diff --git a/src/api2/access/mod.rs b/src/api2/access/mod.rs
index d77b2e97..01736269 100644
--- a/src/api2/access/mod.rs
+++ b/src/api2/access/mod.rs
@@ -106,7 +106,9 @@ fn authenticate_user(
     }
 
     #[allow(clippy::let_unit_value)]
-    let _: () = crate::auth::authenticate_user(userid, password)?;
+    {
+        let _: () = crate::auth::authenticate_user(userid, password)?;
+    }
 
     Ok(match crate::config::tfa::login_challenge(userid)? {
         None => AuthResult::CreateTicket,
@@ -124,7 +126,9 @@ fn authenticate_2nd(
         .require_partial()?;
 
     #[allow(clippy::let_unit_value)]
-    let _: () = crate::config::tfa::verify_challenge(userid, &challenge, response.parse()?)?;
+    {
+        let _: () = crate::config::tfa::verify_challenge(userid, &challenge, response.parse()?)?;
+    }
 
     Ok(AuthResult::CreateTicket)
 }
diff --git a/src/api2/access/tfa.rs b/src/api2/access/tfa.rs
index ca77b756..7e6d028a 100644
--- a/src/api2/access/tfa.rs
+++ b/src/api2/access/tfa.rs
@@ -30,8 +30,10 @@ fn tfa_update_auth(
     if authid.user() != Userid::root_userid() {
         let password = password.ok_or_else(|| http_err!(UNAUTHORIZED, "missing password"))?;
         #[allow(clippy::let_unit_value)]
-        let _: () = crate::auth::authenticate_user(authid.user(), &password)
-            .map_err(|err| http_err!(UNAUTHORIZED, "{}", err))?;
+        {
+            let _: () = crate::auth::authenticate_user(authid.user(), &password)
+                .map_err(|err| http_err!(UNAUTHORIZED, "{}", err))?;
+        }
     }
 
     // After authentication, verify that the to-be-modified user actually exists: