diff --git a/CHANGES b/CHANGES
index 756ee5cf9..fec1eee8f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1634,4 +1634,5 @@
 [4.1.5]
 * Make the terminal addon button inject variables based on manifest version
 * Preserve addon passwords correctly when using v2 manifest
+* Show error message instead of logging out user when invalid 2FA token is provided
diff --git a/src/routes/profile.js b/src/routes/profile.js
index d3619e5cd..cd4eb273b 100644
--- a/src/routes/profile.js
+++ b/src/routes/profile.js
@@ -85,7 +85,7 @@ function enableTwoFactorAuthentication(req, res, next) {
 users.enableTwoFactorAuthentication(req.user.id, req.body.totpToken, function (error) {
 if (error && error.reason === UsersError.NOT_FOUND) return next(new HttpError(404, 'User not found'));
- if (error && error.reason === UsersError.BAD_TOKEN) return next(new HttpError(403, 'Invalid token'));
+ if (error && error.reason === UsersError.BAD_TOKEN) return next(new HttpError(412, 'Invalid token'));
 if (error && error.reason === UsersError.ALREADY_EXISTS) return next(new HttpError(409, 'TwoFactor Authentication is already enabled'));
 if (error) return next(new HttpError(500, error));
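Review bot: The new `HttpError(412, 'Invalid token')` line in `enableTwoFactorAuthentication` carries no explanation of why a rejected TOTP code maps to 412, a status HTTP defines for failed conditional-request headers such as `If-Match`. Judging by the CHANGES entry, the reason is that the client treats 403 as a lost session and logs the user out (inferred; the client code is not in this diff), so a later cleanup could turn this back into 401/403 and reintroduce the logout. I would add a comment above the line, e.g. `// 412, not 401/403: the UI treats those as session loss; a wrong TOTP code is a retryable input error`, and confirm that the route tests and any other TOTP-verifying routes expect the same status. The function body starts and ends outside the hunk.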