diff --git a/app/models/user.rb b/app/models/user.rb
index 0969fa93088ec053e6b57e04e059e992f74dddc8..70972eb27158fd4da1d32a161343fd5472ff2b37 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -81,7 +81,7 @@ class User < ActiveRecord::Base
   devise :two_factor_authenticatable,
          otp_secret_encryption_key: File.read(Rails.root.join('.secret')).chomp
 
-  devise :two_factor_backupable
+  devise :two_factor_backupable, otp_number_of_backup_codes: 10
   serialize :otp_backup_codes, JSON
 
   devise :lockable, :async, :recoverable, :rememberable, :trackable,
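Review bot: Setting `otp_number_of_backup_codes: 10` only changes sets generated from now on. Accounts that already hold a five-code set keep it until `generate_otp_backup_codes!` is called again, and nothing in this diff regenerates codes or prompts users to do so. Because `otp_backup_codes` is serialized as JSON into one column, the stored value roughly doubles (the gem presumably stores a digest per code), so confirm the column is `text` rather than a length-limited string; the schema is not visible here. A comment above the line would record the intent, e.g. `# 10 single-use recovery codes per set; existing sets stay at their old size until regenerated`.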
diff --git a/spec/features/login_spec.rb b/spec/features/login_spec.rb
index e44ddc179937b296806a3968fa3d741fe29720cf..61066e7e923d5128d8d883de615a0aabc3b9ea11 100644
--- a/spec/features/login_spec.rb
+++ b/spec/features/login_spec.rb
@@ -39,7 +39,7 @@ feature 'Login' do
         let(:codes) { user.generate_otp_backup_codes! }
 
         before do
-          expect(codes.size).to eq 5
+          expect(codes.size).to eq 10
 
           # Ensure the generated codes get saved
           user.save
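Review bot: The literal in `expect(codes.size).to eq 10` duplicates the count configured in the model, so the spec has to be edited by hand whenever the setting changes; `expect(codes.size).to eq User.otp_number_of_backup_codes` would track it. The same applies to the next hunk, where `eq 9` could be `eq User.otp_number_of_backup_codes - 1`. Separately, the `user.save` at the end of this hunk ignores its return value, while the next hunk uses `user.save!`; the bang form here would make the setup fail loudly if the generated codes are not persisted. The `before` block continues outside this hunk.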
@@ -63,7 +63,7 @@ feature 'Login' do
             expect(user.invalidate_otp_backup_code!(code)).to eq true
 
             user.save!
-            expect(user.reload.otp_backup_codes.size).to eq 4
+            expect(user.reload.otp_backup_codes.size).to eq 9
 
             enter_code(code)
             expect(page).to have_content('Invalid two-factor code')