diff --git a/CHANGES b/CHANGES
index 8dcf8ac76..bbe456534 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1573,4 +1573,5 @@
 * Ad graphite to services
 * Add labels and tags to apps
 * Ensure MySQL is storing data/time in UTC
+* Fix bug where the UI redirects to login screen when enabling 2FA with invalid token
diff --git a/src/routes/apps.js b/src/routes/apps.js
index eb1246c58..3e236a183 100644
--- a/src/routes/apps.js
+++ b/src/routes/apps.js
@@ -60,7 +60,7 @@ function verifyOwnership(req, res, next) {
 if (error && error.reason === AppsError.NOT_FOUND) return next(new HttpError(404, 'No such app'));
 if (error) return next(new HttpError(500, error));
- if (app.ownerId !== req.user.id) return next(new HttpError(401, 'Unauthorized'));
+ if (app.ownerId !== req.user.id) return next(new HttpError(403, 'User is not owner'));
 next();
 });
diff --git a/src/routes/notifications.js b/src/routes/notifications.js
index 360894f73..4a5fc57ba 100644
--- a/src/routes/notifications.js
+++ b/src/routes/notifications.js
@@ -20,7 +20,7 @@ function verifyOwnership(req, res, next) {
 if (error && error.reason === NotificationsError.NOT_FOUND) return next(new HttpError(404, 'No such notification'));
 if (error) return next(new HttpError(500, error));
- if (result.userId !== req.user.id) return next(new HttpError(401, 'Unauthorized'));
+ if (result.userId !== req.user.id) return next(new HttpError(403, 'User is not owner'));
 req.notification = result;
diff --git a/src/routes/profile.js b/src/routes/profile.js
index 0dc0486a9..9b614e894 100644
--- a/src/routes/profile.js
+++ b/src/routes/profile.js
@@ -89,7 +89,7 @@ function enableTwoFactorAuthentication(req, res, next) {
 users.enableTwoFactorAuthentication(req.user.id, req.body.totpToken, function (error) {
 if (error && error.reason === UsersError.NOT_FOUND) return next(new HttpError(404, 'User not found'));
- if (error && error.reason === UsersError.BAD_TOKEN) return next(new HttpError(401, 'Invalid token'));
+ if (error && error.reason === UsersError.BAD_TOKEN) return next(new HttpError(403, 'Invalid token'));
 if (error && error.reason === UsersError.ALREADY_EXISTS) return next(new HttpError(409, 'TwoFactor Authentication is already enabled'));
 if (error) return next(new HttpError(500, error));
diff --git a/src/routes/users.js b/src/routes/users.js
index d00256fcd..9addd036d 100644
--- a/src/routes/users.js
+++ b/src/routes/users.js
@@ -136,7 +136,7 @@ function verifyPassword(req, res, next) {
 if (typeof req.body.password !== 'string') return next(new HttpError(400, 'API call requires user password'));
 users.verifyWithUsername(req.user.username, req.body.password, function (error) {
- if (error && error.reason === UsersError.WRONG_PASSWORD) return next(new HttpError(403, 'Password incorrect')); // not 401 intentionally
+ if (error && error.reason === UsersError.WRONG_PASSWORD) return next(new HttpError(403, 'Password incorrect')); // not 401 intentionally since the UI redirects for 401
 if (error && error.reason === UsersError.NOT_FOUND) return next(new HttpError(404, 'No such user'));
 if (error) return next(new HttpError(500, error));
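Review bot: In the apps.js verifyOwnership hunk, a non-owner now receives 403 'User is not owner' while an unknown id still receives 404 'No such app', so any authenticated user can tell whether an app id exists from the status code alone; this was equally true with the old 401, so the commit does not introduce it, but it deserves a deliberate decision. If app ids are not meant to be enumerable by other users, collapse both outcomes into the not-found response, e.g. `if (app.ownerId !== req.user.id) return next(new HttpError(404, 'No such app'));`, otherwise record the choice in a comment on that line. The function's opening and the lookup that yields `app` are outside this hunk, so I cannot tell whether an admin bypass is applied before this check.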
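Review bot: The notifications.js verifyOwnership hunk changes the ownership failure from 401 to 403 without any comment explaining why, whereas the users.js hunk in this same commit records the reason on its 403 line (the UI treats 401 as a lost session and redirects to login); a later reader seeing 403 on an ownership check may "correct" it back to 401 and reintroduce the redirect. Add the same trailing comment here: `if (result.userId !== req.user.id) return next(new HttpError(403, 'User is not owner')); // not 401 intentionally since the UI redirects for 401`. The function starts before the hunk and the callback continues after `req.notification = result;`, so the rest of its behaviour is not visible.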
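Review bot: The new BAD_TOKEN line in enableTwoFactorAuthentication answers 403 for an invalid TOTP code but carries no comment explaining the choice, unlike the users.js hunk, so the redirect bug named in the changelog entry is one well-meaning cleanup away from returning; add `// not 401 intentionally since the UI redirects for 401` to the changed line. Separately, `req.body.totpToken` is passed straight into users.enableTwoFactorAuthentication, while the users.js hunk guards its body field with `if (typeof req.body.password !== 'string') return next(new HttpError(400, ...))`; if no equivalent check exists above this hunk (the function's start is outside the view), an object or array in `totpToken` reaches the TOTP comparison with whatever coercion it applies. Consider `if (typeof req.body.totpToken !== 'string') return next(new HttpError(400, 'totpToken must be a string'));` before the call. The callback's success path is also outside the hunk.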