diff --git a/extensions/guacamole-auth-totp/src/main/java/org/apache/guacamole/auth/totp/user/UserVerificationService.java b/extensions/guacamole-auth-totp/src/main/java/org/apache/guacamole/auth/totp/user/UserVerificationService.java
index 027a228cdc..bcdbace1a8 100644
--- a/extensions/guacamole-auth-totp/src/main/java/org/apache/guacamole/auth/totp/user/UserVerificationService.java
+++ b/extensions/guacamole-auth-totp/src/main/java/org/apache/guacamole/auth/totp/user/UserVerificationService.java
@@ -112,7 +112,8 @@ private UserTOTPKey getKey(UserContext context,
 
         // If no key is defined, attempt to generate a new key
         String secret = attributes.get(TOTPUser.TOTP_KEY_SECRET_ATTRIBUTE_NAME);
-        if (secret == null || secret.isEmpty()) {
+        boolean confirmed = "true".equals(attributes.get(TOTPUser.TOTP_KEY_CONFIRMED_ATTRIBUTE_NAME));
+        if (secret == null || secret.isEmpty() || !confirmed) {
 
             // Generate random key for user
             TOTPGenerator.Mode mode = confService.getMode();
@@ -140,7 +141,6 @@ private UserTOTPKey getKey(UserContext context,
         }
 
         // Otherwise, parse value from attributes
-        boolean confirmed = "true".equals(attributes.get(TOTPUser.TOTP_KEY_CONFIRMED_ATTRIBUTE_NAME));
         return new UserTOTPKey(username, key, confirmed);
 
     }