diff --git a/src/middleware/auth.ts b/src/middleware/auth.ts
index 11708cae8..22f9a2fd6 100644
--- a/src/middleware/auth.ts
+++ b/src/middleware/auth.ts
@@ -42,18 +42,26 @@ export const authenticationGate = (
 return next();
 }
- const { authUserSecurityKeys } = await gqlSdk.getUserSecurityKeys({
- id: auth.userId,
- });
-
- if (authUserSecurityKeys.length === 0 && ENV.AUTH_REQUIRE_ELEVATED_CLAIM === 'recommended') {
- return next();
- }
-
- if (authUserSecurityKeys.length === 0 && bypassIfNoKeys) {
- return next();
+ if (await failsElevatedCheck(auth.userId, bypassIfNoKeys)) {
+ return sendError(res, 'elevated-claim-required');
 }
- return sendError(res, 'elevated-claim-required');
+ return next();
 };
 }
+
+export const failsElevatedCheck = async (userId: string, bypassIfNoKeys = false) => {
+ const response = await gqlSdk.getUserSecurityKeys({
+ id: userId,
+ });
+
+ if (response.authUserSecurityKeys.length === 0 && ENV.AUTH_REQUIRE_ELEVATED_CLAIM === 'recommended') {
+ return false;
+ }
+
+ if (response.authUserSecurityKeys.length === 0 && bypassIfNoKeys) {
+ return false;
+ }
+
+ return true;
+};
diff --git a/src/routes/user/index.ts b/src/routes/user/index.ts
index 7f8cbd3ae..3054d0913 100644
--- a/src/routes/user/index.ts
+++ b/src/routes/user/index.ts
@@ -71,7 +71,7 @@ router.post(
 router.post(
 '/user/password',
 bodyValidator(userPasswordSchema),
- authenticationGate(true, false, (req) => req.body.ticket !== undefined),
+ // authenticationGate(true, false, (req) => req.body.ticket !== undefined), // this is done in the handler because the handler has an auhtenticated and unauthenticated mode.............
 aw(userPasswordHandler)
 );
diff --git a/src/routes/user/password.ts b/src/routes/user/password.ts
index 661257325..dd4cb04d4 100644
--- a/src/routes/user/password.ts
+++ b/src/routes/user/password.ts
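Review bot: The contract of the newly exported `failsElevatedCheck` is undocumented and easy to misread: its `return true;` fallthrough fires purely because the user has security keys registered, and the helper never inspects whether the request itself already carries an elevated claim, nor any value of `ENV.AUTH_REQUIRE_ELEVATED_CLAIM` other than `'recommended'`. Inside `authenticationGate` that seems to be acceptable because the `return next();` context at the top of the hunk presumably short-circuits earlier (the enclosing function starts before the hunk, so I cannot confirm what it checks), but a direct caller such as the one added in `src/routes/user/password.ts` gets none of that. A TSDoc header should say so explicitly, e.g. `/** True when the user has registered security keys and is therefore subject to the elevated-claim requirement; a key-less user is let through under 'recommended' mode or bypassIfNoKeys. Does NOT inspect the request's claim or the other ENV modes: callers must do that first. */`. Since it is exported, also annotate the return type: `export const failsElevatedCheck = async (userId: string, bypassIfNoKeys = false): Promise<boolean> => {`.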
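Review bot: The replacement line in `src/routes/user/index.ts` leaves dead code behind: the old `authenticationGate(...)` call is kept as a comment, with a typo ("auhtenticated") and a run of trailing dots, instead of being deleted and replaced by a comment that states the new arrangement. Removing the gate also means this route now has no middleware-level authentication at all, so the handler's own `unauthenticated-user` check (visible in the `password.ts` hunk) is the only thing protecting the authenticated mode; the comment should make that responsibility explicit. Suggested replacement for the commented-out line: `// No authenticationGate here: /user/password serves both a ticket-based (unauthenticated) and an authenticated mode, so userPasswordHandler enforces authentication and the elevated claim itself.` The removed gate call passed `(true, false, …)`; whichever of those positions corresponded to `bypassIfNoKeys`, the new helper call in the handler relies on the default `false`, so please confirm that the behaviour for users without keys is still the intended one.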
@@ -1,6 +1,8 @@
 import { RequestHandler } from 'express';
 import { ReasonPhrases } from 'http-status-codes';
+import { failsElevatedCheck } from '@/middleware/auth';
+
 import { gqlSdk, hashPassword, getUserByTicket } from '@/utils';
 import { sendError } from '@/errors';
 import { Joi, password } from '@/validation';
@@ -27,6 +29,11 @@ export const userPasswordHandler: RequestHandler<
 if (!req.auth?.userId) {
 return sendError(res, 'unauthenticated-user');
 }
+
+ if (await failsElevatedCheck(req.auth?.userId)) {
+ return sendError(res, 'elevated-claim-required');
+ }
+
 user = (await gqlSdk.user({ id: req.auth?.userId })).user;
 }
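Review bot: The new `if (await failsElevatedCheck(req.auth?.userId))` in `userPasswordHandler` passes only the user id, and nothing on this path checks whether the request already presents an elevated claim, so every user who has registered security keys appears to be rejected with `elevated-claim-required` even when they supply the claim — a lock-out of exactly the users the feature is meant to protect. In the `auth.ts` hunk the helper itself only looks at the key count and the `'recommended'` mode; the elevated-claim short-circuit the removed middleware relied on sits above that hunk, so I am inferring it from the `return next();` context rather than reading it. Either guard this call with the same claim / mode short-circuit the middleware applies (whatever it reads from `req.auth`), or move that check into `failsElevatedCheck` so both callers share one decision; the body of `userPasswordHandler` continues outside the hunk. Minor: after the `if (!req.auth?.userId)` guard, `req.auth.userId` is narrowed and the `?.` is redundant, though the existing `gqlSdk.user` line below uses the same form.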