diff --git a/CHANGELOG.md b/CHANGELOG.md
index 408b28ca1d339d02bcea7ac8a01b2da0a834a20d..321e802a8e04f0968922da340c12a7099a23d48f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,7 @@
 ### New features
 TBD
 ### Bug fixes
+- Fix MFA login failure when the totp `dict`'s attempted codes list changes size while being processed ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/899))
 - Resolve additional json being appended to downloaded files ([Merge Request](https://gitlab.com/crafty-controller/crafty-4/-/merge_requests/902))
 ### Tweaks
 TBD
diff --git a/app/classes/controllers/totp_controller.py b/app/classes/controllers/totp_controller.py
index 8aa807eeac6281f3ad641ce19824371f1d477f6f..057fd0042ee82239a427492a0f8d0b6d49060e98 100644
--- a/app/classes/controllers/totp_controller.py
+++ b/app/classes/controllers/totp_controller.py
@@ -100,8 +100,9 @@ class TOTPController:
         """clears out totp codes older than 1 minute when one is sent"""
         now = datetime.now(tz=timezone.utc)
         # Clean up expired entries reclaim some memory
-        for key, totp_dict in self.used_totp_codes.items():
-            for item, timestamp in totp_dict.items():
+        for key, totp_dict in list(self.used_totp_codes.items()):
+            # Iterate over copy of dict (list) to prevent size change during iteration
+            for item, timestamp in list(totp_dict.items()):
                 if now - timestamp > timedelta(seconds=60):
                     # needs to ref the self var to remove expired entries
                     del self.used_totp_codes[  # pylint: disable=unnecessary-dict-index-lookup