diff --git a/auth_totp/controllers/main.py b/auth_totp/controllers/main.py
index d1ef90c7c..384437f9a 100644
--- a/auth_totp/controllers/main.py
+++ b/auth_totp/controllers/main.py
@@ -42,18 +42,18 @@ class AuthTotp(Home):
 
     @http.route('/auth_totp/login', type='http', auth='none', methods=['POST'])
     def mfa_login_post(self, *args, **kwargs):
-        """Process MFA login attempt
+        """Process MFA login attempt.
 
         Overview:
             * Identify current user based on login in session. If this doesn't
-              work, redirect to the password login page with an error message
+              work, redirect to the password login page with an error message.
             * Validate the confirmation code provided by the user. If it's not
-              valid, redirect to the previous login step with an error message
+              valid, redirect to the previous login step with an error message.
             * Update the session to indicate that the MFA login process for
-              this user is complete and attempt password authentication again
+              this user is complete and attempt password authentication again.
             * Build a trusted device cookie and add it to the response if the
-              trusted device option was checked
-            * Redirect to the provided URL or to '/web' if one was not given
+              trusted device option was checked.
+            * Redirect to the provided URL or to '/web' if one was not given.
         """
 
         # sudo() is required because there is no request.env.uid (likely since
diff --git a/auth_totp/migrations/10.0.2.0.0/post-migrate.py b/auth_totp/migrations/10.0.2.0.0/post-migrate.py
index 4ea21b323..7838c6a40 100644
--- a/auth_totp/migrations/10.0.2.0.0/post-migrate.py
+++ b/auth_totp/migrations/10.0.2.0.0/post-migrate.py
@@ -2,18 +2,18 @@
 # Copyright 2017 LasLabs Inc.
 # License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html).
 
-import uuid
+from uuid import uuid4
 from odoo import api, SUPERUSER_ID
 
 
 def migrate(cr, version):
-    """Generate cookie keys for all users with MFA enabled and clean up"""
+    """Generate cookie keys for all users with MFA enabled and clean up."""
     env = api.Environment(cr, SUPERUSER_ID, {})
     user_model = env['res.users'].with_context(active_test=False)
     mfa_users = user_model.search([('mfa_enabled', '=', True)])
 
     for mfa_user in mfa_users:
-        mfa_user.trusted_device_cookie_key = uuid.uuid4()
+        mfa_user.trusted_device_cookie_key = uuid4()
 
     # Clean up ir records for device model to prevent warnings
     removed_model = 'res.users.device'
diff --git a/auth_totp/models/res_users.py b/auth_totp/models/res_users.py
index d3dd86147..c04a539f5 100644
--- a/auth_totp/models/res_users.py
+++ b/auth_totp/models/res_users.py
@@ -2,7 +2,7 @@
 # Copyright 2016-2017 LasLabs Inc.
 # License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl.html).
 
-import uuid
+from uuid import uuid4
 from odoo import _, api, fields, models
 from odoo.exceptions import ValidationError
 from odoo.http import request
@@ -39,7 +39,7 @@ class ResUsers(models.Model):
     def _compute_trusted_device_cookie_key(self):
         for record in self:
             if record.mfa_enabled:
-                record.trusted_device_cookie_key = uuid.uuid4()
+                record.trusted_device_cookie_key = uuid4()
             else:
                 record.trusted_device_cookie_key = False
 
@@ -56,30 +56,27 @@ class ResUsers(models.Model):
 
     @api.model
     def check_credentials(self, password):
-        """Add MFA logic to core authentication process
+        """Add MFA logic to core authentication process.
 
         Overview:
-            * If user does not have MFA enabled, defer to parent logic
+            * If user does not have MFA enabled, defer to parent logic.
             * If user has MFA enabled and has gone through MFA login process
-              this session or has correct device cookie, defer to parent logic
+              this session or has correct device cookie, defer to parent logic.
             * If neither of these is true, call parent logic. If successful,
               prevent auth while updating session to indicate that MFA login
-              process can now commence
+              process can now commence.
         """
-        user_model_sudo = self.sudo()
-        user = user_model_sudo.search([('id', '=', self.env.uid)])
-
-        if not user.mfa_enabled:
+        if not self.env.user.mfa_enabled:
             return super(ResUsers, self).check_credentials(password)
 
         if request:
-            if request.session.get('mfa_login_active') == user.id:
+            if request.session.get('mfa_login_active') == self.env.uid:
                 return super(ResUsers, self).check_credentials(password)
 
-            cookie_key = 'trusted_devices_%d' % user.id
+            cookie_key = 'trusted_devices_%d' % self.env.uid
             device_cook = request.httprequest.cookies.get(cookie_key)
             if device_cook:
-                secret = user.trusted_device_cookie_key
+                secret = self.env.user.trusted_device_cookie_key
                 device_cook = JsonSecureCookie.unserialize(device_cook, secret)
                 if device_cook:
                     return super(ResUsers, self).check_credentials(password)