diff --git a/app/models/user.rb b/app/models/user.rb
index b7337bc7..7b68afe6 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -234,6 +234,14 @@ def has_active_stripe_subscription? subscriptions.any? { |subscription| %w[trialing active].include?(subscription.status) } end
+ def generate_otp_secret
+ self.update(
+ otp_auth_secret: ROTP::Base32.random_base32,
+ otp_recovery_secret: ROTP::Base32.random_base32,
+ otp_persistence_seed: SecureRandom.hex
+ )
+ end + private def restrict_free_frequency
diff --git a/app/views/devise/otp_tokens/_token_secret.html.erb b/app/views/devise/otp_tokens/_token_secret.html.erb
index 9169f2c9..6694061d 100644
--- a/app/views/devise/otp_tokens/_token_secret.html.erb
+++ b/app/views/devise/otp_tokens/_token_secret.html.erb
@@ -1,7 +1,9 @@
-<% unless resource.otp_enabled? %>
+<% current_user.generate_otp_secret unless current_user.otp_auth_secret? %>
+
+<% unless current_user.otp_enabled? %>
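Review bot: `generate_otp_secret` in app/models/user.rb discards the return value of `update`, so if the record fails validation the three secrets stay assigned in memory but are never saved, and the caller added in `_token_secret.html.erb` would presumably go on to render an enrolment image for a secret the server does not hold. Use `update!` (or check the result) so a failed write surfaces instead of producing an enrolment that can never verify. The method also overwrites existing secrets unconditionally, and the only guard visible is `unless current_user.otp_auth_secret?` in the view. I would move that guard into the method as `return if otp_auth_secret?`, so that a stray call cannot rotate the authenticator and recovery secrets of a user who already has 2FA set up. The `self.` receiver on `update` is redundant.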

<%= I18n.t('explain', :scope => 'devise.otp.token_secret') %>

- <%= otp_authenticator_token_image(resource) %>
+ <%= otp_authenticator_token_image(current_user) %>
<% end %>
-<% if resource.otp_enabled? %>
- <%- if recovery_enabled? && resource.otp_enabled_on > 10.minutes.ago %>
+<% if current_user.otp_enabled? %>
+ <%- if recovery_enabled? && current_user.otp_enabled_on > 10.minutes.ago %>

<%= I18n.t('title', :scope => 'devise.otp.otp_tokens.recovery') %>

<%= I18n.t('explain', :scope => 'devise.otp.otp_tokens.recovery') %>
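Review bot: The first added line, `<% current_user.generate_otp_secret unless current_user.otp_auth_secret? %>`, performs a database write while rendering a partial, so every request that renders it can mutate the account. The check-then-write is also not atomic: two concurrent renders can each generate a secret, and one of them may display an enrolment image that no longer matches the stored value. I would move the call into the controller action that renders this partial and wrap it in `current_user.with_lock { ... }`. The partial also now reads `current_user` while still relying on `resource_name`, `@challenge` and `@recovery` from the Devise controller; if `resource` can ever differ from `current_user`, the form and the displayed secret would refer to different records. Either keep `resource` or add a comment stating why the two are always the same here.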

@@ -27,9 +29,9 @@ <%= I18n.t('reset_explain', :scope => 'devise.otp.token_secret') %> <%= I18n.t('reset_explain_warn', :scope => 'devise.otp.token_secret') %>

-

<%= button_to I18n.t('reset_otp', :scope => 'devise.otp.token_secret'), @resource, :method => :delete, :data => { "turbo-method": "DELETE" }, class: "btn btn-danger" %>

+

<%= button_to I18n.t('reset_otp', :scope => 'devise.otp.token_secret'), current_user, :method => :delete, :data => { "turbo-method": "DELETE" }, class: "btn btn-danger" %>

<% else %>
- <%= form_for(resource, :as => resource_name, :url => validate_otp_path, :html => { :method => :post, "data-turbo" => false }) do |f| %>
+ <%= form_for(current_user, :as => resource_name, :url => validate_otp_path, :html => { :method => :post, "data-turbo" => false }) do |f| %>
 <%= f.hidden_field :challenge, {:value => @challenge} %>
 <%= f.hidden_field :recovery, {:value => @recovery} %>