diff --git a/bubble-server/src/main/java/bubble/resources/account/AuthResource.java b/bubble-server/src/main/java/bubble/resources/account/AuthResource.java
index e36d93fd..51bfa2dd 100644
--- a/bubble-server/src/main/java/bubble/resources/account/AuthResource.java
+++ b/bubble-server/src/main/java/bubble/resources/account/AuthResource.java
@@ -277,19 +277,19 @@ public class AuthResource {
 final String accountName = NameAndValue.find(data, DATA_ACCOUNT_NAME);
 final Account account = accountDAO.findById(accountName);
 if (caller != null && account != null && !caller.getUuid().equals(account.getUuid())) {
- return invalid("err.totpToken.invalid");
+ return invalid("err.approvalToken.invalid");
 }
 if (caller == null && account == null) {
- return invalid("err.totpToken.invalid");
+ return invalid("err.approvalToken.invalid");
 }
 caller = account;
 }
 final AccountMessage approval = messageService.approve(caller, getRemoteHost(req), token, data);
- if (approval == null) return invalid("err.totpToken.invalid");
+ if (approval == null) return invalid("err.approvalToken.invalid");
 final Account account = validateCallerForApproveOrDeny(caller, approval, token);
 if (approval.getMessageType() == AccountMessageType.confirmation) {
- if (account == null) return invalid("err.totpToken.invalid");
+ if (account == null) return invalid("err.approvalToken.invalid");
 if (approval.getAction() == AccountAction.login) {
 return ok(account.setToken(sessionDAO.create(account)));
 } else {
diff --git a/bubble-server/src/main/java/bubble/service/account/StandardAccountMessageService.java b/bubble-server/src/main/java/bubble/service/account/StandardAccountMessageService.java
index 9cae6216..55578f72 100644
--- a/bubble-server/src/main/java/bubble/service/account/StandardAccountMessageService.java
+++ b/bubble-server/src/main/java/bubble/service/account/StandardAccountMessageService.java
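Review bot: In the AuthResource hunk the key `"err.approvalToken.invalid"` is repeated as a string literal at all four return sites; a single constant, e.g. `private static final String ERR_APPROVAL_TOKEN_INVALID = "err.approvalToken.invalid";`, would keep them from drifting apart. That matters here because the four sites reject different conditions (caller/account mismatch, neither caller nor account, a rejected token, a missing account on confirmation), and returning one key for all of them keeps the response from indicating which check failed. If that uniformity is intended, a one-line comment above the first return saying so would stop a later edit from reintroducing distinct messages. The enclosing method starts and ends outside the hunk.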
@@ -128,6 +128,7 @@ public class StandardAccountMessageService implements AccountMessageService {
 if (approval == null) {
 return null;
 }
+ if (account == null) account = accountDAO.findByUuid(approval.getAccount());
 final AccountMessageApprovalStatus approvalStatus = messageDAO.requestApproved(account, approval);
 if (approvalStatus == AccountMessageApprovalStatus.ok_confirmed) {
 final AccountPolicy policy = policyDAO.findSingleByAccount(account.getUuid());
diff --git a/bubble-server/src/main/resources/message_templates/en_US/server/pre_auth/ResourceMessages.properties b/bubble-server/src/main/resources/message_templates/en_US/server/pre_auth/ResourceMessages.properties
index 588797a7..d26f1635 100644
--- a/bubble-server/src/main/resources/message_templates/en_US/server/pre_auth/ResourceMessages.properties
+++ b/bubble-server/src/main/resources/message_templates/en_US/server/pre_auth/ResourceMessages.properties
@@ -85,7 +85,8 @@ err.timezone.unknown=An error occurred trying to determine the time zone
 err.timezone.length=Time zone is too long
 err.timezone.required=Time zone is required
-# Authenticator token errors
+# Token errors
+err.approvalToken.invalid=Code is incorrect or no longer valid
 err.totpToken.invalid=Code is incorrect
 err.totpToken.invalidActionTarget=Action target was invalid (expected 'account' or 'network')
 err.totpToken.noSession=Session required for authenticator
diff --git a/bubble-web b/bubble-web
index 519e0e49..588df941 160000
--- a/bubble-web
+++ b/bubble-web
@@ -1 +1 @@
-Subproject commit 519e0e4948ae275886913a8e4e956bd3b9d7e38b
+Subproject commit 588df94156b229b7cfebd1e3364ab00aebd319b0
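Review bot: The new fallback in the StandardAccountMessageService hunk, `if (account == null) account = accountDAO.findByUuid(approval.getAccount());`, does not check the lookup result, so a null account would flow into `messageDAO.requestApproved(account, approval)` and, on the `ok_confirmed` branch, into `account.getUuid()`. If the account referenced by the message no longer exists, the request would presumably fail with a NullPointerException instead of the null return that AuthResource maps to `err.approvalToken.invalid`; adding `if (account == null) return null;` directly after the lookup keeps that case on the uniform error path. With this line an unauthenticated request is bound to an account by the token alone, so a short comment stating that the token is the only credential on this path, and where its validity window is enforced (not visible here), would help the next reader. The enclosing method starts and ends outside the hunk.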