diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9fdeb38..b5d28b8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -36,6 +36,7 @@ There's a change in flash messages handling, please see #391
 - Enh #458: Multiple 2FA channels (email, sms) (acordeddu)
 - Fix #432: Fix documentation overlap by shortening page names (cgsmith)
 - Enh #472: implement module viewPath in all views instead of static file reference (tonisormisson)
+- Fix: Clear 2FA auth key when feature is disabled by user
 - Fix: check user before accessing 2FA code
 
 ## 1.5.1 April 5, 2020
diff --git a/src/User/Controller/SettingsController.php b/src/User/Controller/SettingsController.php
old mode 100755
new mode 100644
index d218626..4cdb8d7
--- a/src/User/Controller/SettingsController.php
+++ b/src/User/Controller/SettingsController.php
@@ -40,6 +40,7 @@ use Da\User\Validator\TwoFactorEmailValidator;
 use Da\User\Validator\TwoFactorTextMessageValidator;
 use Yii;
 use yii\base\DynamicModel;
+use yii\base\InvalidParamException;
 use yii\filters\AccessControl;
 use yii\filters\VerbFilter;
 use yii\helpers\ArrayHelper;
@@ -453,6 +454,10 @@ class SettingsController extends Controller
 
     public function actionTwoFactor($id)
     {
+        if(!$this->module->enableTwoFactorAuthentication){ 
+            throw new ForbiddenHttpException(Yii::t('usuario','Application not configured for two factor authentication.'));
+        }
+
         if($id != Yii::$app->user->id) {
             throw new ForbiddenHttpException();
         } 
@@ -477,18 +482,20 @@ class SettingsController extends Controller
                 $mobilePhone = $user->getAuthTfMobilePhone();
                 $smsCode = $this->make(TwoFactorSmsCodeGeneratorService::class, [$user])->run();
                 return $this->renderAjax('two-factor-sms', ['id' => $id, 'code' => $smsCode, 'mobilePhone' => $mobilePhone]);
+            default:
+                throw new InvalidParamException("Invalid 2FA choice");
         }
     }
 
     public function actionTwoFactorEnable($id)
     {
+        if(!$this->module->enableTwoFactorAuthentication){ 
+            throw new ForbiddenHttpException(Yii::t('usuario','Application not configured for two factor authentication.'));
+        }
+        
         Yii::$app->response->format = Response::FORMAT_JSON;
 
-        /**
-        *
-        *
-        * @var User $user
-        */
+        /** @var User $user */
         $user = $this->userQuery->whereId($id)->one();
 
         if (null === $user) {
@@ -518,9 +525,15 @@ class SettingsController extends Controller
 
     public function actionTwoFactorDisable($id)
     {
+        if(!$this->module->enableTwoFactorAuthentication){ 
+            throw new ForbiddenHttpException(Yii::t('usuario','Application not configured for two factor authentication.'));
+        }
+        
+        if($id != Yii::$app->user->id) {
+            throw new ForbiddenHttpException();
+        }
+        
         /**
-        *
-        *
         * @var User $user
         */
         $user = $this->userQuery->whereId($id)->one();
@@ -529,7 +542,7 @@ class SettingsController extends Controller
             throw new NotFoundHttpException();
         }
 
-        if ($user->updateAttributes(['auth_tf_enabled' => '0'])) {
+        if ($user->updateAttributes(['auth_tf_enabled' => '0', 'auth_tf_key' => NULL])) {
             Yii::$app
                 ->getSession()
                 ->setFlash('success', Yii::t('usuario', 'Two factor authentication has been disabled.'));