diff --git a/src/routes/users.js b/src/routes/users.js
index 2fffe1cd7..898c9ba60 100644
--- a/src/routes/users.js
+++ b/src/routes/users.js
@@ -132,7 +132,7 @@ async function verifyPassword(req, res, next) {
 
     if (typeof req.body.password !== 'string') return next(new HttpError(400, 'API call requires user password'));
 
-    const [error] = await safe(users.verifyWithUsername(req.user.username, req.body.password, users.AP_WEBADMIN));
+    const [error] = await safe(users.verify(req.user.id, req.body.password, users.AP_WEBADMIN));
     if (error) return next(BoxError.toHttpError(error));
 
     req.body.password = '<redacted>'; // this will prevent logs from displaying plain text password