diff --git a/factor/email/email.php b/factor/email/email.php
index 5ee788b6..eb12a6aa 100644
--- a/factor/email/email.php
+++ b/factor/email/email.php
@@ -44,6 +44,9 @@
 // If pass is set, require login to force $SESSION and user, and pass for that session.
 if (!empty($instance) && $pass != 0 && $secret != 0) {
 require_login();
+ if ((int)$instance->userid !== (int)$USER->id) {
+ throw new moodle_exception('error:parameters', 'factor_email');
+ }
 if ($factor->get_state() === \tool_mfa\plugininfo\factor::STATE_LOCKED) {
 // Redirect through to auth, this will bounce them to the next factor.
 redirect(new moodle_url('/admin/tool/mfa/auth.php'));
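Review bot: The ownership check added after `require_login()` is only reached when `$pass != 0 && $secret != 0`, so any use of `$instance` on the other path of this script (outside the hunk, not visible here) would still run without it. If that path changes or revokes the factor, it needs the same comparison, or the check should move to where `$instance` is loaded. A short comment would record why the guard exists, e.g. `// The factor instance must belong to the logged-in user; reject links that reference another user's instance.`. A mismatch means an authenticated user presented an instance id that is not theirs, which is worth writing to the site log before the throw so it can be detected. The enclosing `if` block continues past the end of the hunk.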