diff --git a/files/routes/settings.py b/files/routes/settings.py
index 0a2a052193..34f9477cd6 100644
--- a/files/routes/settings.py
+++ b/files/routes/settings.py
@@ -513,7 +513,7 @@ def settings_security_post(v):
 
 		token = request.values.get("2fa_remove")
 
-		if not v.validate_2fa(token):
+		if not token or not v.validate_2fa(token):
 			return render_template("settings/security.html", v=v, error="Invalid token.")
 
 		v.mfa_secret = None