diff --git a/src/UserLoginEnforce.php b/src/UserLoginEnforce.php
index 44aa4e5..d224856 100644
--- a/src/UserLoginEnforce.php
+++ b/src/UserLoginEnforce.php
@@ -51,9 +51,10 @@ class UserLoginEnforce {
     // before this validation, so this is not a bruteforce vector. We only see
     // this message if the user has successfully validated their password and
     // have not tripped a flood threshold.
+    /** @var \OTPHP\TOTP $one_time_pass */
     $one_time_pass = $user->one_time_password->getOneTimePassword();
     $user_provided_code = $form_state->getValue('one_time_password');
-    if (empty($user_provided_code) || !$one_time_pass->verify($user_provided_code)) {
+    if (empty($user_provided_code) || !$one_time_pass->verify($user_provided_code, NULL, 10)) {
       $form_state->setErrorByName('one_time_password', t('The entered two factor authentication code is incorrect.'));
     }
   }
diff --git a/tests/src/Functional/UserLoginEnforceTest.php b/tests/src/Functional/UserLoginEnforceTest.php
index ebdb4c7..d500357 100644
--- a/tests/src/Functional/UserLoginEnforceTest.php
+++ b/tests/src/Functional/UserLoginEnforceTest.php
@@ -69,6 +69,29 @@ class UserLoginEnforceTest extends BrowserTestBase {
   }
 
   /**
+   * Test the wider login window works.
+   */
+  public function testLoginWindow() {
+    $test_user_with_tfa = $this->createUser();
+    $test_user_with_tfa->one_time_password->regenerateOneTimePassword();
+    /** @var \OTPHP\TOTP $otp_object */
+    $otp_object = $test_user_with_tfa->one_time_password->getOneTimePassword();
+    $test_user_with_tfa->save();
+
+    // Attempt to login with the code that would have been valid about three
+    // minutes ago.
+    $this->drupalGet('user/login');
+    $this->submitForm([
+      'name' => $test_user_with_tfa->getUsername(),
+      'pass' => $test_user_with_tfa->passRaw,
+      'one_time_password' => $otp_object->at(time() - 195),
+    ], t('Log in'));
+
+    $test_user_with_tfa->sessionId = $this->getSession()->getCookie($this->getSessionName());
+    $this->assertTrue($this->drupalUserIsLoggedIn($test_user_with_tfa), 'User was logged in successfully with a TFA code.');
+  }
+
+  /**
    * Test no information disclosure through the flood table.
    */
   public function testFloodTableInformationDisclosure() {