diff --git a/tests/app/main/views/__init__.py b/tests/app/main/views/__init__.py
index e69de29bb..b1fbeaa07 100644
--- a/tests/app/main/views/__init__.py
+++ b/tests/app/main/views/__init__.py
@@ -0,0 +1,16 @@
+from datetime import datetime
+
+from app.main.dao import users_dao
+from app.models import User
+
+
+def create_test_user():
+    user = User(name='Test User',
+                password='somepassword',
+                email_address='test@user.gov.uk',
+                mobile_number='+441234123412',
+                created_at=datetime.now(),
+                role_id=1,
+                state='pending')
+    users_dao.insert_user(user)
+    return user
diff --git a/tests/app/main/views/test_two_factor.py b/tests/app/main/views/test_two_factor.py
index 4e976d63d..1d00d27c3 100644
--- a/tests/app/main/views/test_two_factor.py
+++ b/tests/app/main/views/test_two_factor.py
@@ -1,8 +1,5 @@
-from datetime import datetime
-
-from app.main.dao import users_dao
 from app.main.encryption import hashpw
-from app.models import User
+from tests.app.main.views import create_test_user
 
 
 def test_should_render_two_factor_page(notifications_admin, notifications_admin_db):
@@ -14,7 +11,7 @@ def test_should_render_two_factor_page(notifications_admin, notifications_admin_
 def test_should_login_user_and_redirect_to_dashboard(notifications_admin, notifications_admin_db):
     with notifications_admin.test_client() as client:
         with client.session_transaction() as session:
-            user = _create_test_user()
+            user = create_test_user()
             session['user_id'] = user.id
             session['sms_code'] = hashpw('12345')
         response = client.post('/two-factor',
@@ -27,7 +24,7 @@ def test_should_login_user_and_redirect_to_dashboard(notifications_admin, notifi
 def test_should_return_400_with_sms_code_error_when_sms_code_is_wrong(notifications_admin, notifications_admin_db):
     with notifications_admin.test_client() as client:
         with client.session_transaction() as session:
-            user = _create_test_user()
+            user = create_test_user()
             session['user_id'] = user.id
             session['sms_code'] = hashpw('12345')
         response = client.post('/two-factor',
@@ -37,13 +34,13 @@ def test_should_return_400_with_sms_code_error_when_sms_code_is_wrong(notificati
         assert 'Code does not match' in response.get_data(as_text=True)
 
 
-def _create_test_user():
-    user = User(name='Test User',
-                password='somepassword',
-                email_address='test@user.gov.uk',
-                mobile_number='+441234123412',
-                created_at=datetime.now(),
-                role_id=1,
-                state='pending')
-    users_dao.insert_user(user)
-    return user
+def test_should_return_400_when_sms_code_is_empty(notifications_admin, notifications_admin_db):
+    with notifications_admin.test_client() as client:
+        with client.session_transaction() as session:
+            user = create_test_user()
+            session['user_id'] = user.id
+            session['sms_code'] = hashpw('12345')
+        response = client.post('/two-factor')
+        assert response.status_code == 400
+        assert 'sms_code' in response.get_data(as_text=True)
+        assert 'Please enter your code' in response.get_data(as_text=True)