diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Engines/Default.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Engines/Default.pm
index d516ca46c..de5b8673a 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Engines/Default.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Engines/Default.pm
@@ -437,6 +437,12 @@ sub _choice {
         return $self->p->do( $req, [ sub { PE_TOKENEXPIRED } ] );
     }
+    unless ( $session->{_2fRealSession} ) {
+        $self->logger->error("Invalid 2FA session token");
+        $req->noLoginDisplay(1);
+        return $self->p->do( $req, [ sub { PE_ERROR } ] );
+    }
+
     $req->sessionInfo($session);
 
     # New token
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/SecondFactor.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/SecondFactor.pm
index d56200f5e..cb8da3519 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/SecondFactor.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/SecondFactor.pm
@@ -5,6 +5,7 @@ use Mouse;
 use Lemonldap::NG::Portal::Main::Constants qw(
   PE_SENDRESPONSE
   PE_OK
+  PE_ERROR
   PE_NOTOKEN
   PE_TOKENEXPIRED
   PE_BADCREDENTIALS
@@ -104,6 +105,11 @@ sub _verify {
         $req->noLoginDisplay(1);
         return $self->p->do( $req, [ sub { PE_TOKENEXPIRED } ] );
     }
+    unless ( $session->{_2fRealSession} ) {
+        $self->logger->error("Invalid 2FA session token");
+        $req->noLoginDisplay(1);
+        return $self->p->do( $req, [ sub { PE_ERROR } ] );
+    }
 
     # Launch second factor verification
     my $res = $self->verify( $req, $session );
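Review bot: The new guard in `_choice` is an undocumented security boundary — nothing explains what `_2fRealSession` marks or why a token lacking it must be refused, and the same five lines are repeated verbatim in `_verify` (SecondFactor.pm, second hunk of that file). Add a comment above the `unless`, e.g. `# Refuse tokens that were not issued by the 2F flow; only those carry _2fRealSession`, and consider moving the check into one shared helper so a further entry point cannot skip it. The diff does not show where `_2fRealSession` is set; if any existing 2F token issuer omits the flag, every 2F login will now end in PE_ERROR, so that side of the change should be confirmed. Both branches record the event with `$self->logger->error`, which files a likely misrouted or forged token as an internal error rather than as a user-level event, so the intended audit level is worth checking. `_choice` continues outside the hunk.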