diff --git a/lib/Controller/EmailRecoveryApiController.php b/lib/Controller/EmailRecoveryApiController.php
index 19acb1338c49f17cd0d17c296d168b988d06f680..967645f5e8117b2c46d558b68fca76410ddef66d 100644
--- a/lib/Controller/EmailRecoveryApiController.php
+++ b/lib/Controller/EmailRecoveryApiController.php
@@ -92,6 +92,6 @@ class EmailRecoveryApiController extends ApiController {
 private function checkAppCredentials(string $token) {
 $storage_secret = $_ENV['NEXTCLOUD_EMAIL_RECOVERY_APP_SECRET'];
- return strcmp($token, $storage_secret) === 0;
+ return hash_equals($storage_secret, $token);
 }
 }
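Review bot: `checkAppCredentials()` hands `$_ENV['NEXTCLOUD_EMAIL_RECOVERY_APP_SECRET']` to `hash_equals()` without checking that the secret is actually set and non-empty. If the variable is missing, `hash_equals()` receives null and on PHP 8 raises a TypeError instead of returning false, and if it is configured as an empty string an empty token compares equal and is accepted. Fail closed before the comparison: `if (!is_string($storage_secret) || $storage_secret === '') { return false; }`. `$_ENV` is also only populated when `variables_order` includes `E`, so it is worth confirming the deployment guarantees that or reading the secret with `getenv()`; a `: bool` return type on the method would make the contract explicit.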