diff --git a/src/Api/Controllers/TwoFactorController.cs b/src/Api/Controllers/TwoFactorController.cs
index 7d22687e1c..036f3cc969 100644
--- a/src/Api/Controllers/TwoFactorController.cs
+++ b/src/Api/Controllers/TwoFactorController.cs
@@ -15,7 +15,7 @@ using Newtonsoft.Json;
 namespace Bit.Api.Controllers
 {
     [Route("two-factor")]
-    [Authorize("Application")]
+    [Authorize("Web")]
     public class TwoFactorController : Controller
     {
         private readonly IUserService _userService;
diff --git a/src/Api/Startup.cs b/src/Api/Startup.cs
index f8faa0ceee..77d44eaed1 100644
--- a/src/Api/Startup.cs
+++ b/src/Api/Startup.cs
@@ -79,6 +79,15 @@ namespace Bit.Api
                     policy.AddAuthenticationSchemes("Bearer2", "Bearer3");
                     policy.RequireAuthenticatedUser();
                     policy.RequireClaim(JwtClaimTypes.AuthenticationMethod, "Application");
+                    policy.RequireClaim(JwtClaimTypes.Scope, "api");
+                });
+                config.AddPolicy("Web", policy =>
+                {
+                    policy.AddAuthenticationSchemes("Bearer2", "Bearer3");
+                    policy.RequireAuthenticatedUser();
+                    policy.RequireClaim(JwtClaimTypes.AuthenticationMethod, "Application");
+                    policy.RequireClaim(JwtClaimTypes.Scope, "api");
+                    policy.RequireClaim(JwtClaimTypes.ClientId, "web");
                 });
             });
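Review bot: The switch to `[Authorize("Web")]` leaves no trace in this file of why two-factor management is limited to a single client, so a future reader sees only a policy name and may revert it to "Application" as a cleanup. A comment on the attribute would prevent that, e.g. `// Two-factor settings are managed only from the web client: the "Web" policy (Startup.cs) adds a client_id == "web" requirement on top of the "Application" policy.` Because the attribute sits on the class, every action in this controller is now unreachable for tokens issued to other clients; from the hunk alone I cannot tell whether any action here was meant to stay available to them, and if so it would need its own policy. The class body continues outside the hunk.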