diff --git a/lib/auth/srv_test.go b/lib/auth/srv_test.go
index 5e223114ebd8c..e44a2170a9ed8 100644
--- a/lib/auth/srv_test.go
+++ b/lib/auth/srv_test.go
@@ -232,12 +232,19 @@ func (s *APISuite) TestPasswordCRUD(c *C) {
 c.Assert(s.clt.CheckPassword("user1", pass, token2), IsNil)
 c.Assert(s.clt.CheckPassword("user1", pass, token1), NotNil)
- token3 := otp.OTP()
- token4 := otp.OTP()
- c.Assert(s.clt.CheckPassword("user1", pass, token4), NotNil)
- c.Assert(s.clt.CheckPassword("user1", pass, token3), IsNil)
+ _ = otp.OTP()
+ _ = otp.OTP()
+ _ = otp.OTP()
+ token6 := otp.OTP()
+ token7 := otp.OTP()
+ c.Assert(s.clt.CheckPassword("user1", pass, token7), NotNil)
+ c.Assert(s.clt.CheckPassword("user1", pass, token6), IsNil)
 c.Assert(s.clt.CheckPassword("user1", pass, "123456"), NotNil)
- c.Assert(s.clt.CheckPassword("user1", pass, token4), IsNil)
+ c.Assert(s.clt.CheckPassword("user1", pass, token7), IsNil)
+
+ _ = otp.OTP()
+ token9 := otp.OTP()
+ c.Assert(s.clt.CheckPassword("user1", pass, token9), IsNil)
 }
 func (s *APISuite) TestSessions(c *C) {
diff --git a/lib/services/test_suite.go b/lib/services/test_suite.go
index cb87b79f4f840..c4aac9ed61518 100644
--- a/lib/services/test_suite.go
+++ b/lib/services/test_suite.go
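Review bot: Nothing in the added assertions checks that a code the look-ahead has skipped over, or one already used, is refused afterwards: `token6` is never retried after `token7` succeeds, and the code generated just before `token9` is thrown away with `_ =`. Assuming a successful scan moves the stored counter past the matched code, I would keep that value as `token8 := otp.OTP()` and end the test with `c.Assert(s.clt.CheckPassword("user1", pass, token8), NotNil)`, so a regression that leaves older codes replayable is caught. A one-line comment such as `// skip ahead: token6 is the last code inside the look-ahead window, token7 the first outside it` would also explain the three discarded calls, which the assertions only imply. The same applies to the parallel hunk in lib/services/test_suite.go (there with `FitsTypeOf, &teleport.BadParameterError{}`); TestPasswordCRUD begins above the hunk.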
@@ -363,12 +363,20 @@ func (s *ServicesTestSuite) PasswordCRUD(c *C) {
 c.Assert(s.WebS.CheckPassword("user1", pass, token2), IsNil)
 c.Assert(s.WebS.CheckPassword("user1", pass, token1), FitsTypeOf, &teleport.BadParameterError{})
- token3 := otp.OTP()
- token4 := otp.OTP()
- c.Assert(s.WebS.CheckPassword("user1", pass, token4), FitsTypeOf, &teleport.BadParameterError{})
- c.Assert(s.WebS.CheckPassword("user1", pass, token3), IsNil)
+ _ = otp.OTP()
+ _ = otp.OTP()
+ _ = otp.OTP()
+ token6 := otp.OTP()
+ token7 := otp.OTP()
+ c.Assert(s.WebS.CheckPassword("user1", pass, token7), FitsTypeOf, &teleport.BadParameterError{})
+ c.Assert(s.WebS.CheckPassword("user1", pass, token6), IsNil)
 c.Assert(s.WebS.CheckPassword("user1", pass, "123456"), FitsTypeOf, &teleport.BadParameterError{})
- c.Assert(s.WebS.CheckPassword("user1", pass, token4), IsNil)
+ c.Assert(s.WebS.CheckPassword("user1", pass, token7), IsNil)
+
+ _ = otp.OTP()
+ token9 := otp.OTP()
+ c.Assert(s.WebS.CheckPassword("user1", pass, token9), IsNil)
+
 }
 func (s *ServicesTestSuite) PasswordGarbage(c *C) {
diff --git a/lib/services/web.go b/lib/services/web.go
index 5a133a1421ed4..a334b2f8eece9 100644
--- a/lib/services/web.go
+++ b/lib/services/web.go
@@ -256,7 +256,7 @@ func (s *WebService) CheckPassword(user string, password []byte, hotpToken strin
 if err != nil {
 return trace.Wrap(err)
 }
- if !otp.Check(hotpToken) {
+ if !otp.Scan(hotpToken, 4) {
 return &teleport.BadParameterError{Err: "tokens do not match"}
 }
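Review bot: The look-ahead width is a bare `4` in `otp.Scan(hotpToken, 4)`, and the two test suites encode the same number only through how many codes they discard. A named constant with a comment, e.g. `const hotpLookAhead = 4 // counters scanned ahead to resynchronise a drifted token`, would keep the three places in step. Accepting any of several upcoming codes also raises the chance that a guessed code passes on a given attempt, so the comment should say what bounds the number of attempts against CheckPassword; no limiting is visible in this hunk. CheckPassword starts above and continues below the hunk, so whether the advanced counter is stored after a successful scan cannot be confirmed from here.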