diff --git a/api/models/profile/TwoFactorAuthForm.php b/api/models/profile/TwoFactorAuthForm.php
index 275ec97..1f2b47f 100644
--- a/api/models/profile/TwoFactorAuthForm.php
+++ b/api/models/profile/TwoFactorAuthForm.php
@@ -63,7 +63,7 @@ class TwoFactorAuthForm extends ApiForm {
 $provisioningUri = $this->getTotp()->getProvisioningUri();
 return [
- 'qr' => base64_encode($this->drawQrCode($provisioningUri)),
+ 'qr' => 'data:image/svg+xml,' . htmlspecialchars(trim($this->drawQrCode($provisioningUri))),
 'uri' => $provisioningUri,
 'secret' => $this->account->otp_secret,
 ];
diff --git a/tests/codeception/api/unit/models/profile/TwoFactorAuthFormTest.php b/tests/codeception/api/unit/models/profile/TwoFactorAuthFormTest.php
index 780652c..36435f1 100644
--- a/tests/codeception/api/unit/models/profile/TwoFactorAuthFormTest.php
+++ b/tests/codeception/api/unit/models/profile/TwoFactorAuthFormTest.php
@@ -35,7 +35,7 @@ class TwoFactorAuthFormTest extends TestCase {
 $model->expects($this->once())
 ->method('drawQrCode')
- ->willReturn('this is qr code, trust me');
+ ->willReturn('<_/>');
 $result = $model->getCredentials();
 $this->assertTrue(is_array($result));
@@ -44,7 +44,7 @@ class TwoFactorAuthFormTest extends TestCase {
 $this->assertArrayHasKey('secret', $result);
 $this->assertNotNull($account->otp_secret);
 $this->assertEquals($account->otp_secret, $result['secret']);
- $this->assertEquals(base64_encode('this is qr code, trust me'), $result['qr']);
+ $this->assertEquals('data:image/svg+xml,<_/>', $result['qr']);
 /** @var Account|\PHPUnit_Framework_MockObject_MockObject $account */
 $account = $this->getMockBuilder(Account::class)
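Review bot: `htmlspecialchars()` on the new `'qr'` line in `TwoFactorAuthForm.php` is HTML-entity escaping, not URL encoding, so the result is not a well-formed data URI: a `#` or `%` in the SVG (the `drawQrCode()` output is not visible here, but `#` is common in colour attributes) stays raw, and `#` would be parsed as the start of a fragment, while `<` and `"` become entities that only decode if the consumer parses the string as HTML. Escaping for one consumer's markup inside an API response also couples the value to that rendering path, and before PHP 8.1 the default flags leave single quotes unescaped, so it should not be treated as safe for attribute interpolation. I would encode for the URI and let the client escape for its own context: `'qr' => 'data:image/svg+xml,' . rawurlencode(trim($this->drawQrCode($provisioningUri))),`, or keep `base64_encode()` behind a `data:image/svg+xml;base64,` prefix. The enclosing method starts above the hunk.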
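Review bot: The new expectation `'data:image/svg+xml,<_/>'` in `TwoFactorAuthFormTest.php` does not match what the changed model line produces, because `htmlspecialchars('<_/>')` returns `&lt;_/&gt;`; unless that function is shadowed somewhere not shown, this assertion should fail as written. The `<_/>` fixture set in the `@@ -35,7` hunk also contains none of the characters the encoding has to handle (`#`, `%`, quotes, `&`, surrounding whitespace for `trim()`). A constructed fixture such as `->willReturn(" <svg fill='#000'/>\n");` with an assertion on the exact encoded string would pin the escaping behaviour. The test method starts and ends outside both hunks.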