diff --git a/irc/accounts.go b/irc/accounts.go
index 2ec3fd26..9ab9b84d 100644
--- a/irc/accounts.go
+++ b/irc/accounts.go
@@ -198,6 +198,12 @@ func authPlainHandler(server *Server, client *Client, mechanism string, value []
 // load and check acct data all in one update to prevent races.
 // as noted elsewhere, change to proper locking for Account type later probably
 err = server.store.Update(func(tx *buntdb.Tx) error {
+ // confirm account is verified
+ _, err = tx.Get(fmt.Sprintf(keyAccountVerified, accountKey))
+ if err != nil {
+ return errSaslFail
+ }
+
 creds, err := loadAccountCredentials(tx, accountKey)
 if err != nil {
 return err
@@ -251,6 +257,12 @@ func authExternalHandler(server *Server, client *Client, mechanism string, value
 return errSaslFail
 }
 
+ // confirm account is verified
+ _, err = tx.Get(fmt.Sprintf(keyAccountVerified, accountKey))
+ if err != nil {
+ return errSaslFail
+ }
+
 // confirm the certfp in that account's credentials
 creds, err := loadAccountCredentials(tx, accountKey)
 if err != nil || creds.Certificate != client.certfp {
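Review bot: The added verification check in authPlainHandler (and the identical one in authExternalHandler) discards the stored value and treats every `tx.Get` error as "not verified", so the gate rests on key presence alone and a store failure looks the same as an unverified account. That fails closed, which is the right default for SASL, but it is worth confirming that registration never writes `keyAccountVerified` with a false-like value for an unverified account, and recording the convention in the comment, e.g. `// verified flag is key presence; the value is ignored`. In the first hunk the check also assigns to the `err` captured from the enclosing function just before `creds, err :=` declares a new one in the closure (the second hunk appears to follow the same pattern); scoping it avoids the mix: `if _, err := tx.Get(fmt.Sprintf(keyAccountVerified, accountKey)); err != nil { return errSaslFail }`. Both handler bodies start and end outside the hunks shown.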