diff --git a/lib/Auth/Utils.php b/lib/Auth/Utils.php
index 35a24c00b16e0789c6a22cabc588bab2f7ece25c..adff02f9bd55ec7d4e331e53c667733cddbb0ed6 100644
--- a/lib/Auth/Utils.php
+++ b/lib/Auth/Utils.php
@@ -103,7 +103,7 @@ class Utils
                     self::handlePrivacyIDEAException($e, $state);
                 }
             }
-        } else {
+        } elseif ($formParams['mode'] === 'totp') {
             try {
                 // limit otp validation to totp tokens to prevent incrementing of webauthn failcounter
                 $params["type"] = "totp";
@@ -123,6 +123,13 @@ class Utils
             } catch (\Exception $e) {
                 self::handlePrivacyIDEAException($e, $state);
             }
+        } else {
+            // Backup code validation
+            try {
+                $response = $pi->validateCheck($username, $formParams['otp'], $transactionID);
+            } catch (\Exception $e) {
+                self::handlePrivacyIDEAException($e, $state);
+            }
         }
         $counter = $formParams['loadCounter'];
         $state['privacyidea:privacyidea:ui']['loadCounter'] = $counter + 1;
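Review bot: The new trailing `else` added in this hunk is a catch-all, so any `$formParams['mode']` value other than the ones tested above (including a missing or unexpected one, and `mode` appears to come from the submitted form) reaches `validateCheck()` without the `type` restriction that the `totp` branch sets to keep other tokens' fail counters from being incremented. If backup codes are the only intended case, test for that mode explicitly, e.g. `} elseif ($formParams['mode'] === '<backup-code-mode>') {` (placeholder; the real value is not visible here), and let a final `else` reject unknown modes instead of running an unrestricted check. If the untyped check is deliberate, extend the `// Backup code validation` comment to say so and why, since it contradicts the rationale given in the `totp` branch's comment. The enclosing method starts and ends outside the hunk, so how `$response` is used when the `catch` path is taken could not be checked.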