diff --git a/src/routes/developer.js b/src/routes/developer.js
index cfa62378a..1b0c58ef9 100644
--- a/src/routes/developer.js
+++ b/src/routes/developer.js
@@ -7,7 +7,8 @@ exports = module.exports = {
 var developer = require('../developer.js'),
 passport = require('passport'),
 HttpError = require('connect-lastmile').HttpError,
- HttpSuccess = require('connect-lastmile').HttpSuccess;
+ HttpSuccess = require('connect-lastmile').HttpSuccess,
+ speakeasy = require('speakeasy');
 function login(req, res, next) {
 passport.authenticate('local', function (error, user) {
@@ -16,6 +17,13 @@ function login(req, res, next) {
 var ip = req.headers['x-forwarded-for'] || req.connection.remoteAddress || null;
+ if (user.twoFactorAuthenticationEnabled) {
+ if (!req.body.totpToken) return next(new HttpError(401, 'A totpToken must be provided'));
+
+ let verified = speakeasy.totp.verify({ secret: user.twoFactorAuthenticationSecret, encoding: 'base32', token: req.body.totpToken });
+ if (!verified) return next(new HttpError(401, 'Invalid totpToken'));
+ }
+
 developer.issueDeveloperToken(user, ip, function (error, result) {
 if (error) return next(new HttpError(500, error));
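Review bot: The new TOTP branch in `login` has no attempt limiting and no replay protection. Nothing visible in this hunk counts failed `totpToken` submissions per user or remembers the last accepted time step, so a code can be retried without bound once the password check has passed, and an accepted code stays valid for the rest of its step. Unless throttling already happens in middleware outside this view, record failures (the `ip` computed just above is available for the log entry) and reject a code whose step is not newer than the last one accepted; speakeasy's `totp.verifyDelta` returns the matched offset, which can be stored for that comparison. `req.body.totpToken` is also handed to the verifier unvalidated, so a guard such as `if (typeof req.body.totpToken !== 'string') return next(new HttpError(401, 'A totpToken must be provided'));` would keep non-string JSON values out of it. The body of `login` starts and ends outside the hunk, so an existing null check on `user` before this branch is assumed rather than seen.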