diff --git a/securedrop/models.py b/securedrop/models.py
index cb63cee7655..909fee0a4e5 100644
--- a/securedrop/models.py
+++ b/securedrop/models.py
@@ -24,9 +24,9 @@
 
 from db import db
 
-from typing import Callable, Optional, Union, Dict, List, Any
+from typing import Callable, Optional, Union, Dict, List, Any, AnyStr
 from logging import Logger
-from pyotp import OTP
+from pyotp import TOTP, HOTP
 
 
 LOGIN_HARDENING = True
@@ -531,6 +531,9 @@ def valid_password(self, passphrase: 'Optional[str]') -> bool:
         if not passphrase:
             return False
 
+        # For type checking
+        assert isinstance(self.pw_hash, bytes)
+
         # Avoid hashing passwords that are over the maximum length
         if len(passphrase) > self.MAX_PASSWORD_LEN:
             raise InvalidPasswordLength(passphrase)
@@ -576,14 +579,14 @@ def set_hotp_secret(self, otp_secret: str) -> None:
         self.hotp_counter = 0
 
     @property
-    def totp(self) -> 'OTP':
+    def totp(self) -> 'TOTP':
         if self.is_totp:
             return pyotp.TOTP(self.otp_secret)
         else:
             raise ValueError('{} is not using TOTP'.format(self))
 
     @property
-    def hotp(self) -> 'OTP':
+    def hotp(self) -> 'HOTP':
         if not self.is_totp:
             return pyotp.HOTP(self.otp_secret)
         else:
@@ -690,6 +693,8 @@ def login(cls,
 
             # Prevent TOTP token reuse
             if user.last_token is not None:
+                # For type checking
+                assert isinstance(token, str)
                 if pyotp.utils.compare_digest(token, user.last_token):
                     raise BadTokenException("previously used two-factor code "
                                             "{}".format(token))