diff --git a/src/Core/Auth/Identity/TokenProviders/EmailTokenProvider.cs b/src/Core/Auth/Identity/TokenProviders/EmailTokenProvider.cs
index 70aba8ef75..f6ef3a5dd0 100644
--- a/src/Core/Auth/Identity/TokenProviders/EmailTokenProvider.cs
+++ b/src/Core/Auth/Identity/TokenProviders/EmailTokenProvider.cs
@@ -65,7 +65,7 @@ public class EmailTokenProvider : IUserTwoFactorTokenProvider<User>
         }
 
         var code = Encoding.UTF8.GetString(cachedValue);
-        var valid = string.Equals(token, code);
+        var valid = CoreHelpers.FixedTimeEquals(token, code);
         if (valid)
         {
             await _distributedCache.RemoveAsync(cacheKey);
diff --git a/src/Core/Auth/Identity/TokenProviders/OtpTokenProvider/OtpTokenProvider.cs b/src/Core/Auth/Identity/TokenProviders/OtpTokenProvider/OtpTokenProvider.cs
index b6280e13fe..ae394f817e 100644
--- a/src/Core/Auth/Identity/TokenProviders/OtpTokenProvider/OtpTokenProvider.cs
+++ b/src/Core/Auth/Identity/TokenProviders/OtpTokenProvider/OtpTokenProvider.cs
@@ -64,7 +64,7 @@ public class OtpTokenProvider<TOptions>(
         }
 
         var code = Encoding.UTF8.GetString(cachedValue);
-        var valid = string.Equals(token, code);
+        var valid = CoreHelpers.FixedTimeEquals(token, code);
         if (valid)
         {
             await _distributedCache.RemoveAsync(cacheKey);