diff --git a/app/main/views/two_factor.py b/app/main/views/two_factor.py
index 1d8ccab2f..89c243925 100644
--- a/app/main/views/two_factor.py
+++ b/app/main/views/two_factor.py
@@ -29,9 +29,7 @@ def two_factor():
             services = service_api_client.get_active_services({'user_id': str(user_id)}).get('data', [])
             # Check if coming from new password page
             if 'password' in session['user_details']:
-                user.set_password(session['user_details']['password'])
-                user.reset_failed_login_count()
-                user_api_client.update_user(user)
+                user_api_client.update_password(user.id, password=session['user_details']['password'])
             if user.is_locked():
                 form.sms_code.errors.append('Code not found')
                 return render_template('views/two-factor.html', form=form)
diff --git a/tests/app/main/views/test_two_factor.py b/tests/app/main/views/test_two_factor.py
index 4eeb3a1c4..6f700cda7 100644
--- a/tests/app/main/views/test_two_factor.py
+++ b/tests/app/main/views/test_two_factor.py
@@ -164,7 +164,7 @@ def test_two_factor_should_set_password_when_new_password_exists_in_session(
     mock_get_user,
     mock_check_verify_code,
     mock_get_services_with_one_service,
-    mock_update_user,
+    mock_update_user_password,
 ):
     with client.session_transaction() as session:
         session['user_details'] = {
@@ -180,36 +180,7 @@ def test_two_factor_should_set_password_when_new_password_exists_in_session(
         service_id=SERVICE_ONE_ID,
         _external=True
     )
-    api_user_active.password = 'changedpassword'
-    mock_update_user.assert_called_once_with(api_user_active)
-
-
-def test_two_factor_reset_login_count_called(
-    client,
-    api_user_locked,
-    mock_get_locked_user,
-    mock_update_user,
-    mock_check_verify_code,
-    mock_get_services_with_one_service,
-):
-    with client.session_transaction() as session:
-        new_password = "1234567890"
-        session['user_details'] = {
-            'id': api_user_locked.id,
-            'email': api_user_locked.email_address,
-            'password': new_password
-        }
-    response = client.post(url_for('main.two_factor'),
-                           data={'sms_code': '12345'})
-    assert response.status_code == 302
-    assert response.location == url_for(
-        'main.service_dashboard',
-        service_id=SERVICE_ONE_ID,
-        _external=True
-    )
-    api_user_locked.reset_failed_login_count()
-    api_user_locked.password = new_password
-    mock_update_user.assert_called_once_with(api_user_locked)
+    mock_update_user_password.assert_called_once_with(api_user_active.id, password='changedpassword')
 
 
 def test_two_factor_returns_error_when_user_is_locked(