diff --git a/src/applications/people/controller/PhabricatorPeopleEmpowerController.php b/src/applications/people/controller/PhabricatorPeopleEmpowerController.php
--- a/src/applications/people/controller/PhabricatorPeopleEmpowerController.php
+++ b/src/applications/people/controller/PhabricatorPeopleEmpowerController.php
@@ -17,14 +17,8 @@
 
     $done_uri = $this->getApplicationURI("manage/{$id}/");
 
-    id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession(
-      $viewer,
-      $request,
-      $done_uri);
-
     $validation_exception = null;
-
-    if ($request->isFormPost()) {
+    if ($request->isFormOrHisecPost()) {
       $xactions = array();
       $xactions[] = id(new PhabricatorUserTransaction())
         ->setTransactionType(
@@ -34,7 +28,8 @@
       $editor = id(new PhabricatorUserTransactionEditor())
         ->setActor($viewer)
         ->setContentSourceFromRequest($request)
-        ->setContinueOnMissingFields(true);
+        ->setContinueOnMissingFields(true)
+        ->setCancelURI($done_uri);
 
       try {
         $editor->applyTransactions($user, $xactions);
diff --git a/src/applications/people/xaction/PhabricatorUserEmpowerTransaction.php b/src/applications/people/xaction/PhabricatorUserEmpowerTransaction.php
--- a/src/applications/people/xaction/PhabricatorUserEmpowerTransaction.php
+++ b/src/applications/people/xaction/PhabricatorUserEmpowerTransaction.php
@@ -86,4 +86,11 @@
 
     return null;
   }
+
+  public function shouldTryMFA(
+    $object,
+    PhabricatorApplicationTransaction $xaction) {
+    return true;
+  }
+
 }