diff --git a/common.php b/common.php
index b163cd2..4ed43ef 100644
--- a/common.php
+++ b/common.php
@@ -9,7 +9,8 @@ define('S_NO_SUCH_CLIENT', 'NO_SUCH_CLIENT');
 define('S_OPERATION_NOT_ALLOWED', 'OPERATION_NOT_ALLOWED');
 define('S_BACKEND_ERROR', 'BACKEND_ERROR');
 define('TS_SEC', 0.119);
-define('TS_TOLERANCE', 0.3);
+define('TS_REL_TOLERANCE', 0.3);
+define('TS_ABS_TOLERANCE', 20);
 require_once 'yubikey.php';
 require_once 'config.php';
diff --git a/verify.php b/verify.php
index 09adae3..22b83d9 100644
--- a/verify.php
+++ b/verify.php
@@ -132,15 +132,15 @@ if ($sessionCounter == $seenSessionCounter && $sessionUse > $seenSessionUse) {
 $now = time();
 $elapsed = $now - $lastTime;
 $deviation = abs($elapsed - $tsDelta);
- $percent = round(100*$deviation/$elapsed);
+ $percent = $deviation/$elapsed;
 debug("Timestamp seen=" . $seenTs . " this=" . $ts . " delta=" . $tsDiff . ' secs=' . $tsDelta . ' accessed=' . $lastTime .' (' . $ad['accessed'] . ') now=' . $now . ' (' . strftime("%Y-%m-%d %H:%M:%S", $now) . ') elapsed=' . $elapsed . ' deviation=' . $deviation . ' secs or '.
- $percent . '%');
- if ($deviation > TS_TOLERANCE * $elapsed) {
+ round(100*$percent) . '%');
+ if ($deviation > TS_ABS_TOLERANCE && $percent > TS_REL_TOLERANCE) {
 debug("OTP failed phishing test");
 if ($ad['chk_time']) {
 sendResp(S_DELAYED_OTP);
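Review bot: TS_ABS_TOLERANCE and TS_REL_TOLERANCE are added without a comment stating their units, and they read as the same kind of number although one is seconds and the other a ratio (verify.php compares `$deviation`, a difference of `time()` values, against TS_ABS_TOLERANCE, and `$deviation/$elapsed` against TS_REL_TOLERANCE). Suggest `// Timestamp-deviation thresholds for the phishing test in verify.php; an OTP fails only when the deviation exceeds both.` on the line before the pair, with `// seconds` after TS_ABS_TOLERANCE and `// fraction of elapsed time` after TS_REL_TOLERANCE. That same comment should state the consequence of the AND in verify.php: a deviation of 20 seconds or less never trips the check at any elapsed time, whereas the old single ratio rejected e.g. 4 s of deviation over a 5 s interval. If that relaxation is the intent (timer granularity, clock drift), saying so keeps a later reader from tightening it back by accident, and if not, the absolute threshold looks too wide for short intervals.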
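Review bot: `$percent = $deviation/$elapsed;` still divides by an unguarded `$elapsed`, which is `time() - $lastTime` and can be 0 when two OTPs from the same session arrive within one second (PHP 8 throws DivisionByZeroError there; older PHP yields INF or NAN with a warning, and NAN makes `$percent > TS_REL_TOLERANCE` false). A negative `$elapsed`, possible if `$lastTime` is ahead of the server clock, gives a negative ratio that also passes the relative test silently. Suggest `$percent = ($elapsed > 0) ? $deviation/$elapsed : INF;` so an ill-defined ratio counts as maximal deviation and the decision rests on the absolute threshold; if a skewed clock is meant to be tolerated rather than treated as phishing, handle `$elapsed < 0` separately. Since the variable now holds a fraction rather than a percentage, renaming it (e.g. `$ratio`) and keeping `round(100*$ratio)` only in the debug line would stop the name from misleading. `$lastTime` and the enclosing `if` on session counters are set before this hunk.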