Only create the opt_secret once. If created leave alone.

app/controllers/mfas_controller.rb

@@ -2,8 +2,10 @@ class MfasController < ApplicationController
     def new
         issuer = "Hidden Agenda Email"
         label = "#{issuer}:#{current_user.email}"
-        current_user.otp_secret = User.generate_otp_secret
+        if current_user.otp_secret.to_s.length == 0
-        current_user.save!
+            current_user.otp_secret = User.generate_otp_secret
+            current_user.save!
+        end
 
         qrcode = RQRCode::QRCode.new([{ data: current_user.otp_provisioning_uri(label, issuer: issuer), mode: :byte_8bit }])