diff --git a/backend/internal/2fa.js b/backend/internal/2fa.js
index 4251520c..43307e02 100644
--- a/backend/internal/2fa.js
+++ b/backend/internal/2fa.js
@@ -161,9 +161,12 @@ const internal2fa = {
 }
 const result = await verify({
- token: code,
- secret: auth.meta.totp_secret,
- });
+ token: code,
+ secret: auth.meta.totp_secret,
+ guardrails: createGuardrails({
+ MIN_SECRET_BYTES: 10,
+ }),
+ });
 if (!result.valid) {
 throw new errs.AuthError("Invalid verification code");
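Review bot: The `MIN_SECRET_BYTES: 10` floor passed to `verify` accepts 80-bit TOTP secrets, which is under the 128-bit minimum RFC 4226 requires for the shared secret, and nothing at the call site says why the lower bound is acceptable. If it is there so that already-enrolled short secrets keep verifying (an inference; the enrolment code is not in this hunk), say so in a comment such as `// 10 bytes: keep verifying legacy 80-bit secrets; newly generated secrets must be >= 20 bytes`, and check that the secret-generation path does not use the same relaxed floor. Building the guardrails once at module scope, e.g. `const LEGACY_TOTP_GUARDRAILS = createGuardrails({ MIN_SECRET_BYTES: 10 });`, would also keep any other `verify` call in this file on the same policy. The enclosing method starts and ends outside the hunk, so whether a guardrail rejection surfaces as `AuthError` or as an unhandled exception cannot be judged from here.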