ }
+
 pub async fn auth_2fa_verify_login(
 &self,
 context: &Session,
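Review bot: The `else if` changed in login.rs has no visible final `else`, so a login for an account with 2FA enabled that does not enter the first branch takes neither arm; the code after the chain is outside the hunk and should be confirmed to reject that case instead of continuing to session creation. The new lookup fails closed, because `?` propagates a database error rather than reading it as "2FA disabled", and a short comment such as `// DB errors must abort login here, never default to "2FA off"` would keep it that way. A regression test that logs in with no session user set would pin the fix, since the old `auth_2fa_status(&context)` call returned `AppError::Unauthorized` on exactly this path. The enclosing function starts and ends outside the hunk, so what the `rand::rng()` / `sha1::Sha1` lines below build cannot be judged from here.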
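Review bot: `auth_2fa_status_by_uid` is `pub` and performs no authorization check, so any caller that can reach `AppService` can read the 2FA state of an arbitrary `Uuid`; the session guard that used to open this function now lives only in the `auth_2fa_status` wrapper added in the next hunk. If nothing outside this crate needs it, narrow the signature to `pub(crate) async fn auth_2fa_status_by_uid(` and state the contract in the doc comment, e.g. `/// Performs no authorization: pass only a uid resolved server-side, never one taken from the request.` In the login path it is worth confirming that this call runs after the password check, since a difference in behaviour before authentication would reveal whether an account has 2FA enabled. The function body continues past the end of this hunk.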