diff --git a/CHANGELOG.md b/CHANGELOG.md
index e17f9a602..eadfc9bed 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -95,5 +95,6 @@ Please add a _short_ line describing the PR you make, if the PR implements a spe
 - Bug: Check for timestamp `0000-00-00 00:00:00` added and invite deleted ([#1163](https://github.com/ScilifelabDataCentre/dds_web/pull/1163))
 - Add documentation of status codes in `api/project.py` ([#1164](https://github.com/ScilifelabDataCentre/dds_web/pull/1164))
 - Add ability to switch to using TOTP and back to HOTP for MFA ([#936](https://github.com/scilifelabdatacentre/dds_web/issues/936))
+- Patch: Fix the warning in web for too soon TOTP login (within 90 seconds) ([#1173](https://github.com/ScilifelabDataCentre/dds_web/pull/1173))
 - Bug: Do not remove the bucket when emptying the project ([#1172](https://github.com/ScilifelabDataCentre/dds_web/pull/1172))
 - New `add-missing-buckets` argument option to the `lost-files` flask command ([#1174](https://github.com/ScilifelabDataCentre/dds_web/pull/1174))
diff --git a/dds_web/web/user.py b/dds_web/web/user.py
index 18398a970..340b3716e 100644
--- a/dds_web/web/user.py
+++ b/dds_web/web/user.py
@@ -320,8 +320,10 @@ def confirm_2fa():
         # Raises authenticationerror if invalid
         try:
             twofactor_verify(twofactor_value.encode())
-        except ddserr.AuthenticationError:
-            flask.flash("Invalid one-time code.", "warning")
+        except ddserr.AuthenticationError as err:
+            message = str(err)
+            message = message.removeprefix("401 Unauthorized: ")
+            flask.flash(message, "warning")
             return flask.redirect(
                 flask.url_for(
                     "auth_blueprint.confirm_2fa",