diff --git a/management/mfa.py b/management/mfa.py
index b7f29bce..541fbc26 100644
--- a/management/mfa.py
+++ b/management/mfa.py
@@ -43,9 +43,9 @@ def enable_mfa(email, type, secret, token, label, env):
 c.execute('INSERT INTO mfa (user_id, type, secret, label) VALUES (?, ?, ?, ?)', (get_user_id(email, c), type, secret, label))
 conn.commit()
 
-def set_mru_token(email, token, env):
+def set_mru_token(email, mfa_id, token, env):
 conn, c = open_database(env, with_connection=True)
- c.execute('UPDATE mfa SET mru_token=? WHERE user_id=?', (token, get_user_id(email, c)))
+ c.execute('UPDATE mfa SET mru_token=? WHERE user_id=? AND id=?', (token, get_user_id(email, c), mfa_id))
 conn.commit()
 
 def disable_mfa(email, mfa_id, env):
@@ -127,7 +127,7 @@ def validate_auth_mfa(email, request, env):
 continue
 
 # On success, record the token to prevent a replay attack.
- set_mru_token(email, token, env)
+ set_mru_token(email, mfa_mode['id'], token, env)
 return (True, [])
 
 # On a failed login, indicate failure and any hints for what the user can do instead.
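Review bot: `set_mru_token` still returns without confirming that the UPDATE matched a row, so a stale `mfa_id` or a `get_user_id` miss leaves `mru_token` unchanged while `validate_auth_mfa` goes on to return `(True, [])` — the replay protection the comment promises is then silently not recorded. Since the new WHERE clause already pins the row by `user_id` and `id`, treat an unmatched update as a failure right after the execute: `if c.rowcount != 1: raise ValueError("MFA record not found")` (sqlite3 cursors report `rowcount` for UPDATE; confirm that is what `open_database` returns). Folding the replay comparison into the same statement, `... AND id=? AND (mru_token IS NULL OR mru_token != ?)` with `token` passed a second time, would also turn the check-then-record into one atomic write instead of the separate read that presumably precedes this call in `validate_auth_mfa`, whose body lies outside the second hunk. The connection opened by `open_database` is never closed in this function, but that predates the change.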