diff --git a/src/requests/login.cr b/src/requests/login.cr
index 3e84884..0fcd150 100644
--- a/src/requests/login.cr
+++ b/src/requests/login.cr
@@ -19,6 +19,12 @@ class AuthD::Request
 # No user means DODB::MissingEntry, so it's already covered.
 return Response::ErrorInvalidCredentials.new if user.nil?
+ # In case the user hasn't validated his email address,
+ # authentication shouldn't be possible.
+ if user.contact.activation_key
+ return Response::ErrorInvalidCredentials.new
+ end
+
 if user.password_hash != authd.hash_password @password
 return Response::ErrorInvalidCredentials.new
 end
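Review bot: The new `if user.contact.activation_key` guard returns before `authd.hash_password @password` is ever evaluated, so a login attempt against an unactivated account finishes without the hashing work that an activated account with a wrong password incurs, and the two cases become distinguishable by response time even though both return ErrorInvalidCredentials. Placing the activation check after the password comparison (keeping the same early return) makes the rejection uniform in both content and timing, and also avoids confirming an account's activation state to someone who does not know its password. The guard also depends on Crystal truthiness: only nil or false pass it, so if activation ever clears the key to an empty string rather than nil, an activated user would still be denied; the declared type of `activation_key` is not visible in this hunk, so worth confirming. The enclosing method starts and ends outside the hunk.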