diff --git a/modals/user_mfa_modal.php b/modals/user_mfa_modal.php
new file mode 100644
index 00000000..a5f9987b
--- /dev/null
+++ b/modals/user_mfa_modal.php
@@ -0,0 +1,50 @@
+<?php
+require_once 'plugins/totp/totp.php';
+
+//Generate a base32 Key
+$token = key32gen();
+
+// Generate QR Code
+$data = "otpauth://totp/ITFlow:$session_email?secret=$token";
+
+?>
+
+<div class="modal" id="enableMFAModal" tabindex="-1">
+    <div class="modal-dialog">
+        <div class="modal-content bg-dark">
+            <div class="modal-header">
+                <h5 class="modal-title"><i class="fa fa-fw fa-lock mr-2"></i>Enabling Multi-Factor Authentication</h5>
+                <button type="button" class="close text-white" data-dismiss="modal">
+                    <span>&times;</span>
+                </button>
+            </div>
+            <form action="post.php" method="post" autocomplete="off">
+                <input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
+                <input type="hidden" name="token" value="<?php echo $token; ?>">
+                <div class="modal-body bg-white">
+                        
+                    <div class="text-center">
+                        <img src='plugins/barcode/barcode.php?f=png&s=qr&d=<?php echo $data; ?>'>
+                        <p><span class='text-secondary'>Secret:</span> <?php echo $token; ?>
+                            <button type="button" class='btn btn-sm clipboardjs' data-clipboard-text='<?php echo $token; ?>'><i class='far fa-copy text-secondary'></i></button>
+                        </p>
+                    </div>
+
+                    <div class="form-group">
+                        <div class="input-group">
+                            <div class="input-group-prepend">
+                                <span class="input-group-text"><i class="fa fa-fw fa-lock"></i></span>
+                            </div>
+                            <input type="text" class="form-control" inputmode="numeric" pattern="[0-9]*" name="verify_code" placeholder="Enter 6 digit code to verify MFA" required>
+                        </div>
+                    </div>
+
+                </div>
+                <div class="modal-footer bg-white">
+                    <button type="submit" name="enable_mfa" class="btn btn-primary text-bold"><i class="fa fa-check mr-2"></i>Enable</button>
+                    <button type="button" class="btn btn-light" data-dismiss="modal"><i class="fa fa-times mr-2"></i>Cancel</button>
+                </div>
+            </form>
+        </div>
+    </div>
+</div>
diff --git a/post/user/profile.php b/post/user/profile.php
index 0ff38f49..79fdb22b 100644
--- a/post/user/profile.php
+++ b/post/user/profile.php
@@ -208,6 +208,76 @@ if (isset($_POST['verify'])) {
 
 }
 
+if (isset($_POST['enable_mfa'])) {
+
+    validateCSRFToken($_POST['csrf_token']);
+
+    require_once "plugins/totp/totp.php";
+
+    $verify_code = intval($_POST['verify_code']);  //code to validate, for example received from device
+    $token = sanitizeInput($_POST['token']);
+
+    if (TokenAuth6238::verify($token, $verify_code)) {
+
+        mysqli_query($mysqli,"UPDATE users SET user_token = '$token' WHERE user_id = $session_user_id");
+
+        // Delete any existing 2FA tokens - these browsers should be re-validated
+        mysqli_query($mysqli, "DELETE FROM remember_tokens WHERE remember_token_user_id = $session_user_id");
+
+        // Logging
+        logAction("User Account", "Edit", "$session_name enabled MFA on their account");
+
+        $_SESSION['alert_message'] = "Multi-Factor authentication enabled";
+
+    } else {
+        $_SESSION['alert_type'] = "error";
+        $_SESSION['alert_message'] = "Verification Code Invalid, Multi-Factor Authenticaion not enabled, Try again!";
+    }    
+
+    header("Location: user_security.php");
+
+}
+
+if (isset($_GET['disable_mfa'])){
+
+    // CSRF Check
+    validateCSRFToken($_GET['csrf_token']);
+
+    mysqli_query($mysqli,"UPDATE users SET user_token = '' WHERE user_id = $session_user_id");
+
+    // Sanitize Config Vars from get_settings.php and Session Vars from check_login.php
+    $config_mail_from_name = sanitizeInput($config_mail_from_name);
+    $config_mail_from_email = sanitizeInput($config_mail_from_email);
+    $config_app_name = sanitizeInput($config_app_name);
+
+    // Email notification
+    if (!empty($config_smtp_host)) {
+        $subject = "$config_app_name account update confirmation for $session_name";
+        $body = "Hi $session_name, <br><br>Your $config_app_name account has been updated, details below: <br><br> <b>2FA was disabled.</b> <br><br> If you did not perform this change, contact your $config_app_name administrator immediately. <br><br>Thanks, <br>ITFlow<br>$session_company_name";
+
+        $data = [
+            [
+                'from' => $config_mail_from_email,
+                'from_name' => $config_mail_from_name,
+                'recipient' => $session_email,
+                'recipient_name' => $session_name,
+                'subject' => $subject,
+                'body' => $body
+            ]
+            ];
+        $mail = addToMailQueue($data);
+    }
+
+    // Logging
+    logAction("User Account", "Edit", "$session_name disabled MFA on their account");
+
+    $_SESSION['alert_type'] = "error";
+    $_SESSION['alert_message'] = "Multi-Factor authentication disabled";
+
+    header("Location: " . $_SERVER["HTTP_REFERER"]);
+
+}
+
 if (isset($_POST['enable_2fa']) || isset($_GET['enable_2fa_force'])) {
 
     // CSRF Check
diff --git a/user_security.php b/user_security.php
index 7c26d3c6..0dd10d84 100644
--- a/user_security.php
+++ b/user_security.php
@@ -31,65 +31,20 @@ $remember_token_count = mysqli_num_rows($sql_remember_tokens);
             <button type="submit" name="edit_your_user_password" class="btn btn-primary"><i class="fas fa-check mr-2"></i>Change</button>
 
         </form>
-    </div>
-</div>
-
-<div class="card card-dark">
-    <div class="card-header">
-        <h3 class="card-title"><i class="fas fa-lock mr-2"></i>Mult-Factor Authentication</h3>
-    </div>
-    <div class="card-body">
-        <form action="post.php" method="post" autocomplete="off">
-            <input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
 
+         <div class="float-right">
             <?php if (empty($session_token)) { ?>
-                <button type="submit" name="enable_2fa" class="btn btn-success"><i class="fa fa-fw fa-lock"></i><br> Enable 2FA</button>
+                <button type="button" class="btn btn-primary" data-toggle="modal" data-target="#enableMFAModal">
+                    <i class="fas fa-lock mr-2"></i>Enable Multi-Factor Authentication
+                </button>
+
+                <?php require_once "modals/user_mfa_modal.php"; ?>
+            
             <?php } else { ?>
-                <p>You have set up 2FA. Your QR code is below.</p>
-                <button type="submit" name="disable_2fa" class="btn btn-danger"><i class="fa fa-fw fa-unlock"></i><br>Disable 2FA</button>
+                <a href="post.php?disable_mfa&csrf_token=<?php echo $_SESSION['csrf_token'] ?>" class="btn btn-danger"><i class="fas fa-unlock mr-2"></i>Disable Multi-Factor Authentication</a>
             <?php } ?>
+        </div>
 
-            <center>
-                <?php
-
-                require_once 'plugins/totp/totp.php';
-
-                //Generate a base32 Key
-                $secretkey = key32gen();
-
-                if (!empty($session_token)) {
-
-                    // Generate QR Code
-                    $data = "otpauth://totp/ITFlow:$session_email?secret=$session_token";
-                    print "<img src='plugins/barcode/barcode.php?f=png&s=qr&d=$data'>";
-
-                    echo "<p class='text-secondary'>$session_token</p>";
-
-                }
-
-                ?>
-            </center>
-
-            <input type="hidden" name="token" value="<?php echo $secretkey; ?>">
-
-        </form>
-
-        <?php if (!empty($session_token)) { ?>
-            <form action="post.php" method="post" autocomplete="off">
-                <div class="form-group">
-                    <div class="input-group">
-                        <div class="input-group-prepend">
-                            <span class="input-group-text"><i class="fa fa-fw fa-key"></i></span>
-                        </div>
-                        <input type="text" class="form-control" inputmode="numeric" pattern="[0-9]*" name="code" placeholder="Verify 2FA Code" required>
-                        <div class="input-group-append">
-                            <button type="submit" name="verify" class="btn btn-success">Verify</button>
-                        </div>
-                    </div>
-                </div>
-
-            </form>
-        <?php } ?>
     </div>
 </div>
 
