diff --git a/core/src/main/java/com/jongsoft/finance/core/exception/StatusException.java b/core/src/main/java/com/jongsoft/finance/core/exception/StatusException.java
index bccf8139..531ff7c4 100644
--- a/core/src/main/java/com/jongsoft/finance/core/exception/StatusException.java
+++ b/core/src/main/java/com/jongsoft/finance/core/exception/StatusException.java
@@ -34,6 +34,10 @@ public static StatusException notAuthorized(String message) {
 return new StatusException(401, message, null);
 }
 
+ public static StatusException forbidden(String message) {
+ return new StatusException(403, message, null);
+ }
+
 public static StatusException internalError(String message) {
 return new StatusException(500, message, null);
 }
diff --git a/fintrack-api/src/main/java/com/jongsoft/finance/rest/security/MultiFactorResource.java b/fintrack-api/src/main/java/com/jongsoft/finance/rest/security/MultiFactorResource.java
index 242e357a..69c71df4 100644
--- a/fintrack-api/src/main/java/com/jongsoft/finance/rest/security/MultiFactorResource.java
+++ b/fintrack-api/src/main/java/com/jongsoft/finance/rest/security/MultiFactorResource.java
@@ -46,7 +46,7 @@ public MultiFactorResource(
 public HttpResponse validateToken(@Valid @Body MultiFactorRequest verification, HttpRequest request) {
 var user = currentUserProvider.currentUser();
 if (!TwoFactorHelper.verifySecurityCode(user.getSecret(), verification.verificationCode())) {
- throw StatusException.notAuthorized("Invalid verification code");
+ throw StatusException.forbidden("Invalid verification code");
 }
 
 var authentication = Authentication.build(
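Review bot: The new `forbidden` factory carries no Javadoc saying when a caller should choose it over `notAuthorized`, and the two are easy to mix up at call sites. I would add a short comment above it, for example `/** Caller is authenticated but the request is refused (HTTP 403); use notAuthorized for missing or invalid credentials. */`. Whether the sibling factories are documented is not visible in this hunk, so follow whatever style the class already uses.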
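Review bot: The rejected-code branch in `validateToken` throws immediately, and nothing in the visible lines records the failure or limits repeated attempts. A verification code is short, so this endpoint should count failed attempts per user, throttle or lock after a few, and emit an audit event that monitoring can alert on. If that already happens in a filter or inside `TwoFactorHelper`, a comment on the branch would make it reviewable, e.g. `// failed attempts are throttled and audited in <component>`. The move from 401 to 403 also changes what clients observe, so any client or test that keys on 401 for a wrong code should be checked. The method body starts and ends outside this hunk.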