diff --git a/lib/recognizer_web/controllers/accounts/user_settings_controller.ex b/lib/recognizer_web/controllers/accounts/user_settings_controller.ex
index 0bc09bdf..b71bf9b7 100644
--- a/lib/recognizer_web/controllers/accounts/user_settings_controller.ex
+++ b/lib/recognizer_web/controllers/accounts/user_settings_controller.ex
@@ -94,15 +94,22 @@ defmodule RecognizerWeb.Accounts.UserSettingsController do
 def review(conn, _params) do
 user = Authentication.fetch_current_user(conn)
- {:ok, %{recovery_codes: recovery_codes}} = Accounts.get_new_two_factor_settings(user)
- recovery_block =
- recovery_codes
- |> Enum.map(& &1.code)
- |> Enum.map(& &1 <> "\n")
+ case Accounts.get_new_two_factor_settings(user) do
+ {:ok, %{recovery_codes: recovery_codes}} ->
+ recovery_block =
+ recovery_codes
+ |> Enum.map(& &1.code)
+ |> Enum.map(&(&1 <> "\n"))
- conn
- |> render("recovery_codes.html", recovery_block: recovery_block)
+ conn
+ |> render("recovery_codes.html", recovery_block: recovery_block)
+
+ _ ->
+ conn
+ |> put_flash(:error, "Two factor setup not yet initiated")
+ |> redirect(to: Routes.user_settings_path(conn, :edit))
+ end
 end
 defp assign_email_and_password_changesets(conn, _opts) do
diff --git a/test/recognizer_web/controllers/accounts/user_settings_controller_test.exs b/test/recognizer_web/controllers/accounts/user_settings_controller_test.exs
index bd784dc3..f9dc37ed 100644
--- a/test/recognizer_web/controllers/accounts/user_settings_controller_test.exs
+++ b/test/recognizer_web/controllers/accounts/user_settings_controller_test.exs
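Review bot: In `review/2` of user_settings_controller.ex, the catch-all `_ ->` clause reports every result other than `{:ok, %{recovery_codes: ...}}` as "Two factor setup not yet initiated", so a genuine failure from `Accounts.get_new_two_factor_settings/1` (its return shapes are not visible in this hunk) would be shown to the user as a missing setup and leave no trace for operators. I would match the specific not-started value explicitly and let any other shape crash or be logged; at minimum, add a comment above the clause such as `# any other result is treated as "no pending 2FA settings for this user"`. Because the success branch renders 2FA recovery codes into an HTML response, it is also worth confirming that this route is served with `cache-control: no-store`, which this hunk does not show either way.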
@@ -112,4 +112,18 @@ defmodule RecognizerWeb.Accounts.UserSettingsControllerTest do
 assert response =~ "must not contain special characters"
 end
 end
+
+ describe "GET /users/settings/two-factor/review (backup codes)" do
+ test "gets review page after 2fa setup", %{conn: conn, user: user} do
+ Recognizer.Accounts.generate_and_cache_new_two_factor_settings(user, "app")
+ conn = get(conn, Routes.user_settings_path(conn, :review))
+ _response = html_response(conn, 200)
+ end
+
+ test "review 2fa without setup is ?", %{conn: conn} do
+ conn = get(conn, Routes.user_settings_path(conn, :review))
+ _response = html_response(conn, 302)
+ assert get_flash(conn, :error) == "Two factor setup not yet initiated"
+ end
+ end
 end
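Review bot: The first test only checks the 200 status and discards the body in `_response`, so it would still pass if the template rendered no recovery codes at all. The second test's name ends in a placeholder (`is ?`) and never checks where the redirect goes. I would rename it to something like `"redirects to settings when 2fa setup was not started"` and add `assert redirected_to(conn) == Routes.user_settings_path(conn, :edit)`. For the first test, asserting that a generated code appears in the body depends on what `generate_and_cache_new_two_factor_settings/2` returns, which is not visible here, so that part needs confirming against the Accounts module.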