diff --git a/src/config.rs b/src/config.rs
index a66d5f2..58dc394 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -167,14 +167,32 @@ impl PasswordHelper {
 use PasswordHelper::*;
 match self {
 Systemd => unimplemented!(),
- Stdin => Ok(rpassword::read_password_from_tty(Some("Password: "))?),
+ Stdin => Ok(rpassword::read_password_from_tty(Some("Password: "))
+ .map_err(|e| Fido2LuksError::AskPassError {
+ cause: AskPassError::IO(e),
+ })
+ .and_then(|pass| {
+ match rpassword::read_password_from_tty(Some("Password again: ")).map_err(|e| {
+ Fido2LuksError::AskPassError {
+ cause: AskPassError::IO(e),
+ }
+ }) {
+ Ok(ref pass2) if &pass == pass2 => Ok(pass),
+ Ok(_) => Err(Fido2LuksError::AskPassError {
+ cause: error::AskPassError::Mismatch,
+ }),
+ e => e,
+ }
+ })?),
 Script(password_helper) => {
 let mut helper_parts = password_helper.split(" ");
 let password = Command::new((&mut helper_parts).next().unwrap())
 .args(helper_parts)
 .output()
- .map_err(|e| Fido2LuksError::AskPassError { cause: e })?
+ .map_err(|e| Fido2LuksError::AskPassError {
+ cause: error::AskPassError::IO(e),
+ })?
 .stdout;
 Ok(String::from_utf8(password)?.trim().to_owned())
 }
diff --git a/src/error.rs b/src/error.rs
index c707840..97bfb0a 100644
--- a/src/error.rs
+++ b/src/error.rs
@@ -1,12 +1,12 @@
 use ctap::FidoError;
-use std::io;
+use std::{fmt, io};
 pub type Fido2LuksResult = Result;
 #[derive(Debug, Fail)]
 pub enum Fido2LuksError {
 #[fail(display = "unable to retrieve password: {}", cause)]
- AskPassError { cause: io::Error },
+ AskPassError { cause: AskPassError },
 #[fail(display = "unable to read keyfile: {}", cause)]
 KeyfileError { cause: io::Error },
 #[fail(display = "authenticator error: {}", cause)]
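Review bot: The `Stdin` arm now prompts twice on every call, so the retype check that suits choosing a new secret is also imposed wherever this helper is used to unlock, where it only adds a way to fail; the callers are outside this hunk, so confirm that is intended or let the caller opt in to the second prompt. The arm is also harder to read than it needs to be: an `and_then` around a `match` ending in `e => e`, the same `map_err` closure written twice, and the variant spelled both `AskPassError::IO` and `error::AskPassError::Mismatch`. The sketch below does the same with one closure and `?`; it assumes the enclosing function, whose signature is not in the hunk, returns `Fido2LuksError`. In the `Script` arm the exit status is still not inspected after `.output()`, so a helper that fails without printing anything appears to produce an empty password instead of an `AskPassError`.

```rust
Stdin => {
    // One place for the tty read and its error mapping.
    let ask = |prompt: &str| {
        rpassword::read_password_from_tty(Some(prompt)).map_err(|e| {
            Fido2LuksError::AskPassError {
                cause: AskPassError::IO(e),
            }
        })
    };
    let pass = ask("Password: ")?;
    let again = ask("Password again: ")?;
    if pass == again {
        Ok(pass)
    } else {
        Err(Fido2LuksError::AskPassError {
            cause: AskPassError::Mismatch,
        })
    }
}
// … unchanged: Script(password_helper) arm …
```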
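Review bot: `fmt` is pulled in by the new `use std::{fmt, io};`, but nothing in the visible hunks of `src/error.rs` refers to it, so unless a `fmt::Display` impl sits outside the diff this will warn as an unused import and `use std::io;` can stay as it was. The `cause` field of `Fido2LuksError::AskPassError` also changes type from `io::Error` to the new enum, which breaks any code outside this diff that constructs or matches on that field; only the `config.rs` sites shown here are updated.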
@@ -32,6 +32,14 @@ pub enum ConfigurationError {
 MissingField(String),
 }
+#[derive(Debug, Fail)]
+pub enum AskPassError {
+ #[fail(display = "unable to retrieve password: {}", _0)]
+ IO(io::Error),
+ #[fail(display = "provided passwords don't match")]
+ Mismatch,
+}
+
 impl From for Fido2LuksError {
 fn from(e: serde_json::error::Error) -> Self {
 Fido2LuksError::ConfigurationError {
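Review bot: The `IO` variant's display string repeats the prefix that `Fido2LuksError::AskPassError` already adds in the first hunk of this file, so an I/O failure would render as "unable to retrieve password: unable to retrieve password: …"; `#[fail(display = "{}", _0)]` on `IO(io::Error)` avoids the doubling. The new public enum and its variants carry no doc comments; a `///` line on each saying when it is returned (the tty or helper read failed; the two typed passwords differ) would help callers decide whether to re-prompt. `Io` would follow the usual Rust acronym casing, though renaming it means touching the `config.rs` call sites as well.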