diff --git a/internal/data/user.go b/internal/data/user.go index b57c5bf8..ba5bf9a8 100644 --- a/internal/data/user.go +++ b/internal/data/user.go @@ -3,7 +3,6 @@ package data import ( "errors" "image" - "time" "github.com/go-rat/utils/hash" "github.com/leonelquinteros/gotext" @@ -145,7 +144,7 @@ func (r *userRepo) GenerateTwoFA(id uint) (image.Image, string, string, error) { Issuer: "RatPanel", AccountName: cast.ToString(id), SecretSize: 32, - Algorithm: otp.AlgorithmSHA256, + Algorithm: otp.AlgorithmSHA1, }) if err != nil { return nil, "", "", err @@ -167,11 +166,7 @@ func (r *userRepo) UpdateTwoFA(id uint, code, secret string) error { // 保存前先验证一次,防止错误开启 if secret != "" { - if valid, _ := totp.ValidateCustom(code, secret, time.Now().UTC(), totp.ValidateOpts{ - Skew: 1, - Digits: otp.DigitsSix, - Algorithm: otp.AlgorithmSHA256, - }); !valid { + if valid := totp.Validate(code, secret); !valid { return errors.New(r.t.Get("invalid 2FA code")) } } @@ -190,11 +185,7 @@ func (r *userRepo) CheckTwoFA(id uint, code string) (bool, error) { return true, nil // 未开启2FA,无需验证 } - if valid, _ := totp.ValidateCustom(code, user.TwoFA, time.Now().UTC(), totp.ValidateOpts{ - Skew: 1, - Digits: otp.DigitsSix, - Algorithm: otp.AlgorithmSHA256, - }); !valid { + if valid := totp.Validate(code, user.TwoFA); !valid { return false, errors.New(r.t.Get("invalid 2FA code")) } diff --git a/internal/service/user.go b/internal/service/user.go index 875d379b..0ed07510 100644 --- a/internal/service/user.go +++ b/internal/service/user.go @@ -11,13 +11,11 @@ import ( "net" "net/http" "strings" - "time" "github.com/go-rat/chix" "github.com/go-rat/sessions" "github.com/knadh/koanf/v2" "github.com/leonelquinteros/gotext" - "github.com/pquerna/otp" "github.com/pquerna/otp/totp" "github.com/spf13/cast" 
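Review bot: The switch to `otp.AlgorithmSHA1` on the `Algorithm:` line of GenerateTwoFA is undocumented, and a later reader will likely read it as a downgrade and flip it back — which would silently break validation, because the `totp.Validate` calls elsewhere in this commit assume the library's SHA1 / 6-digit / 30 s defaults. HMAC-SHA1 is the RFC 6238 default and SHA-1's collision weakness does not affect its use inside HMAC, so the choice itself is sound; what matters is that it stays in sync with the validators. Suggest a comment on that line: `// SHA1 is what totp.Validate assumes (RFC 6238 default); keep in sync with UpdateTwoFA, CheckTwoFA and Login.` The generate options also leave Period and Digits at their defaults, which is only correct while the validators keep using the defaults too. GenerateTwoFA starts before this hunk and continues after it.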
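Review bot: The verification inside `if secret != "" {` in UpdateTwoFA only runs when enabling 2FA, so a call with an empty secret disables it without presenting a code; if the rest of UpdateTwoFA (outside the hunk) persists that, anyone holding a live session can strip the second factor before doing anything sensitive. Consider requiring a valid code against the currently stored secret on the disable path too — load the user and run `totp.Validate(code, user.TwoFA)` before clearing it — or re-verify the password at the service layer. The comment above the check should also state that `totp.Validate` fixes the parameters and must match enrollment, e.g. `// totp.Validate assumes the SHA1 / 6-digit / 30s defaults GenerateTwoFA uses`. UpdateTwoFA begins before this hunk and continues past it.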
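Review bot: `totp.Validate(code, user.TwoFA)` in CheckTwoFA now verifies stored secrets with HMAC-SHA1, but any secret enrolled by the previous build was verified with SHA256 against the same `user.TwoFA` field, so after upgrade those users' codes are rejected and they are locked out unless 2FA is re-enrolled. If any deployment has enrolled users, either ship a migration that clears or re-enrolls `TwoFA`, or keep a transition fallback that retries with `totp.ValidateCustom(..., totp.ValidateOpts{Skew: 1, Digits: otp.DigitsSix, Algorithm: otp.AlgorithmSHA256})` when the SHA1 check fails (that would need the removed `time` import back). A one-line comment recording which algorithm the stored secret is bound to would stop the next reader from re-introducing the mismatch. CheckTwoFA starts before this hunk and continues after it.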
@@ -94,11 +92,7 @@ func (s *UserService) Login(w http.ResponseWriter, r *http.Request) { } if user.TwoFA != "" { - if valid, _ := totp.ValidateCustom(req.PassCode, user.TwoFA, time.Now().UTC(), totp.ValidateOpts{ - Skew: 1, - Digits: otp.DigitsSix, - Algorithm: otp.AlgorithmSHA256, - }); !valid { + if valid := totp.Validate(req.PassCode, user.TwoFA); !valid { Error(w, http.StatusForbidden, s.t.Get("invalid 2FA code")) return }
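Review bot: After `totp.Validate(req.PassCode, user.TwoFA)` succeeds, nothing in the hunk records the accepted code or time step, so within the library's default skew (±1 step, roughly 90 s of validity) a captured code can be replayed to log in again; RFC 6238 §5.2 requires rejecting a second use of an accepted OTP. If this is not handled outside the hunk, persist the last accepted time step per user (e.g. `time.Now().Unix() / 30`, which needs the `time` import this commit removed) and reject any code whose step is not greater than it. Separately, a six-digit code with a three-step window is brute-forceable without throttling, so confirm the login endpoint's rate limit or lockout counts 2FA failures and not only password failures. Login continues past the end of this hunk.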