diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Engines/Default.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Engines/Default.pm index a5123f49b..de5b8673a 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Engines/Default.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/2F/Engines/Default.pm @@ -433,9 +433,16 @@ sub _choice { my $session; unless ( $session = $self->ott->getToken($token) ) { $self->userLogger->info('Token expired'); + $req->noLoginDisplay(1); return $self->p->do( $req, [ sub { PE_TOKENEXPIRED } ] ); } + unless ( $session->{_2fRealSession} ) { + $self->logger->error("Invalid 2FA session token"); + $req->noLoginDisplay(1); + return $self->p->do( $req, [ sub { PE_ERROR } ] ); + } + $req->sessionInfo($session); # New token diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/SecondFactor.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/SecondFactor.pm index 8328db79c..cb8da3519 100644 --- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/SecondFactor.pm +++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/SecondFactor.pm @@ -5,6 +5,7 @@ use Mouse; use Lemonldap::NG::Portal::Main::Constants qw( PE_SENDRESPONSE PE_OK + PE_ERROR PE_NOTOKEN PE_TOKENEXPIRED PE_BADCREDENTIALS @@ -101,9 +102,14 @@ sub _verify { my $session; unless ( $session = $self->ott->getToken($token) ) { $self->userLogger->info('Token expired'); - $self->setSecurity($req); + $req->noLoginDisplay(1); return $self->p->do( $req, [ sub { PE_TOKENEXPIRED } ] ); } + unless ( $session->{_2fRealSession} ) { + $self->logger->error("Invalid 2FA session token"); + $req->noLoginDisplay(1); + return $self->p->do( $req, [ sub { PE_ERROR } ] ); + } # Launch second factor verification my $res = $self->verify( $req, $session ); diff --git a/lemonldap-ng-portal/t/70-2F-TOTP-8-with-global-storage.t b/lemonldap-ng-portal/t/70-2F-TOTP-8-with-global-storage.t index fe4358272..a0ad0dc7e 100644 --- a/lemonldap-ng-portal/t/70-2F-TOTP-8-with-global-storage.t 
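Review bot: The new rejection branch in `_choice` logs through `$self->logger->error` while the expired-token branch just above it logs through `$self->userLogger`; a one-time token that resolves but carries no `_2fRealSession` was not issued for 2FA, which is an authentication anomaly that belongs in the user/audit log next to the expiry event, e.g. `$self->userLogger->error("Invalid 2FA session token")`, ideally with the client address. The same five lines are added verbatim to `_verify` in SecondFactor.pm, so whatever is chosen here should be mirrored there. `PE_ERROR` is added to the Constants import list only in SecondFactor.pm; unless Default.pm already imports it (not visible in this diff), the bareword in `sub { PE_ERROR }` will not compile under strict. `_choice` starts and ends outside the hunk.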
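Review bot: The new `_2fRealSession` rejection in `_verify` has no test coverage — the test hunks in 70-2F-TOTP-8-with-global-storage.t and 70-2F-TOTP-encryption.t only assert that the expired-token page omits the login form, so neither the `PE_ERROR` result nor the `noLoginDisplay(1)` rendering of this branch is exercised. A test that stores a one-time token whose payload lacks `_2fRealSession`, posts it to the 2FA endpoint and asserts `unlike( $res->[2]->[0], qr/input id="userfield"/, 'Login form is not displayed' )` on the resulting error page would pin the behaviour. Whether the error template honours `noLoginDisplay` for `PE_ERROR` the way the tests show it does for `PE_TOKENEXPIRED` cannot be confirmed from this hunk. `_verify` starts and continues outside the hunk.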
+++ b/lemonldap-ng-portal/t/70-2F-TOTP-8-with-global-storage.t @@ -3,7 +3,7 @@ use strict; use IO::String; require 't/test-lib.pm'; -my $maintests = 27; +my $maintests = 28; SKIP: { eval { require Convert::Base32 }; @@ -186,10 +186,13 @@ SKIP: { ), 'Post code' ); - ( $host, $url, $query ) = - expectForm( $res, '#', undef, 'user', 'password', 'token' ); ok( $res->[2]->[0] =~ /<\/span>/, 'Token expired' ) or print STDERR Dumper( $res->[2]->[0] ); + unlike( + $res->[2]->[0], + qr/input id="userfield"/, + 'Login form is not displayed' + ); # Try to sign-in ok( $res = $client->_get( '/', accept => 'text/html' ), 'Get Menu', ); diff --git a/lemonldap-ng-portal/t/70-2F-TOTP-encryption.t b/lemonldap-ng-portal/t/70-2F-TOTP-encryption.t index 7ba1e65a2..8e61ab1ed 100644 --- a/lemonldap-ng-portal/t/70-2F-TOTP-encryption.t +++ b/lemonldap-ng-portal/t/70-2F-TOTP-encryption.t @@ -4,7 +4,7 @@ use IO::String; use JSON qw/from_json to_json/; require 't/test-lib.pm'; -my $maintests = 30; +my $maintests = 31; SKIP: { eval { require Convert::Base32 }; @@ -187,10 +187,14 @@ SKIP: { ), 'Post code' ); - ( $host, $url, $query ) = - expectForm( $res, '#', undef, 'user', 'password', 'token' ); + ok( $res->[2]->[0] =~ /<\/span>/, 'Token expired' ) or print STDERR Dumper( $res->[2]->[0] ); + unlike( + $res->[2]->[0], + qr/input id="userfield"/, + 'Login form is not displayed' + ); # Try to sign-in ok( $res = $client->_get( '/', accept => 'text/html' ), 'Get Menu', );