diff --git a/legacy/firmware/fsm_msg_common.h b/legacy/firmware/fsm_msg_common.h
index 8b396d1c8..fb9dec4ab 100644
--- a/legacy/firmware/fsm_msg_common.h
+++ b/legacy/firmware/fsm_msg_common.h
@@ -251,6 +251,8 @@ void fsm_msgWipeDevice(const WipeDevice *msg) {
 }
 
 void fsm_msgGetEntropy(const GetEntropy *msg) {
+  CHECK_PIN
+
 #if !DEBUG_RNG
   layoutDialogSwipe(&bmp_icon_question, _("Cancel"), _("Confirm"), NULL,
                     _("Do you really want to"), _("send entropy?"), NULL, NULL,
@@ -523,6 +525,8 @@ void fsm_msgWordAck(const WordAck *msg) {
 }
 
 void fsm_msgSetU2FCounter(const SetU2FCounter *msg) {
+  CHECK_PIN
+
   layoutDialogSwipe(&bmp_icon_question, _("Cancel"), _("Confirm"), NULL,
                     _("Do you want to set"), _("the U2F counter?"), NULL, NULL,
                     NULL, NULL);
@@ -537,6 +541,8 @@ void fsm_msgSetU2FCounter(const SetU2FCounter *msg) {
 }
 
 void fsm_msgGetNextU2FCounter() {
+  CHECK_PIN
+
   layoutDialogSwipe(&bmp_icon_question, _("Cancel"), _("Confirm"), NULL,
                     _("Do you want to"), _("increase and retrieve"),
                     _("the U2F counter?"), NULL, NULL, NULL);
diff --git a/legacy/firmware/fsm_msg_crypto.h b/legacy/firmware/fsm_msg_crypto.h
index bb6fe22e7..7904be01a 100644
--- a/legacy/firmware/fsm_msg_crypto.h
+++ b/legacy/firmware/fsm_msg_crypto.h
@@ -75,6 +75,8 @@ void fsm_msgSignIdentity(const SignIdentity *msg) {
 
   CHECK_INITIALIZED
 
+  CHECK_PIN
+
   layoutSignIdentity(&(msg->identity),
                      msg->has_challenge_visual ? msg->challenge_visual : 0);
   if (!protectButton(ButtonRequestType_ButtonRequest_ProtectCall, false)) {
@@ -83,8 +85,6 @@ void fsm_msgSignIdentity(const SignIdentity *msg) {
     return;
   }
 
-  CHECK_PIN
-
   uint8_t hash[32];
   if (cryptoIdentityFingerprint(&(msg->identity), hash) == 0) {
     fsm_sendFailure(FailureType_Failure_DataError, _("Invalid identity"));
@@ -179,6 +179,8 @@ void fsm_msgGetECDHSessionKey(const GetECDHSessionKey *msg) {
 
   CHECK_INITIALIZED
 
+  CHECK_PIN
+
   layoutDecryptIdentity(&msg->identity);
   if (!protectButton(ButtonRequestType_ButtonRequest_ProtectCall, false)) {
     fsm_sendFailure(FailureType_Failure_ActionCancelled, NULL);
@@ -186,8 +188,6 @@ void fsm_msgGetECDHSessionKey(const GetECDHSessionKey *msg) {
     return;
   }
 
-  CHECK_PIN
-
   uint8_t hash[32];
   if (cryptoIdentityFingerprint(&(msg->identity), hash) == 0) {
     fsm_sendFailure(FailureType_Failure_DataError, _("Invalid identity"));
@@ -258,6 +258,8 @@ void fsm_msgCosiCommit(const CosiCommit *msg) {
 
   CHECK_PARAM(msg->has_data, _("No data provided"));
 
+  CHECK_PIN
+
   if (!fsm_checkCosiPath(msg->address_n_count, msg->address_n)) {
     layoutHome();
     return;
@@ -271,8 +273,6 @@ void fsm_msgCosiCommit(const CosiCommit *msg) {
     return;
   }
 
-  CHECK_PIN
-
   const HDNode *node = fsm_getDerivedNode(ED25519_NAME, msg->address_n,
                                           msg->address_n_count, NULL);
   if (!node) return;
@@ -311,6 +311,8 @@ void fsm_msgCosiSign(const CosiSign *msg) {
     return;
   }
 
+  CHECK_PIN
+
   layoutCosiCommitSign(msg->address_n, msg->address_n_count, msg->data.bytes,
                        msg->data.size, true);
   if (!protectButton(ButtonRequestType_ButtonRequest_ProtectCall, false)) {
@@ -319,8 +321,6 @@ void fsm_msgCosiSign(const CosiSign *msg) {
     return;
   }
 
-  CHECK_PIN
-
   const HDNode *node = fsm_getDerivedNode(ED25519_NAME, msg->address_n,
                                           msg->address_n_count, NULL);
   if (!node) return;
diff --git a/legacy/firmware/fsm_msg_nem.h b/legacy/firmware/fsm_msg_nem.h
index c17b68a58..579ee50cb 100644
--- a/legacy/firmware/fsm_msg_nem.h
+++ b/legacy/firmware/fsm_msg_nem.h
@@ -333,6 +333,8 @@ void fsm_msgNEMDecryptMessage(NEMDecryptMessage *msg) {
   CHECK_PARAM(msg->has_public_key, _("No public key provided"));
   CHECK_PARAM(msg->public_key.size == 32, _("Invalid public key"));
 
+  CHECK_PIN
+
   char address[NEM_ADDRESS_SIZE + 1];
   nem_get_address(msg->public_key.bytes, msg->network, address);
 
@@ -344,13 +346,10 @@ void fsm_msgNEMDecryptMessage(NEMDecryptMessage *msg) {
     return;
   }
 
-  CHECK_PIN
-
   if (!fsm_nemCheckPath(msg->address_n_count, msg->address_n, msg->network)) {
     layoutHome();
     return;
   }
-
   const HDNode *node = fsm_getDerivedNode(ED25519_KECCAK_NAME, msg->address_n,
                                           msg->address_n_count, NULL);
   if (!node) return;
diff --git a/tests/device_tests/test_protection_levels.py b/tests/device_tests/test_protection_levels.py
index 9640859bf..e1ef5d2bf 100644
--- a/tests/device_tests/test_protection_levels.py
+++ b/tests/device_tests/test_protection_levels.py
@@ -158,21 +158,7 @@ def test_ping(client: Client):
         client.ping("msg", True)
 
 
-@pytest.mark.skip_t2
-def test_get_entropy_t1(client: Client):
-    _assert_protection(client)
-    with client:
-        client.set_expected_responses(
-            [
-                messages.ButtonRequest(code=B.ProtectCall),
-                messages.Entropy,
-            ]
-        )
-        misc.get_entropy(client, 10)
-
-
-@pytest.mark.skip_t1
-def test_get_entropy_t2(client: Client):
+def test_get_entropy(client: Client):
     _assert_protection(client)
     with client:
         client.use_pin_sequence([PIN4])