diff --git a/internal/service/user.go b/internal/service/user.go
index 3eac15e8..875d379b 100644
--- a/internal/service/user.go
+++ b/internal/service/user.go
@@ -11,11 +11,13 @@ import (
 	"net"
 	"net/http"
 	"strings"
+	"time"
 
 	"github.com/go-rat/chix"
 	"github.com/go-rat/sessions"
 	"github.com/knadh/koanf/v2"
 	"github.com/leonelquinteros/gotext"
+	"github.com/pquerna/otp"
 	"github.com/pquerna/otp/totp"
 	"github.com/spf13/cast"
 
@@ -92,7 +94,11 @@ func (s *UserService) Login(w http.ResponseWriter, r *http.Request) {
 	}
 
 	if user.TwoFA != "" {
-		if !totp.Validate(req.PassCode, user.TwoFA) {
+		if valid, _ := totp.ValidateCustom(req.PassCode, user.TwoFA, time.Now().UTC(), totp.ValidateOpts{
+			Skew: 1,
+			Digits: otp.DigitsSix,
+			Algorithm: otp.AlgorithmSHA256,
+		}); !valid {
 			Error(w, http.StatusForbidden, s.t.Get("invalid 2FA code"))
 			return
 		}
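Review bot: Pinning `Algorithm: otp.AlgorithmSHA256` in the new ValidateOpts changes which codes are accepted for every existing `user.TwoFA` secret, because the replaced `totp.Validate` verifies with SHA1; unless the enrollment path (not visible here) provisions secrets with `algorithm=SHA256` — and the user's authenticator honours that parameter, which several popular apps are known to ignore in favour of SHA1 — already-enrolled users will be locked out with "invalid 2FA code", so either make the algorithm part of the stored enrollment or keep SHA1 for legacy secrets. The discarded error from `ValidateCustom` (`valid, _ :=`) also hides a malformed or undecodable stored secret behind that same user-facing message; capture it as `valid, err := totp.ValidateCustom(...)` and log it through the service's logger, or leave a comment stating why it is intentionally dropped. A code that passes this check is still accepted again for the rest of its time step (plus the skew window), so persisting the last accepted counter per user and rejecting reuse would close the replay gap; `time.Now().UTC()` is harmless but redundant since the library computes on Unix time. Login's body begins and ends outside this hunk.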