diff --git a/app/controllers/my_controller.rb b/app/controllers/my_controller.rb
index 9083b1317..e74274a77 100644
--- a/app/controllers/my_controller.rb
+++ b/app/controllers/my_controller.rb
@@ -21,7 +21,7 @@ class MyController < ApplicationController
 self.main_menu = false
 before_action :require_login
 # let user change user's password when user has to
- skip_before_action :check_password_change, :only => :password
+ skip_before_action :check_password_change, :check_twofa_activation, :only => :password
 accept_api_auth :account
diff --git a/test/integration/twofa_test.rb b/test/integration/twofa_test.rb
index e086d683e..4e26907c4 100644
--- a/test/integration/twofa_test.rb
+++ b/test/integration/twofa_test.rb
@@ -30,6 +30,17 @@ class TwofaTest < Redmine::IntegrationTest
 end
 end
+ test 'should require to change password first when must_change_passwd is true' do
+ User.find_by(login: 'jsmith').update_attribute(:must_change_passwd, true)
+ with_settings twofa: '2' do
+ log_user('jsmith', 'jsmith')
+ follow_redirect!
+ assert_redirected_to '/my/password'
+ follow_redirect!
+ assert_response :success
+ end
+ end
+
 test "should generate and accept backup codes" do
 log_user('jsmith', 'jsmith')
 get "/my/account"
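Review bot: In app/controllers/my_controller.rb the comment above the changed `skip_before_action` line still describes only the forced password change, while the line now also exempts the `password` action from `check_twofa_activation`. The exemption is unconditional for that action, so an account that has not yet activated two-factor authentication can reach the password form even when `must_change_passwd` is false. Whether that matters depends on what the action itself verifies, which is outside this hunk. I would record the intent next to the line, for example `# also skip the 2FA activation check here, presumably so a forced password change is not blocked by the activation redirect`, and confirm that the wider exemption is intended.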
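Review bot: The new test in test/integration/twofa_test.rb stops once `/my/password` renders successfully, so it does not show that two-factor activation is still enforced after the password has been changed. Because the controller change exempts the password action from `check_twofa_activation`, the step worth pinning is the next one: submit a new password inside the same `with_settings twofa: '2'` block and assert that the following redirect leads to the 2FA activation page rather than into the application. If it is not already covered elsewhere in this file, a companion case with `must_change_passwd` left false would confirm that such a user is still sent to activation first.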