diff --git a/app/main/forms.py b/app/main/forms.py
index c4ee1c995..edfbebbbf 100644
--- a/app/main/forms.py
+++ b/app/main/forms.py
@@ -71,7 +71,7 @@ class VerifyForm(Form):
 def validate_code(field, code):
- if code.expiry_datetime > datetime.now():
+ if code.expiry_datetime <= datetime.now():
 field.errors.append('Code has expired')
 return False
 if field.data is not None:
diff --git a/tests/app/main/test_two_factor_form.py b/tests/app/main/test_two_factor_form.py
index 7b6bec243..107f7757c 100644
--- a/tests/app/main/test_two_factor_form.py
+++ b/tests/app/main/test_two_factor_form.py
@@ -50,11 +50,11 @@ def test_returns_errors_when_code_contains_letters(notifications_admin, notifica
 def test_should_return_errors_when_code_is_expired(notifications_admin, notifications_admin_db, notify_db_session):
 with notifications_admin.test_request_context(method='POST',
- data={'sms_code': '12345'}) as req:
- user = set_up_test_data()
+ data={'sms_code': '23456'}) as req:
+ user = create_test_user()
 req.session['user_id'] = user.id
 verify_codes_dao.add_code_with_expiry(user_id=user.id,
- code='12345',
+ code='23456',
 code_type='sms',
 expiry=datetime.now() + timedelta(hours=-2))
 req.session['user_id'] = user.id
diff --git a/tests/app/main/test_verify_form.py b/tests/app/main/test_verify_form.py
index 7cd33c676..9c4b7dedd 100644
--- a/tests/app/main/test_verify_form.py
+++ b/tests/app/main/test_verify_form.py
@@ -49,7 +49,7 @@ def test_should_return_errors_when_code_is_too_short(notifications_admin, notifi
 def test_should_return_errors_when_code_does_not_match(notifications_admin, notifications_admin_db, notify_db_session):
 with notifications_admin.test_request_context(method='POST',
- data={'sms_code': '23456', 'email_code': '23456'}) as req:
+ data={'sms_code': '34567', 'email_code': '34567'}) as req:
 user = set_up_test_data()
 req.session['user_id'] = user.id
 form = VerifyForm(req.request.form)
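Review bot: In `validate_code` in app/main/forms.py, the corrected expiry check still compares against naive `datetime.now()`, so whether a verification code counts as expired depends on the server's local wall clock. A DST change, or a timezone difference between the process that wrote `expiry_datetime` and this one, would move the cut-off by that offset. How `expiry_datetime` is written is not visible in this hunk, so this is only safe if both sides use the same naive local clock. Consider storing and comparing in UTC, e.g. `if code.expiry_datetime <= datetime.utcnow():`, with the writer changed to match. The function body continues past the end of the hunk.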
@@ -65,7 +65,7 @@ def test_should_return_errors_when_code_is_expired(notifications_admin, notifica
 with notifications_admin.test_request_context(method='POST',
 data={'sms_code': '23456', 'email_code': '23456'}) as req:
- user = set_up_test_data()
+ user = create_test_user()
 req.session['user_id'] = user.id
 verify_codes_dao.add_code_with_expiry(user_id=user.id,
 code='23456',
@@ -80,10 +80,10 @@ def test_should_return_errors_when_code_is_expired(notifications_admin, notifica
 form = VerifyForm(req.request.form)
 assert form.validate() is False
 errors = form.errors
- expected = set({'sms_code': ['Code has expired'],
- 'email_code': ['Code has exprired']})
+ expected = {'sms_code': ['Code has expired'],
+ 'email_code': ['Code has expired']}
 assert len(errors) == 2
- assert set(errors) == expected
+ assert set(errors) == set(expected)
 def set_up_test_data():
diff --git a/tests/app/main/views/test_two_factor.py b/tests/app/main/views/test_two_factor.py
index 893408a3b..18992f0d9 100644
--- a/tests/app/main/views/test_two_factor.py
+++ b/tests/app/main/views/test_two_factor.py
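Review bot: In the `@@ -80,10` hunk of tests/app/main/test_verify_form.py, `assert set(errors) == set(expected)` compares only the dictionary keys, so the test passes for any error on `sms_code` and `email_code` and never checks that the message is 'Code has expired'. That is presumably how the misspelt 'Code has exprired' expectation went unnoticed, and it means the test cannot tell an expiry rejection from a mismatch rejection. Assuming `form.errors` is a plain field-to-messages dict, compare the mappings directly with `assert errors == expected`; the `len(errors) == 2` line then becomes redundant. The test function starts before the hunk.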
@@ -35,27 +35,3 @@ def test_should_return_400_with_sms_code_error_when_sms_code_is_wrong(notificati
 data={'sms_code': '23456'})
 assert response.status_code == 400
 assert {'sms_code': ['Code does not match']} == json.loads(response.get_data(as_text=True))
-
-
-def test_should_return_400_when_sms_code_is_empty(notifications_admin, notifications_admin_db, notify_db_session):
- with notifications_admin.test_client() as client:
- with client.session_transaction() as session:
- user = create_test_user()
- session['user_id'] = user.id
- verify_codes_dao.add_code(user_id=user.id, code='12345', code_type='sms')
- response = client.post('/two-factor')
- assert response.status_code == 400
- assert {'sms_code': ['Please enter your code']} == json.loads(response.get_data(as_text=True))
-
-
-def test_should_return_400_when_sms_code_is_too_short(notifications_admin, notifications_admin_db, notify_db_session):
- with notifications_admin.test_client() as client:
- with client.session_transaction() as session:
- user = create_test_user()
- session['user_id'] = user.id
- verify_codes_dao.add_code(user_id=user.id, code='23467', code_type='sms')
- response = client.post('/two-factor', data={'sms_code': '2346'})
- assert response.status_code == 400
- data = json.loads(response.get_data(as_text=True))
- assert len(data.keys()) == 1
- assert set(data) == set({'sms_code': ['Code must be 5 digits', 'Code does not match']})