diff --git a/internal/api/mfa.go b/internal/api/mfa.go
index 7f1eef3bc..d6158e964 100644
--- a/internal/api/mfa.go
+++ b/internal/api/mfa.go
@@ -71,6 +71,9 @@ const (
 )
 
 func validateFactors(db *storage.Connection, user *models.User, newFactorName string, config *conf.GlobalConfiguration, session *models.Session) error {
+ if err := models.DeleteExpiredFactors(db, config.MFA.FactorExpiryDuration); err != nil {
+ return err
+ }
 if err := db.Load(user, "Factors"); err != nil {
 return err
 }
@@ -106,7 +109,6 @@ func validateFactors(db *storage.Connection, user *models.User, newFactorName st
 
 func (a *API) enrollPhoneFactor(w http.ResponseWriter, r *http.Request, params *EnrollFactorParams) error {
 ctx := r.Context()
- config := a.config
 user := getUser(ctx)
 session := getSession(ctx)
 db := a.db.WithContext(ctx)
@@ -118,9 +120,6 @@ func (a *API) enrollPhoneFactor(w http.ResponseWriter, r *http.Request, params *
 if err != nil {
 return badRequestError(ErrorCodeValidationFailed, "Invalid phone number format (E.164 required)")
 }
- if err := models.DeleteExpiredFactors(db, config.MFA.FactorExpiryDuration); err != nil {
- return err
- }
 
 var factorsToDelete []models.Factor
 for _, factor := range user.Factors {
@@ -185,10 +184,6 @@ func (a *API) enrollTOTPFactor(w http.ResponseWriter, r *http.Request, params *E
 issuer = params.Issuer
 }
 
- if err := models.DeleteExpiredFactors(db, config.MFA.FactorExpiryDuration); err != nil {
- return err
- }
-
 if err := validateFactors(db, user, params.FriendlyName, config, session); err != nil {
 return err
 }
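Review bot: validateFactors now deletes rows before it validates anything, and neither its name nor its signature tells a caller that; the call added at the top of the function (first hunk) passes only `db` and the expiry duration, so it presumably purges expired factors for all users rather than just `user`, which is worth confirming in models. A doc comment such as `// validateFactors first purges expired factors via models.DeleteExpiredFactors, then reloads user.Factors and runs the remaining checks.` would make the side effect explicit. The third hunk also drops the purge that used to run in enrollPhoneFactor before its `for _, factor := range user.Factors` loop, and the second hunk removes `config` there; the call to validateFactors on the phone path is not in the visible lines, so confirm it is still reached and whether the loop can now iterate over expired factors. The body of validateFactors continues outside the hunk.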