diff --git a/core/modules/user/user.module b/core/modules/user/user.module
index 7666ed2..9bb49be 100644
--- a/core/modules/user/user.module
+++ b/core/modules/user/user.module
@@ -1321,13 +1321,13 @@ function user_login_authenticate_validate($form, &$form_state) {
       if ($flood_config->get('uid_only')) {
         // Register flood events based on the uid only, so they apply for any
         // IP address. This is the most secure option.
-        $identifier = $account->id();
+        $identifier = $account->uid;
       }
       else {
         // The default identifier is a combination of uid and IP address. This
         // is less secure but more resistant to denial-of-service attacks that
         // could lock out all users with public user names.
-        $identifier = $account->id() . '-' . Drupal::request()->getClientIP();
+        $identifier = $account->uid . '-' . Drupal::request()->getClientIP();
       }
       $form_state['flood_control_user_identifier'] = $identifier;