diff --git a/src/PVE/API2/AccessControl.pm b/src/PVE/API2/AccessControl.pm
index 74b3910..c55a7b3 100644
--- a/src/PVE/API2/AccessControl.pm
+++ b/src/PVE/API2/AccessControl.pm
@@ -344,6 +344,7 @@ __PACKAGE__->register_method ({
 minLength => 5,
 maxLength => 64,
 },
+ 'confirmation-password' => $PVE::API2::TFA::OPTIONAL_PASSWORD_SCHEMA,
 }
 },
 returns => { type => "null" },
@@ -353,9 +354,12 @@ __PACKAGE__->register_method ({
 my $rpcenv = PVE::RPCEnvironment::get();
 my $authuser = $rpcenv->get_user();
- my ($userid, $ruid, $realm) = PVE::AccessControl::verify_username($param->{userid});
-
- $rpcenv->check_user_exist($userid);
+ my ($userid, $ruid, $realm) = $rpcenv->reauth_user_for_user_modification(
+ $authuser,
+ $param->{userid},
+ $param->{'confirmation-password'},
+ 'confirmation-password',
+ );
 if ($authuser eq 'root@pam') {
 # OK - root can change anything
diff --git a/src/PVE/API2/TFA.pm b/src/PVE/API2/TFA.pm
index 50ab925..62ddd95 100644
--- a/src/PVE/API2/TFA.pm
+++ b/src/PVE/API2/TFA.pm
@@ -18,8 +18,8 @@ use PVE::RESTHandler;
 use base qw(PVE::RESTHandler);
-my $OPTIONAL_PASSWORD_SCHEMA = {
- description => "The current password.",
+our $OPTIONAL_PASSWORD_SCHEMA = {
+ description => "The current password of the user performing the change.",
 type => 'string',
 optional => 1, # Only required if not root@pam
 minLength => 5,
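Review bot: The new `'confirmation-password'` entry in the first AccessControl.pm hunk reads `$PVE::API2::TFA::OPTIONAL_PASSWORD_SCHEMA` while the `register_method` call is evaluated at module load, and nothing visible here shows that `PVE::API2::TFA` has been loaded by then. A fully qualified package variable that has not been assigned yet is simply undef, even under strict, so the parameter would silently lose its schema rather than fail loudly. If the file does not already have it outside the hunk, add `use PVE::API2::TFA;` next to the other imports. A comment on the new line such as `# shared with PVE::API2::TFA; password of the caller, not of the target user` would also help, since the endpoint's other password parameter means something different. The `register_method` call starts and ends outside the hunk.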
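Review bot: In the second AccessControl.pm hunk, `reauth_user_for_user_modification` now stands in for both `verify_username` and `check_user_exist`, but its body is not part of this diff, so the call site cannot show that those checks still run or that a missing `confirmation-password` is refused for every caller except root@pam. Because the schema marks the parameter optional, the helper is the only place the re-authentication is enforced; it needs to fail closed, and presumably failed confirmations should be treated like failed logins (confirm against the helper). I would add a comment above the call: `# verifies $authuser's own password (skipped only for root@pam), then validates userid and checks that the user exists`. The handler body begins before and continues after the hunk.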
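Review bot: Reusing this schema for the password-change endpoint applies `minLength => 5` to the caller's current password before any authentication is attempted. A caller whose existing password is shorter than five characters (possible, presumably, where the realm's password policy is managed outside PVE) would get a parameter error and be unable to change it. A lower bound on a confirmation value seems to add little beyond what the authentication check decides, so consider `minLength => 1,` or dropping the key from the shared schema. Separately, `our` exposes a mutable hash to every package, and a comment such as `# shared by other API modules; treat as read-only` above the declaration would make that explicit. The hash definition continues past the end of the hunk.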