diff --git a/src/proxyauth.js b/src/proxyauth.js
index 98b205d1f..deb29b304 100644
--- a/src/proxyauth.js
+++ b/src/proxyauth.js
@@ -124,9 +124,9 @@ function passwordAuth(req, res, next) {
 if (typeof req.body.username !== 'string') return next(new HttpError(400, 'username must be non empty string' ));
 if (typeof req.body.password !== 'string') return next(new HttpError(400, 'password must be non empty string' ));
- if ('totpToken' in req.body && typeof req.body.password !== 'string') return next(new HttpError(400, 'totpToken must be a string' ));
+ if ('totpToken' in req.body && typeof req.body.totpToken !== 'string') return next(new HttpError(400, 'totpToken must be a string' ));
- const { username, password, totpToken } = req.body.username;
+ const { username, password, totpToken } = req.body;
 const api = username.indexOf('@') !== -1 ? users.verifyWithEmail : users.verifyWithUsername;
diff --git a/src/routes/accesscontrol.js b/src/routes/accesscontrol.js
index 38a310803..e8e37ce0f 100644
--- a/src/routes/accesscontrol.js
+++ b/src/routes/accesscontrol.js
@@ -21,9 +21,9 @@ function passwordAuth(req, res, next) {
 if (!req.body.username || typeof req.body.username !== 'string') return next(new HttpError(400, 'A username must be non-empty string'));
 if (!req.body.password || typeof req.body.password !== 'string') return next(new HttpError(400, 'A password must be non-empty string'));
- if ('totpToken' in req.body && typeof req.body.password !== 'string') return next(new HttpError(400, 'totpToken must be a string' ));
+ if ('totpToken' in req.body && typeof req.body.totpToken !== 'string') return next(new HttpError(400, 'totpToken must be a string' ));
- const { username, password, totpToken } = req.body.username;
+ const { username, password, totpToken } = req.body;
 function check2FA(user) {
 assert.strictEqual(typeof user, 'object');
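Review bot: The two context checks above the corrected totpToken line in src/proxyauth.js accept an empty string although their messages say "non empty string", because they test only `typeof`; the sibling passwordAuth in src/routes/accesscontrol.js also tests truthiness. Matching it with `if (!req.body.username || typeof req.body.username !== 'string') return next(new HttpError(400, 'username must be non empty string' ));` and the same guard for `password` would reject empty credentials with a 400 before they reach users.verifyWithEmail or users.verifyWithUsername. passwordAuth starts before and continues after the hunk, so any earlier check on `req.body` itself is not visible here.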
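Review bot: The validation block in src/routes/accesscontrol.js is a near-verbatim copy of the one in src/proxyauth.js, and both copies carried the same two mistakes, so a single shared helper called by both passwordAuth functions would stop the credential and totpToken checks from drifting apart again. The diff adds no test for the fix; a request with a non-string `totpToken` (a number, say) expecting 400, plus a valid login that reaches check2FA with the token intact, would pin the behaviour in both files. An empty-string `totpToken` still passes `'totpToken' in req.body && typeof req.body.totpToken !== 'string'`, so whether it is treated as "no token supplied" depends on check2FA, whose body continues outside the hunk.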