diff --git a/app/main/forms.py b/app/main/forms.py
index 5131b6696..ec8e4a254 100644
--- a/app/main/forms.py
+++ b/app/main/forms.py
@@ -1,6 +1,6 @@
 from flask import session
 from flask_wtf import Form
-from wtforms import StringField, PasswordField, IntegerField
+from wtforms import StringField, PasswordField
 from wtforms.validators import DataRequired, Email, Length, Regexp
 
 from app.main.encryption import checkpw
@@ -42,7 +42,8 @@ class RegisterUserForm(Form):
 
 
 class TwoFactorForm(Form):
-    sms_code = IntegerField('sms code', validators=[DataRequired(message='Please enter your code')])
+    sms_code = StringField('sms code', validators=[DataRequired(message='Please enter your code'),
+                                                   Regexp(regex=verify_code, message='Code must be 5 digits')])
 
     def validate_sms_code(self, a):
         if self.sms_code.data is not None:
diff --git a/tests/app/main/views/test_two_factor.py b/tests/app/main/views/test_two_factor.py
index 1d00d27c3..37a4abb95 100644
--- a/tests/app/main/views/test_two_factor.py
+++ b/tests/app/main/views/test_two_factor.py
@@ -44,3 +44,15 @@ def test_should_return_400_when_sms_code_is_empty(notifications_admin, notificat
         assert response.status_code == 400
         assert 'sms_code' in response.get_data(as_text=True)
         assert 'Please enter your code' in response.get_data(as_text=True)
+
+
+def test_should_return_400_when_sms_code_is_too_short(notifications_admin, notifications_admin_db):
+    with notifications_admin.test_client() as client:
+        with client.session_transaction() as session:
+            user = create_test_user()
+            session['user_id'] = user.id
+            session['sms_code'] = hashpw('12345')
+        response = client.post('/two-factor', data={'sms_code': '2346'})
+        assert response.status_code == 400
+        assert 'sms_code' in response.get_data(as_text=True)
+        assert 'Code must be 5 digits' in response.get_data(as_text=True)