diff --git a/ayanova/devdocs/todo.txt b/ayanova/devdocs/todo.txt index 9573a97e..72186e9f 100644 --- a/ayanova/devdocs/todo.txt +++ b/ayanova/devdocs/todo.txt @@ -203,6 +203,8 @@ todo: 2fa is going to be an absolute must have pretty soon, look into what's inv if they match / pass then the normal token is sent back and login proceeds as normal NO TOKEN IS SENT ON 2fa enabled account without pin verification + TODO: failed login tries to navigate to login again, should carve out an exception in api no? + todo: tag search in picklist, does it support more than one tag? I forget diff --git a/ayanova/src/api/authutil.js b/ayanova/src/api/authutil.js index 805a8a1e..00a0a686 100644 --- a/ayanova/src/api/authutil.js +++ b/ayanova/src/api/authutil.js @@ -13,8 +13,6 @@ export function processLogin(authResponse, loggedInWithKnownPassword) { return reject(); } - - //is token present? if (!authResponse || !authResponse.token) { window.$gz.store.commit( diff --git a/ayanova/src/views/login.vue b/ayanova/src/views/login.vue index 8bc106ad..75fb1d1a 100644 --- a/ayanova/src/views/login.vue +++ b/ayanova/src/views/login.vue @@ -11,6 +11,7 @@ v-model="pin" :label="authEnterPin" required + :error-messages="pinError" > @@ -196,9 +197,11 @@ export default { authTwoFactor: null, authEnterPin: null, authVerifyCode: null, + authPinInvalid: null, cancel: null, pin: null, tt: null, + pinError: null, loggedInWithKnownPassword: false, hasSmallLogo: false, hasMediumLogo: false, @@ -373,13 +376,17 @@ export default { //send 2fa code to server if ok, then proceed as normal let vm = this; if (vm.pin && vm.pin != "") { - vm.errorBadCreds = false; + vm.pinError = null; try { - let res = await window.$gz.api.post("auth/tfa-authenticate", { - pin: vm.pin, - tempToken: vm.tt - }); + let res = await window.$gz.api.upsert( + "auth/tfa-authenticate", + { + pin: vm.pin, + tempToken: vm.tt + }, + true + ); if (res.error) { //don't expect this to ever get called but just in case 
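Review bot: The bare `true` passed as the third argument to `window.$gz.api.upsert("auth/tfa-authenticate", …, true)` in the `@@ -373,13 +376,17 @@` hunk does not say what it switches, and this is the call that carries the PIN and the temp token. A one-line comment above the call would fix that, e.g. `//third arg: <what the flag does, e.g. skip the redirect to login on an auth failure>`. The definition of `upsert` is not in this diff, so the author needs to fill in the wording. Please also confirm that with this flag a rejected PIN is still thrown rather than returned in `res.error`, because the bad-PIN branch in the next hunk only runs from `catch`. The enclosing method starts and ends outside the hunk.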
@@ -389,12 +396,13 @@ export default { await this.step2(res); } catch (error) { - //bad creds? + //bad PIN? + if ( error.message && error.message.includes("ErrorUserNotAuthenticated") ) { - vm.errorBadCreds = true; + vm.pinError = vm.authPinInvalid; return; } //server closed by server state setting? @@ -429,6 +437,7 @@ export default { vm.tt = null; vm.pin = null; vm.errorBadCreds = false; + vm.pinError = []; vm.input.username = null; vm.input.password = null; vm.tfaDialog = false; @@ -511,6 +520,7 @@ export default { this.authTwoFactor = res.data.authTwoFactor; this.authEnterPin = res.data.authEnterPin; this.authVerifyCode = res.data.authVerifyCode; + this.authPinInvalid = res.data.authPinInvalid; this.tt = res.data.tt; this.cancel = res.data.cancel; this.pin = null;
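Review bot: In the `@@ -389,12 +396,13 @@` hunk a rejected PIN sets `pinError` and returns without clearing `vm.tt`, so the user can apparently retry with the same temp token, and nothing on the client bounds those retries. The cap on PIN attempts per temp token, and the token's expiry, must be enforced by the `auth/tfa-authenticate` endpoint, which this diff does not show. A comment at the `return;` would record that, e.g. `//retry allowed here; server must cap attempts per tempToken`. Separately, `vm.pinError = vm.authPinInvalid;` shows nothing if the translation never arrived, since the field starts as `null` and is only filled from `res.data.authPinInvalid` in the `@@ -511,6 +520,7 @@` hunk. A fallback such as `vm.pinError = vm.authPinInvalid || "ErrorUserNotAuthenticated";` keeps the failure visible. The catch block continues past the end of the hunk.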
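Review bot: `vm.pinError = [];` in the `@@ -429,6 +437,7 @@` hunk resets the field to an empty array, while the data declaration and the pre-submit reset in the earlier hunks use `null` and the failure path assigns a string. Use `vm.pinError = null;` here so the field has a single empty value that later checks can rely on. The enclosing handler begins and ends outside the hunk.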