diff --git a/codeforlife/settings/django.py b/codeforlife/settings/django.py
index 308ca02b..1917dc82 100644
--- a/codeforlife/settings/django.py
+++ b/codeforlife/settings/django.py
@@ -25,8 +25,8 @@
 
 AUTHENTICATION_BACKENDS = [
     "codeforlife.user.auth.backends.EmailAndPasswordBackend",
-    "codeforlife.user.auth.backends.EmailAndTokenBackend",
     "codeforlife.user.auth.backends.OtpBackend",
+    "codeforlife.user.auth.backends.TokenBackend",
     "codeforlife.user.auth.backends.UserIdAndLoginIdBackend",
     "codeforlife.user.auth.backends.UsernameAndPasswordAndClassIdBackend",
 ]
diff --git a/codeforlife/user/auth/backends/__init__.py b/codeforlife/user/auth/backends/__init__.py
index 78e97f6a..c1b9a17c 100644
--- a/codeforlife/user/auth/backends/__init__.py
+++ b/codeforlife/user/auth/backends/__init__.py
@@ -1,6 +1,6 @@
 from .email_and_password import EmailAndPasswordBackend
-from .email_and_token import EmailAndTokenBackend
 from .otp import OtpBackend
+from .token import TokenBackend
 from .user_id_and_login_id import UserIdAndLoginIdBackend
 from .username_and_password_and_class_id import (
     UsernameAndPasswordAndClassIdBackend,
diff --git a/codeforlife/user/auth/backends/otp.py b/codeforlife/user/auth/backends/otp.py
index dc41100d..943980a8 100644
--- a/codeforlife/user/auth/backends/otp.py
+++ b/codeforlife/user/auth/backends/otp.py
@@ -23,8 +23,9 @@ def authenticate(
             otp is None
             or not isinstance(request.user, User)
             or not request.user.userprofile.otp_secret
-            or not AuthFactor.Type.OTP
-            in request.user.session.session_auth_factors
+            or not request.user.session.session_auth_factors.filter(
+                auth_factor__type=AuthFactor.Type.OTP
+            ).exists()
         ):
             return
 
diff --git a/codeforlife/user/auth/backends/email_and_token.py b/codeforlife/user/auth/backends/token.py
similarity index 53%
rename from codeforlife/user/auth/backends/email_and_token.py
rename to codeforlife/user/auth/backends/token.py
index 41f5d370..06f94f92 100644
--- a/codeforlife/user/auth/backends/email_and_token.py
+++ b/codeforlife/user/auth/backends/token.py
@@ -4,29 +4,28 @@
 from django.contrib.auth.base_user import AbstractBaseUser
 
 from ....request import WSGIRequest
-from ...models import User
+from ...models import AuthFactor, User
 
 
-class EmailAndTokenBackend(BaseBackend):
+class TokenBackend(BaseBackend):
     def authenticate(
         self,
         request: WSGIRequest,
-        email: t.Optional[str] = None,
         token: t.Optional[str] = None,
         **kwargs,
     ) -> t.Optional[AbstractBaseUser]:
-        if email is None or token is None:
+        if (
+            token is None
+            or not isinstance(request.user, User)
+            or not request.user.session.session_auth_factors.filter(
+                auth_factor__type=AuthFactor.Type.OTP
+            ).exists()
+        ):
             return
 
-        try:
-            user = User.objects.get(email=email)
-            if any(
-                backup_token.check_token(token)
-                for backup_token in user.backup_tokens
-            ):
-                return user
-        except User.DoesNotExist:
-            return
+        for backup_token in request.user.backup_tokens.all():
+            if backup_token.check_token(token):
+                return request.user
 
     def get_user(self, user_id: int) -> t.Optional[AbstractBaseUser]:
         try: