diff --git a/src/Api/Controllers/TwoFactorController.cs b/src/Api/Controllers/TwoFactorController.cs
index cf785987e1..ed3fc12b36 100644
--- a/src/Api/Controllers/TwoFactorController.cs
+++ b/src/Api/Controllers/TwoFactorController.cs
@@ -359,7 +359,8 @@ namespace Bit.Api.Controllers
         [AllowAnonymous]
         public async Task PostRecover([FromBody]TwoFactorRecoveryRequestModel model)
         {
-            if(!await _userService.RecoverTwoFactorAsync(model.Email, model.MasterPasswordHash, model.RecoveryCode))
+            if(!await _userService.RecoverTwoFactorAsync(model.Email, model.MasterPasswordHash, model.RecoveryCode,
+                _organizationService))
             {
                 await Task.Delay(2000);
                 throw new BadRequestException(string.Empty, "Invalid information. Try again.");
diff --git a/src/Core/Services/IUserService.cs b/src/Core/Services/IUserService.cs
index ee7e9f8af9..822f8e9de9 100644
--- a/src/Core/Services/IUserService.cs
+++ b/src/Core/Services/IUserService.cs
@@ -39,7 +39,8 @@ namespace Bit.Core.Services
         Task UpdateTwoFactorProviderAsync(User user, TwoFactorProviderType type);
         Task DisableTwoFactorProviderAsync(User user, TwoFactorProviderType type,
             IOrganizationService organizationService);
-        Task<bool> RecoverTwoFactorAsync(string email, string masterPassword, string recoveryCode);
+        Task<bool> RecoverTwoFactorAsync(string email, string masterPassword, string recoveryCode,
+            IOrganizationService organizationService);
         Task<string> GenerateUserTokenAsync(User user, string tokenProvider, string purpose);
         Task<IdentityResult> DeleteAsync(User user);
         Task<IdentityResult> DeleteAsync(User user, string token);
diff --git a/src/Core/Services/Implementations/UserService.cs b/src/Core/Services/Implementations/UserService.cs
index f61e96d9c0..089239e8ef 100644
--- a/src/Core/Services/Implementations/UserService.cs
+++ b/src/Core/Services/Implementations/UserService.cs
@@ -668,28 +668,12 @@ namespace Bit.Core.Services
 
             if(!await TwoFactorIsEnabledAsync(user))
             {
-                var policies = await _policyRepository.GetManyByUserIdAsync(user.Id);
-                var twoFactorPolicies = policies.Where(p => p.Type == PolicyType.TwoFactorAuthentication && p.Enabled);
-                if(twoFactorPolicies.Any())
-                {
-                    var userOrgs = await _organizationUserRepository.GetManyByUserAsync(user.Id);
-                    var ownerOrgs = userOrgs.Where(o => o.Type == OrganizationUserType.Owner)
-                        .Select(o => o.OrganizationId).ToHashSet();
-                    foreach(var policy in twoFactorPolicies)
-                    {
-                        if(!ownerOrgs.Contains(policy.OrganizationId))
-                        {
-                            await organizationService.DeleteUserAsync(policy.OrganizationId, user.Id);
-                            var organization = await _organizationRepository.GetByIdAsync(policy.OrganizationId);
-                            await _mailService.SendOrganizationUserRemovedForPolicyTwoStepEmailAsync(
-                                organization.Name, user.Email);
-                        }
-                    }
-                }
+                await CheckPoliciesOnTwoFactorRemovalAsync(user, organizationService);
             }
         }
 
-        public async Task<bool> RecoverTwoFactorAsync(string email, string masterPassword, string recoveryCode)
+        public async Task<bool> RecoverTwoFactorAsync(string email, string masterPassword, string recoveryCode,
+            IOrganizationService organizationService)
         {
             var user = await _userRepository.GetByEmailAsync(email);
             if(user == null)
@@ -713,6 +697,7 @@ namespace Bit.Core.Services
             await SaveUserAsync(user);
             await _mailService.SendRecoverTwoFactorEmail(user.Email, DateTime.UtcNow, _currentContext.IpAddress);
             await _eventService.LogUserEventAsync(user.Id, EventType.User_Recovered2fa);
+            await CheckPoliciesOnTwoFactorRemovalAsync(user, organizationService);
 
             return true;
         }
@@ -1094,5 +1079,27 @@ namespace Bit.Core.Services
                 user.TwoFactorRecoveryCode = CoreHelpers.SecureRandomString(32, upper: false, special: false);
             }
         }
+
+        private async Task CheckPoliciesOnTwoFactorRemovalAsync(User user, IOrganizationService organizationService)
+        {
+            var policies = await _policyRepository.GetManyByUserIdAsync(user.Id);
+            var twoFactorPolicies = policies.Where(p => p.Type == PolicyType.TwoFactorAuthentication && p.Enabled);
+            if(twoFactorPolicies.Any())
+            {
+                var userOrgs = await _organizationUserRepository.GetManyByUserAsync(user.Id);
+                var ownerOrgs = userOrgs.Where(o => o.Type == OrganizationUserType.Owner)
+                    .Select(o => o.OrganizationId).ToHashSet();
+                foreach(var policy in twoFactorPolicies)
+                {
+                    if(!ownerOrgs.Contains(policy.OrganizationId))
+                    {
+                        await organizationService.DeleteUserAsync(policy.OrganizationId, user.Id);
+                        var organization = await _organizationRepository.GetByIdAsync(policy.OrganizationId);
+                        await _mailService.SendOrganizationUserRemovedForPolicyTwoStepEmailAsync(
+                            organization.Name, user.Email);
+                    }
+                }
+            }
+        }
     }
 }