diff --git a/verifyOTP.php b/verifyOTP.php
index 81d0c45..df7c577 100644
--- a/verifyOTP.php
+++ b/verifyOTP.php
@@ -34,15 +34,14 @@ if ($ad == null) {
 debug($ad);
 }
-//// Check the client ID
+//// Check the client ID - does the client own the Yubikey?
 //
-// TODO - This may be too strict. Since our database doesn't keep track of that
-//if ($ad['client_id'] != $client) {
-// debug('Client-'.$client.' is not the owner of the Yubikey! The key will be suspended with excessive failed attempts.');
-// sendResp(S_BAD_CLIENT, 'Not owner of the Yubikey');
-// exit;
-//}
+if ($ad['chk_owner'] && $ad['client_id'] != $client) {
+ debug('Client-'.$client.' is not the owner of the Yubikey!');
+ sendResp(S_BAD_CLIENT, 'Not owner of the Yubikey');
+ exit;
+}
 $k = b64ToModhex($ad['secret']);
 //debug('aes key in modhex = '.$k);
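Review bot: The new ownership gate `if ($ad['chk_owner'] && $ad['client_id'] != $client)` fails open in two ways: if the `chk_owner` key is absent from the `$ad` row PHP only emits a notice and the whole check is skipped, and `!=` is a loose comparison, so a client id that is a numeric string may compare equal to a different stored value under PHP's numeric-string rules. Since this is an authorization decision on a request-supplied `$client`, make the flag lookup explicit and compare normalized types: `if (!empty($ad['chk_owner']) && (string) $ad['client_id'] !== (string) $client) {`. It would also help to note in the comment above it which table column `chk_owner` comes from and that an unset flag deliberately disables the check, if that is the intent. The hunk opens inside the `if ($ad == null)` block, whose start is outside the hunk.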