diff --git a/app/controllers/users/two_factor_authentication_controller.rb b/app/controllers/users/two_factor_authentication_controller.rb
index 80c7164a168..623567aa4a1 100644
--- a/app/controllers/users/two_factor_authentication_controller.rb
+++ b/app/controllers/users/two_factor_authentication_controller.rb
@@ -5,12 +5,12 @@ class TwoFactorAuthenticationController < ApplicationController
     before_action :check_remember_device_preference
 
     def show
-      if current_user.totp_enabled?
+      if current_user.piv_cac_enabled?
+        redirect_to login_two_factor_piv_cac_url
+      elsif current_user.totp_enabled?
         redirect_to login_two_factor_authenticator_url
       elsif current_user.phone_enabled?
         validate_otp_delivery_preference_and_send_code
-      elsif current_user.piv_cac_enabled?
-        redirect_to login_two_factor_piv_cac_url
       else
         redirect_to two_factor_options_url
       end
diff --git a/spec/features/two_factor_authentication/sign_in_spec.rb b/spec/features/two_factor_authentication/sign_in_spec.rb
index c739411d34d..a64547a6e0e 100644
--- a/spec/features/two_factor_authentication/sign_in_spec.rb
+++ b/spec/features/two_factor_authentication/sign_in_spec.rb
@@ -444,8 +444,6 @@ def submit_prefilled_otp_code
       user = user_with_piv_cac
       sign_in_before_2fa(user)
 
-      click_link t('devise.two_factor_authentication.piv_cac_fallback.link')
-
       expect(current_path).to eq login_two_factor_piv_cac_path
 
       expect(page).not_to have_link(t('links.two_factor_authentication.app'))
@@ -465,8 +463,6 @@ def submit_prefilled_otp_code
       user = create(:user, :signed_up, :with_piv_or_cac, otp_secret_key: 'foo')
       sign_in_before_2fa(user)
 
-      click_link t('devise.two_factor_authentication.piv_cac_fallback.link')
-
       expect(current_path).to eq login_two_factor_piv_cac_path
 
       click_link t('links.two_factor_authentication.app')
@@ -477,7 +473,6 @@ def submit_prefilled_otp_code
     scenario 'user can cancel PIV/CAC process' do
       user = create(:user, :signed_up, :with_piv_or_cac)
       sign_in_before_2fa(user)
-      click_link t('devise.two_factor_authentication.piv_cac_fallback.link')
 
       expect(current_path).to eq login_two_factor_piv_cac_path
       click_link t('links.cancel')