diff --git a/app/main/forms.py b/app/main/forms.py
index a228a8f61..4b8e400ba 100644
--- a/app/main/forms.py
+++ b/app/main/forms.py
@@ -20,6 +20,7 @@ class LoginForm(Form):

 gov_uk_email = "(^[^@^\\s]+@[^@^\\.^\\s]+(\\.[^@^\\.^\\s]*)*.gov.uk)"
 mobile_number = "^\\+44[\\d]{10}$"
+verify_code = "[\\d]{5}$"


 class RegisterUserForm(Form):
@@ -43,10 +44,10 @@ class RegisterUserForm(Form):
 class VerifyForm(Form):
 sms_code = StringField("Text message confirmation code",
 validators=[DataRequired(message='SMS code can not be empty'),
- Length(min=5, max=5, message='Code must be 5 digits')])
+ Regexp(regex=verify_code, message='Code must be 5 digits')])
 email_code = StringField("Email confirmation code",
 validators=[DataRequired(message='Email code can not be empty'),
- Length(min=5, max=5, message='Code must be 5 digits')])
+ Regexp(regex=verify_code, message='Code must be 5 digits')])

 def validate_email_code(self, a):
 if self.email_code.data is not None:
diff --git a/tests/app/main/views/test_verify.py b/tests/app/main/views/test_verify.py
index 7d9ea4f0e..17ebf35bf 100644
--- a/tests/app/main/views/test_verify.py
+++ b/tests/app/main/views/test_verify.py
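Review bot: The new `verify_code` pattern has no start anchor and ends in `$`, so how strict it is depends on how the validator applies it. `Regexp`, which the `VerifyForm` hunk uses for both `sms_code` and `email_code`, matches from the start of the value, but `$` also matches just before a trailing newline, so a five-digit value followed by a newline passes where the removed `Length(min=5, max=5)` rejected it. `\d` also accepts non-ASCII digits in str input. Anchoring both ends and naming the digit range makes the rule independent of the validator's matching mode: `verify_code = "^[0-9]{5}\\Z"`.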
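Review bot: A failed `Regexp` check on `email_code` does not appear to stop the rest of the field's validation, so the comparison in `validate_email_code` still runs on input already known to be malformed. The test change in tests/app/main/views/test_verify.py expects both 'Code must be 5 digits' and 'Code does not match' for `'abcde'`, which is consistent with that. Returning early when the field already carries an error, for example `if self.email_code.errors: return` at the top of `validate_email_code`, would report only the format problem. If the comparison is the hash check the tests set up with `hashpw`, it would also avoid that work on input that cannot match. The body of `validate_email_code` continues outside this hunk, so this should be confirmed against the full method, and the tests asserting both messages would need updating.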
@@ -107,8 +107,28 @@ def test_should_return_400_when_email_code_has_letter(notifications_admin, notif
 response = client.post('/verify',
 data={'sms_code': '23456',
 'email_code': 'abcde'})
+ data = response.get_data(as_text=True)
 assert response.status_code == 400
- assert 'Code does not match' in response.get_data(as_text=True)
+ assert 'email_code' in data
+ assert 'Code does not match' in data
+ assert 'Code must be 5 digits' in data
+
+
+def test_should_return_400_when_sms_code_is_too_short(notifications_admin, notifications_admin_db):
+ with notifications_admin.test_client() as client:
+ with client.session_transaction() as session:
+ user = _create_test_user()
+ session['user_id'] = user.id
+ session['sms_code'] = hashpw('23456')
+ session['email_code'] = hashpw('23456')
+ response = client.post('/verify',
+ data={'sms_code': '2345',
+ 'email_code': '23456'})
+ assert response.status_code == 400
+ data = response.get_data(as_text=True)
+ assert 'sms_code' in data
+ assert 'Code must be 5 digits' in data
+ assert 'Code does not match' in data


 def test_should_return_302_when_email_code_starts_with_zero(notifications_admin, notifications_admin_db):
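Review bot: The added cases cover a too-short SMS code and letters in the email code, but nothing pins the upper bound that `Length(max=5)` used to enforce. With the regex-based check, rejection of an over-long or newline-terminated code depends on how the pattern is anchored, so those inputs deserve their own tests. A sibling of `test_should_return_400_when_sms_code_is_too_short` posting `data={'sms_code': '234567', 'email_code': '23456'}`, and one posting `'23456\n'`, each asserting a 400 and 'Code must be 5 digits', would catch a regression there. The `assert 'sms_code' in data` and `assert 'email_code' in data` checks may also pass whenever the form is re-rendered, if the field name appears in the markup regardless of errors, so they add little beyond the message assertions.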