diff --git a/auth.go b/auth.go
index 5c446a1..4021d04 100644
--- a/auth.go
+++ b/auth.go
@@ -3,6 +3,8 @@ package scsusers
 import (
 "fmt"
 "log"
+ "strconv"
+ "time"
 "golang.org/x/crypto/bcrypt"
 )
@@ -13,8 +15,23 @@ func Login(username, password string) bool {
 return false
 }
 if bcrypt.CompareHashAndPassword([]byte(u.Password), []byte(password)) != nil {
- log.Printf("scsusers.Login: Failed password for " + username)
- return false
+ rc, ok := u.Get("recoverycode")
+ if !ok || bcrypt.CompareHashAndPassword([]byte(u.Password), []byte(rc)) != nil {
+ log.Printf("scsusers.Login: Failed password for " + username)
+ return false
+ }
+ tmp, ok := u.Get("recoverytime")
+ if !ok {
+ log.Printf("scsusers.Login: recoverytime missing " + username)
+ return false
+ }
+ rt, _ := strconv.ParseInt(tmp, 10, 64)
+ if time.Now().Unix() > rt {
+ log.Printf("scsusers.Login: recovery time expired")
+ return false
+ }
+ u.Delete("recoverykey")
+ u.Delete("recoverytime")
 }
 log.Printf("User %s logged in\n", username)
 return true
diff --git a/emails.go b/emails.go
index 0650055..4129704 100644
--- a/emails.go
+++ b/emails.go
@@ -19,7 +19,7 @@ func RecoverByEmail(email string) {
 recoverycode := randBytes(16)
 u.Set("recoverycode", string(recoverycode))
- u.Set("recoverytime", fmt.Sprintf("%d", time.Now().Unix()))
+ u.Set("recoverytime", fmt.Sprintf("%d", time.Now().Add(time.Minute*60).Unix()))
 SendRecoveryEmail(email, email, string(recoverycode))
 }
diff --git a/meta.go b/meta.go
index a1205fe..7379001 100644
--- a/meta.go
+++ b/meta.go
@@ -22,6 +22,7 @@ func (u *UserData) Delete(key string) {
 if err != nil {
 log.Printf("scsauth: set: delete: %s", err.Error())
 }
+ delete(u.Meta, key)
 }
 }
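Review bot: The recovery branch in Login never compares the submitted `password` to the stored code: the added line `bcrypt.CompareHashAndPassword([]byte(u.Password), []byte(rc))` checks the recovery code against the user's password hash, which only passes when the code happens to equal the user's existing password, so the fallback as written cannot work and the value the caller typed is ignored. The check should be a constant-time comparison of the submitted password against the stored code, `if !ok || subtle.ConstantTimeCompare([]byte(password), []byte(rc)) != 1 {` (import `crypto/subtle`). The cleanup then calls `u.Delete("recoverykey")`, but the key written by RecoverByEmail and read a few lines earlier is `"recoverycode"`, so the code is never invalidated and stays a valid credential until `recoverytime` passes; it should be `u.Delete("recoverycode")`. The discarded error from `strconv.ParseInt` happens to fail closed (rt becomes 0), but a malformed value should be logged rather than silently treated as expired. Login's signature and the lookup that produces `u` are outside the hunk.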
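Review bot: The recovery code is stored in user metadata in the clear by `u.Set("recoverycode", string(recoverycode))`, so once Login honors it, anyone who can read that store holds a credential valid for the full hour set on the changed line; storing a digest instead (e.g. `sha256.Sum256(recoverycode)`, hex-encoded) and comparing the submitted value's digest in Login keeps a leaked store from being directly usable. The bare `time.Minute*60` deserves a named constant such as `const recoveryCodeTTL = 60 * time.Minute`, together with a comment stating that `recoverytime` now holds the expiry instant rather than the issue time, since Login's `time.Now().Unix() > rt` check depends on that meaning. Whether `string(randBytes(16))` is a printable value suitable for an email depends on randBytes, which is not shown; if it returns raw bytes, encode it (hex or base64) before storing and sending. The opening lines of RecoverByEmail, including where `u` comes from, are outside the hunk.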
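Review bot: The added `delete(u.Meta, key)` runs even when the preceding `err != nil` branch fired, so after a failed backing-store delete the in-memory map says the key is gone while the store presumably still holds it; for the recovery keys Login now removes, a code believed revoked would reappear on the next load. Either return after logging, `log.Printf("scsauth: set: delete: %s", err.Error()); return`, so the map and the store stay in agreement, or better, have Delete return the error so callers such as Login can refuse to proceed when invalidation fails. The statement that assigns `err` and the block enclosing this `if` are outside the hunk.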