diff --git a/src/invidious.cr b/src/invidious.cr
index 259392f6..dbbf67a0 100644
--- a/src/invidious.cr
+++ b/src/invidious.cr
@@ -858,6 +858,11 @@ get "/change_password" do |env|
 user = user.as(User)
 sid = sid.as(String)
+ if user.totp_secret && env.response.cookies["2faVerified"]?.try &.value != "1" || nil
+ csrf_token = generate_response(sid, {":validate_2fa"}, HMAC_KEY, PG_DB)
+ next templated "account/validate_2fa?referer=#{env.get?("current_page")}"
+ end
+
 csrf_token = generate_response(sid, {":change_password"}, HMAC_KEY, PG_DB)
 templated "account/change_password"
diff --git a/src/invidious/routes/accounts.cr b/src/invidious/routes/accounts.cr
index a78c9e84..479d1c46 100644
--- a/src/invidious/routes/accounts.cr
+++ b/src/invidious/routes/accounts.cr
@@ -27,7 +27,7 @@ class Invidious::Routes::Accounts < Invidious::Routes::BaseRoute
 user = env.get? "user"
 sid = env.get? "sid"
- referer = get_referer(env)
+ referer = get_referer(env, unroll: false)
 if !user
 return env.redirect referer
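Review bot: The new 2FA gate in `/change_password` decides on a `2faVerified` cookie and reads it from `env.response.cookies`, which holds what the server is about to send rather than what the browser presented, so the check may never see a verified state (or, if an earlier handler copies request cookies into the response, it trusts a client-supplied flag). A bare `"1"` in a cookie is not evidence that a TOTP code was checked; the verified state would be safer recorded server-side against `sid`. The condition also mixes `&&`, `.try &.value != "1"` and a trailing `|| nil`, so it is hard to tell whether a missing cookie fails closed; something like `if user.totp_secret && env.response.cookies["2faVerified"]?.try(&.value) != "1"` makes the intent explicit. Separately, `templated` is given a view path with a `?referer=` query string, while the existing call below passes a plain view name, which looks like it was meant to be a redirect. The route body begins and ends outside this hunk.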
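Review bot: `unroll: false` is passed to `get_referer` without a comment saying why, and the result goes straight into `env.redirect referer` when no user is logged in. `get_referer` is defined outside this diff, so it is not visible here whether the non-unrolled value is still restricted to a same-site path; that is worth confirming before merge. A short comment above the call, e.g. `# unroll: false: TODO document why; the redirect target must remain a local path`, would record the assumption. The enclosing method starts and ends outside the hunk.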