diff --git a/packages/accounts-base/accounts_common.js b/packages/accounts-base/accounts_common.js
index 02f24f4359..b94e927a2d 100644
--- a/packages/accounts-base/accounts_common.js
+++ b/packages/accounts-base/accounts_common.js
@@ -14,6 +14,8 @@ const VALID_CONFIG_KEYS = [
 'ambiguousErrorMessages',
 'bcryptRounds',
 'defaultFieldSelector',
+ 'loginTokenExpirationHours',
+ 'tokenSequenceLength',
 ];
 
 /**
@@ -218,6 +220,8 @@ export class AccountsCommon {
 * @param {Number} options.passwordEnrollTokenExpiration The number of milliseconds from when a link to set initial password is sent until token expires and user can't set password with the link anymore. If `passwordEnrollTokenExpirationInDays` is set, it takes precedent.
 * @param {Boolean} options.ambiguousErrorMessages Return ambiguous error messages from login failures to prevent user enumeration. Defaults to false.
 * @param {MongoFieldSpecifier} options.defaultFieldSelector To exclude by default large custom fields from `Meteor.user()` and `Meteor.findUserBy...()` functions when called without a field selector, and all `onLogin`, `onLoginFailure` and `onLogout` callbacks. Example: `Accounts.config({ defaultFieldSelector: { myBigArray: 0 }})`. Beware when using this. If, for instance, you do not include `email` when excluding the fields, you can have problems with functions like `forgotPassword` that will break because they won't have the required data available. It's recommend that you always keep the fields `_id`, `username`, and `email`.
+ * @param {Number} options.loginTokenExpirationHours When using the package `accounts-2fa`, use this to set the amount of time a token sent is valid. As it's just a number, you can use, for example, 0.5 to make the token valid for just half hour. The default is 1 hour.
+ * @param {Number} options.tokenSequenceLength When using the package `accounts-2fa`, use this to the size of the token sequence generated. The default is 6.
 */
 config(options) {
 // We don't want users to accidentally only call Accounts.config on the
diff --git a/packages/accounts-passwordless/passwordless_server.js b/packages/accounts-passwordless/passwordless_server.js
index 2638c038c3..bd6d33acaf 100644
--- a/packages/accounts-passwordless/passwordless_server.js
+++ b/packages/accounts-passwordless/passwordless_server.js
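Review bot: Both new @param entries in the AccountsCommon JSDoc attribute `loginTokenExpirationHours` and `tokenSequenceLength` to the `accounts-2fa` package, but the only consumer this commit adds reads `Accounts._options.loginTokenExpirationHours` from `accounts-passwordless/passwordless_server.js`, so the package reference looks wrong or at least incomplete and should be checked before it ships. The `tokenSequenceLength` line is also missing its verb (`use this to the size of the token sequence generated`); I would write `use this to set the length of the generated token sequence. The default is 6.` In the other entry `half hour` should read `half an hour`, and it is worth stating that only an `undefined` value falls back to the 1-hour default, since the consumer destructures it with `= 1` rather than validating it.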
@@ -1,5 +1,5 @@
 import { Accounts } from 'meteor/accounts-base';
-import {getUserById, NonEmptyString, tokenValidator} from './server_utils';
+import { getUserById, NonEmptyString, tokenValidator } from './server_utils';
 import { Random } from 'meteor/random';
 
 const ONE_HOUR_IN_MILLISECONDS = 60 * 60 * 1000;
@@ -11,11 +11,12 @@ const checkToken = ({ user, sequence, selector }) => {
 const { createdAt, token: userToken } = user.services.passwordless;
+ const { loginTokenExpirationHours = 1 } = Accounts._options || {};
+
 if (
 new Date(
- createdAt.getTime() +
- Accounts._options.loginTokenExpirationHours * ONE_HOUR_IN_MILLISECONDS
- ) >= new Date()
+ createdAt.getTime() + loginTokenExpirationHours * ONE_HOUR_IN_MILLISECONDS
+ ) <= new Date()
 ) {
 result.error = Accounts._handleError('Expired token', false);
 }
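Review bot: The expiry check in checkToken fails open when `loginTokenExpirationHours` is configured with a non-finite or non-numeric value: the `= 1` default in the new destructuring only covers `undefined`, and for `NaN`, `Infinity` or a non-numeric string the `new Date(...)` built on the following lines is an Invalid Date, whose `<=` comparison with `new Date()` is always false, so `result.error` is never set and the token never expires. Compute the deadline once and reject anything that is not a finite timestamp: `const expiresAt = createdAt.getTime() + loginTokenExpirationHours * ONE_HOUR_IN_MILLISECONDS;` followed by `if (!Number.isFinite(expiresAt) || expiresAt <= Date.now()) {`. The same mis-configuration could alternatively be rejected up front in `config()` next to the `VALID_CONFIG_KEYS` entries added in accounts_common.js, which as far as that hunk shows only whitelist the key names. The flipped comparison (`>=` to `<=`) itself looks correct; `checkToken` starts and ends outside the hunk.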