diff --git a/internal/api/mfa.go b/internal/api/mfa.go
index 434a7117c..94c422f0a 100644
--- a/internal/api/mfa.go
+++ b/internal/api/mfa.go
@@ -62,6 +62,7 @@ const (
 func (a *API) EnrollFactor(w http.ResponseWriter, r *http.Request) error {
 	ctx := r.Context()
 	user := getUser(ctx)
+	session := getSession(ctx)
 	config := a.config
 
 	params := &EnrollFactorParams{}
@@ -110,6 +111,10 @@ func (a *API) EnrollFactor(w http.ResponseWriter, r *http.Request) error {
 		return forbiddenError("Maximum number of enrolled factors reached, unenroll to continue")
 	}
 
+	if numVerifiedFactors > 0 && !session.IsAAL2() {
+		return forbiddenError("AAL2 required to enroll a new factor")
+	}
+
 	key, err := totp.Generate(totp.GenerateOpts{
 		Issuer:      issuer,
 		AccountName: user.GetEmail(),
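Review bot: The new guard in the second hunk calls `session.IsAAL2()` on the `session` introduced in the first hunk without checking that `getSession(ctx)` returned a non-nil value; if this handler can be reached with no session in the context and `IsAAL2` does not tolerate a nil receiver, the request panics instead of being denied. The safer shape fails closed: `if numVerifiedFactors > 0 && (session == nil || !session.IsAAL2()) {`. The check also deserves a why-comment, since its placement after the max-factor check is not self-explanatory, e.g. `// A user who already has a verified factor must be at AAL2 before adding another, so a password-only session cannot attach a new factor.` The body of EnrollFactor, including where `numVerifiedFactors` is computed, lies outside both hunks.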