diff --git a/lib/auth/legacy.js b/lib/auth/legacy.js
index 9aa3696625011..5cea1d80f4539 100644
--- a/lib/auth/legacy.js
+++ b/lib/auth/legacy.js
@@ -52,7 +52,7 @@ function login (conf) {
     })
     .catch((err) => {
       if (err.code !== 'EOTP') throw err
-      return read.otp('Authenticator provided OTP:').then((otp) => {
+      return read.otp('Enter one-time password from your authenticator: ').then((otp) => {
         conf.auth.otp = otp
         const u = conf.creds.username
         const p = conf.creds.password
diff --git a/lib/profile.js b/lib/profile.js
index 18bc8158eb9c0..bdd5df74dea92 100644
--- a/lib/profile.js
+++ b/lib/profile.js
@@ -195,7 +195,7 @@ function set (args) {
       newUser[prop] = value
       return profile.set(newUser, conf).catch((err) => {
         if (err.code !== 'EOTP') throw err
-        return readUserInfo.otp('Enter OTP:  ').then((otp) => {
+        return readUserInfo.otp().then((otp) => {
           conf.auth.otp = otp
           return profile.set(newUser, conf)
         })
@@ -262,7 +262,7 @@ function enable2fa (args) {
         return pulseTillDone.withPromise(profile.set({tfa: {password, mode: 'disable'}}, conf))
       } else {
         if (conf.auth.otp) return
-        return readUserInfo.otp('Enter OTP:  ').then((otp) => {
+        return readUserInfo.otp('Enter one-time password from your authenticator: ').then((otp) => {
           conf.auth.otp = otp
         })
       }
diff --git a/lib/token.js b/lib/token.js
index 8745bf9b0e481..d442d37eb806b 100644
--- a/lib/token.js
+++ b/lib/token.js
@@ -164,7 +164,7 @@ function rm (args) {
       return profile.removeToken(key, conf).catch((ex) => {
         if (ex.code !== 'EOTP') throw ex
         log.info('token', 'failed because revoking this token requires OTP')
-        return readUserInfo.otp('Authenticator provided OTP:').then((otp) => {
+        return readUserInfo.otp().then((otp) => {
           conf.auth.otp = otp
           return profile.removeToken(key, conf)
         })
@@ -192,7 +192,7 @@ function create (args) {
     return profile.createToken(password, readonly, validCIDR, conf).catch((ex) => {
       if (ex.code !== 'EOTP') throw ex
       log.info('token', 'failed because it requires OTP')
-      return readUserInfo.otp('Authenticator provided OTP:').then((otp) => {
+      return readUserInfo.otp().then((otp) => {
         conf.auth.otp = otp
         log.info('token', 'creating with OTP')
         return pulseTillDone.withPromise(profile.createToken(password, readonly, validCIDR, conf))