diff --git a/CHANGELOG.md b/CHANGELOG.md
index fd32ea3..2ca9ab5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,7 @@
 - Fix: use correct password recovery url in welcome mail and add functionality to plain text version of the mail (@eluhr)
 - Fix: correct viewPath error in LoginWidget (niciz)
 - Enh: possibility to call all the api endpoints with either id or username or email (liviuk2)
+- Fix: use configured User model in SecurityController 2FA confirmation (jussiaho)
 
 ## 1.6.0 January 9, 2023
 
diff --git a/src/User/Controller/SecurityController.php b/src/User/Controller/SecurityController.php
index d7a3205..c49cf79 100644
--- a/src/User/Controller/SecurityController.php
+++ b/src/User/Controller/SecurityController.php
@@ -221,9 +221,10 @@ class SecurityController extends Controller
             $validators = $module->twoFactorAuthenticationValidators;
             $credentials = Yii::$app->session->get('credentials');
             $login = $credentials['login'];
-            $user = User::findOne(['email' => $login]);
+            $userModel = $this->getClassMap()->get(User::class);
+            $user = $userModel::findOne(['email' => $login]);
             if ($user == null) {
-                $user = User::findOne(['username' => $login]);
+                $user = $userModel::findOne(['username' => $login]);
             }
             $tfType = $user->getAuthTfType();