diff --git a/src/applications/people/controller/PhabricatorPeopleEmpowerController.php b/src/applications/people/controller/PhabricatorPeopleEmpowerController.php
index 09021bf73e..22e7c22b68 100644
--- a/src/applications/people/controller/PhabricatorPeopleEmpowerController.php
+++ b/src/applications/people/controller/PhabricatorPeopleEmpowerController.php
@@ -1,75 +1,70 @@ getViewer(); $id = $request->getURIData('id'); $user = id(new PhabricatorPeopleQuery()) ->setViewer($viewer) ->withIDs(array($id)) ->executeOne(); if (!$user) { return new Aphront404Response(); } $done_uri = $this->getApplicationURI("manage/{$id}/"); - id(new PhabricatorAuthSessionEngine())->requireHighSecuritySession( - $viewer, - $request, - $done_uri); - $validation_exception = null; - - if ($request->isFormPost()) { + if ($request->isFormOrHisecPost()) { $xactions = array(); $xactions[] = id(new PhabricatorUserTransaction()) ->setTransactionType( PhabricatorUserEmpowerTransaction::TRANSACTIONTYPE) ->setNewValue(!$user->getIsAdmin()); $editor = id(new PhabricatorUserTransactionEditor()) ->setActor($viewer) ->setContentSourceFromRequest($request) - ->setContinueOnMissingFields(true); + ->setContinueOnMissingFields(true) + ->setCancelURI($done_uri); try { $editor->applyTransactions($user, $xactions); return id(new AphrontRedirectResponse())->setURI($done_uri); } catch (PhabricatorApplicationTransactionValidationException $ex) { $validation_exception = $ex; } } if ($user->getIsAdmin()) { $title = pht('Remove as Administrator?'); $short = pht('Remove Administrator'); $body = pht( 'Remove %s as an administrator? They will no longer be able to '. 'perform administrative functions on this Phabricator install.', phutil_tag('strong', array(), $user->getUsername())); $submit = pht('Remove Administrator'); } else { $title = pht('Make Administrator?'); $short = pht('Make Administrator'); $body = pht( 'Empower %s as an administrator? They will be able to create users, '. 'approve users, make and remove administrators, delete accounts, and '. 
'perform other administrative functions on this Phabricator install.', phutil_tag('strong', array(), $user->getUsername())); $submit = pht('Make Administrator'); } return $this->newDialog() ->setValidationException($validation_exception) ->setTitle($title) ->setShortTitle($short) ->appendParagraph($body) ->addCancelButton($done_uri) ->addSubmitButton($submit); } }
diff --git a/src/applications/people/xaction/PhabricatorUserEmpowerTransaction.php b/src/applications/people/xaction/PhabricatorUserEmpowerTransaction.php
index 5499f5d8cb..d17418636f 100644
--- a/src/applications/people/xaction/PhabricatorUserEmpowerTransaction.php
+++ b/src/applications/people/xaction/PhabricatorUserEmpowerTransaction.php
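Review bot: The POST branch applies a toggle of the user's current state, `->setNewValue(!$user->getIsAdmin())`, rather than the action the administrator actually confirmed in the dialog, and with this change the confirmation can now be separated from the apply by an MFA round-trip through `isFormOrHisecPost()`. If the target's admin flag changes in between (another administrator acting concurrently, or a stale dialog), the request silently performs the opposite privilege change from the one announced in `$title`. Carrying the intended value as a hidden input on the dialog and rejecting a mismatch makes the operation idempotent with respect to what was confirmed; this assumes the hisec re-POST passes the original form parameters through, which is not visible in this hunk. Note also that only `PhabricatorApplicationTransactionValidationException` is caught, so if the editor raises a distinct no-effect exception for an unchanged value it would surface as an error page instead of the dialog. The start of `handleRequest()` is truncated in this view of the hunk.
```php
    if ($request->isFormOrHisecPost()) {
      // Apply the value the administrator confirmed in the dialog, not a
      // toggle of whatever the flag is now, so a concurrent change or an
      // MFA round-trip can not invert the intended action.
      $want_admin = $request->getStr('admin');
      if ($want_admin !== '0' && $want_admin !== '1') {
        return new Aphront400Response();
      }
      $new_value = ($want_admin === '1');
      if ($new_value === (bool)$user->getIsAdmin()) {
        // Already in the requested state; nothing to apply.
        return id(new AphrontRedirectResponse())->setURI($done_uri);
      }

      $xactions = array();
      $xactions[] = id(new PhabricatorUserTransaction())
        ->setTransactionType(
          PhabricatorUserEmpowerTransaction::TRANSACTIONTYPE)
        ->setNewValue($new_value);
      // … unchanged: editor setup and applyTransactions() …
    }

    // … unchanged: title/body selection …

    return $this->newDialog()
      ->addHiddenInput('admin', (int)!$user->getIsAdmin())
      ->setValidationException($validation_exception)
      // … unchanged: remaining dialog builder calls …
```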
@@ -1,89 +1,96 @@ getIsAdmin(); } public function generateNewValue($object, $value) { return (bool)$value; } public function applyInternalEffects($object, $value) { $object->setIsAdmin((int)$value); } public function validateTransactions($object, array $xactions) { $user = $object; $actor = $this->getActor(); $errors = array(); foreach ($xactions as $xaction) { $old = $xaction->getOldValue(); $new = $xaction->getNewValue(); if ($old === $new) { continue; } if ($user->getPHID() === $actor->getPHID()) { $errors[] = $this->newInvalidError( pht('After a time, your efforts fail. You can not adjust your own '. 'status as an administrator.'), $xaction); } $is_admin = $actor->getIsAdmin(); $is_omnipotent = $actor->isOmnipotent(); if (!$is_admin && !$is_omnipotent) { $errors[] = $this->newInvalidError( pht('You must be an administrator to create administrators.'), $xaction); } } return $errors; } public function getTitle() { $new = $this->getNewValue(); if ($new) { return pht( '%s empowered this user as an administrator.', $this->renderAuthor()); } else { return pht( '%s defrocked this user.', $this->renderAuthor()); } } public function getTitleForFeed() { $new = $this->getNewValue(); if ($new) { return pht( '%s empowered %s as an administrator.', $this->renderAuthor(), $this->renderObject()); } else { return pht( '%s defrocked %s.', $this->renderAuthor(), $this->renderObject()); } } public function getRequiredCapabilities( $object, PhabricatorApplicationTransaction $xaction) { // Unlike normal user edits, admin promotions require admin // permissions, which is enforced by validateTransactions(). return null; } + + public function shouldTryMFA( + $object, + PhabricatorApplicationTransaction $xaction) { + return true; + } + }
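Review bot: The new `shouldTryMFA()` override has no comment, although after this change it is the only place that makes granting or revoking administrator rights require a second factor, since the controller no longer calls `requireHighSecuritySession()` itself; I would add `// Granting or revoking administrator rights is a privilege escalation; always challenge for MFA here, since the controller no longer requires a high-security session on its own.` above the method. Its unconditional `return true` also covers transactions whose old and new value are equal, which `validateTransactions()` treats as a no-op, so a user may be challenged for a change that applies nothing unless the editor filters no-effect transactions before the MFA check, which is not visible here. If, as the name suggests, "try" means the challenge is only issued to actors who have a factor enrolled, an administrator without MFA is never challenged, so it is worth confirming this matches the previous high-security-session behavior rather than weakening it. The class header and the start of `generateOldValue()` are truncated at the top of this hunk.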