diff --git a/CHANGELOG.md b/CHANGELOG.md
index 44c1b5b07..1fae8ec20 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,6 +13,7 @@
 - Fix remote profile avatar urls when storing locally ([b0422d4f](https://github.com/pixelfed/pixelfed/commit/b0422d4f))
 - Enable network timeline caching by default ([c990ac2a](https://github.com/pixelfed/pixelfed/commit/c990ac2a))
 - Redirect /home to / ([97032997](https://github.com/pixelfed/pixelfed/commit/97032997))
+- Fix 2FA backup code bug ([a231b3c5](https://github.com/pixelfed/pixelfed/commit/a231b3c5))
 -  ([](https://github.com/pixelfed/pixelfed/commit/))
 
 ## [v0.11.4 (2022-10-04)](https://github.com/pixelfed/pixelfed/compare/v0.11.3...v0.11.4)
diff --git a/app/Http/Controllers/AccountController.php b/app/Http/Controllers/AccountController.php
index 0d3177b9d..89f46e046 100644
--- a/app/Http/Controllers/AccountController.php
+++ b/app/Http/Controllers/AccountController.php
@@ -513,26 +513,25 @@ class AccountController extends Controller
 		}
 	}
 
-	protected function twoFactorBackupCheck($request, $code, User $user)
-	{
-		$backupCodes = $user->{'2fa_backup_codes'};
-		if($backupCodes) {
-			$codes = json_decode($backupCodes, true);
-			foreach ($codes as $c) {
-				if(hash_equals($c, $code)) {
-					$codes = array_flatten(array_diff($codes, [$code]));
-					$user->{'2fa_backup_codes'} = json_encode($codes);
-					$user->save();
-					$request->session()->push('2fa.session.active', true);
-					return true;
-				} else {
-					return false;
-				}
-			}
-		} else {
-			return false;
-		}
-	}
+    protected function twoFactorBackupCheck($request, $code, User $user)
+    {
+        $backupCodes = $user->{'2fa_backup_codes'};
+        if($backupCodes) {
+            $codes = json_decode($backupCodes, true);
+            foreach ($codes as $c) {
+                if(hash_equals($c, $code)) {
+                    $codes = array_flatten(array_diff($codes, [$code]));
+                    $user->{'2fa_backup_codes'} = json_encode($codes);
+                    $user->save();
+                    $request->session()->push('2fa.session.active', true);
+                    return true;
+                }
+            }
+            return false;
+        } else {
+            return false;
+        }
+    }
 
 	public function accountRestored(Request $request)
 	{