diff --git a/app/main/views/two_factor.py b/app/main/views/two_factor.py
index 9ed4b45fd..12cdb7103 100644
--- a/app/main/views/two_factor.py
+++ b/app/main/views/two_factor.py
@@ -60,8 +60,8 @@ def two_factor_email(token):
     return log_in_user(user_id)
 
 
-@main.route('/two-factor-sms', methods=['GET', 'POST'])
 @main.route('/two-factor', methods=['GET', 'POST'])
+@main.route('/two-factor-sms', methods=['GET', 'POST'])
 @redirect_to_sign_in
 def two_factor_sms():
     user_id = session['user_details']['id']
diff --git a/tests/app/main/views/test_sign_in.py b/tests/app/main/views/test_sign_in.py
index 4dfeaf7fe..a96fa0ad5 100644
--- a/tests/app/main/views/test_sign_in.py
+++ b/tests/app/main/views/test_sign_in.py
@@ -130,8 +130,6 @@ def test_process_sms_auth_sign_in_return_2fa_template(
             'email_address': email_address,
             'password': password})
     assert response.status_code == 302
-    # TODO: remove this assert once we start defaulting to returning two_factor_sms first
-    assert '/two-factor-sms' not in response.location
     assert response.location == url_for('.two_factor_sms', next=redirect_url, _external=True)
     mock_verify_password.assert_called_with(api_user_active['id'], password)
     mock_get_user_by_email.assert_called_with('valid@example.gov.uk')