diff --git a/src/routes/test/cloudron-test.js b/src/routes/test/cloudron-test.js
index f7e5a98ef..54a86b9b9 100644
--- a/src/routes/test/cloudron-test.js
+++ b/src/routes/test/cloudron-test.js
@@ -361,7 +361,7 @@ describe('Cloudron API', function () {
                     });
                 },
                 function (callback) {
-                    superagent.post(`${SERVER_URL}/api/v1/profile/twofactorauthentication`).query({ access_token: accessToken }).end(function (error, result) {
+                    superagent.post(`${SERVER_URL}/api/v1/profile/twofactorauthentication_secret`).query({ access_token: accessToken }).end(function (error, result) {
                         secret = result.body.secret;
                         callback(error);
                     });
@@ -372,7 +372,7 @@ describe('Cloudron API', function () {
                         encoding: 'base32'
                     });
 
-                    superagent.post(`${SERVER_URL}/api/v1/profile/twofactorauthentication/enable`).query({ access_token: accessToken }).send({ totpToken: totpToken }).end(function (error) {
+                    superagent.post(`${SERVER_URL}/api/v1/profile/twofactorauthentication_enable`).query({ access_token: accessToken }).send({ totpToken: totpToken }).end(function (error) {
                         callback(error);
                     });
                 }
@@ -382,7 +382,7 @@ describe('Cloudron API', function () {
         after(function (done) {
             async.series([
                 function (callback) {
-                    superagent.post(`${SERVER_URL}/api/v1/profile/twofactorauthentication/disable`).query({ access_token: accessToken }).send({ password: PASSWORD }).end(function (error) {
+                    superagent.post(`${SERVER_URL}/api/v1/profile/twofactorauthentication_disable`).query({ access_token: accessToken }).send({ password: PASSWORD }).end(function (error) {
                         callback(error);
                     });
                 },
diff --git a/src/server.js b/src/server.js
index 45462b93d..f9697c5c2 100644
--- a/src/server.js
+++ b/src/server.js
@@ -151,9 +151,9 @@ function initializeExpressSync() {
     router.post('/api/v1/profile/avatar',                          json, token, multipart, routes.profile.setAvatar); // avatar is not exposed in LDAP. so it's personal and not locked
     router.del ('/api/v1/profile/avatar',                                token, routes.profile.clearAvatar);
     router.post('/api/v1/profile/password',                        json, token, routes.users.verifyPassword, routes.profile.changePassword);
-    router.post('/api/v1/profile/twofactorauthentication',         json, token, routes.profile.setTwoFactorAuthenticationSecret);
-    router.post('/api/v1/profile/twofactorauthentication/enable',  json, token, routes.profile.enableTwoFactorAuthentication);
-    router.post('/api/v1/profile/twofactorauthentication/disable', json, token, routes.users.verifyPassword, routes.profile.disableTwoFactorAuthentication);
+    router.post('/api/v1/profile/twofactorauthentication_secret',  json, token, routes.profile.setTwoFactorAuthenticationSecret);
+    router.post('/api/v1/profile/twofactorauthentication_enable',  json, token, routes.profile.enableTwoFactorAuthentication);
+    router.post('/api/v1/profile/twofactorauthentication_disable', json, token, routes.users.verifyPassword, routes.profile.disableTwoFactorAuthentication);
 
     // app password routes
     router.get ('/api/v1/app_passwords',           token, routes.appPasswords.list);