diff --git a/src/api/routes/users/@me/mfa/totp/disable.ts b/src/api/routes/users/@me/mfa/totp/disable.ts
index 0b1956016..40251bcb1 100644
--- a/src/api/routes/users/@me/mfa/totp/disable.ts
+++ b/src/api/routes/users/@me/mfa/totp/disable.ts
@@ -43,7 +43,7 @@ router.post(
 
         const user = await User.findOneOrFail({
             where: { id: req.user_id },
-            select: { totp_secret: true },
+            select: { id: true, totp_secret: true },
         });
 
         const backup = await BackupCode.findOne({ where: { code: body.code } });
diff --git a/src/api/routes/users/@me/mfa/totp/enable.ts b/src/api/routes/users/@me/mfa/totp/enable.ts
index 869f1573f..aaaa4c12b 100644
--- a/src/api/routes/users/@me/mfa/totp/enable.ts
+++ b/src/api/routes/users/@me/mfa/totp/enable.ts
@@ -47,7 +47,7 @@ router.post(
 
         const user = await User.findOneOrFail({
             where: { id: req.user_id },
-            select: { data: true, email: true },
+            select: { id: true, data: true, email: true },
         });
 
         // TODO: Are guests allowed to enable 2fa?