diff --git a/oauth3.core.js b/oauth3.core.js
index 5d46546..1328160 100644
--- a/oauth3.core.js
+++ b/oauth3.core.js
@@ -169,7 +169,7 @@
     return result;
   };
 
-  core.loginCode = function (directive, username, opts) {
+  core.loginCode = function (directive, opts) {
     //
     // Example Resource Owner Password Request
     // (generally for 1st party and direct-partner mobile apps, and webapps)
@@ -183,7 +183,7 @@
 
     var args = directive.otp;
     var params = {
-      "username": username || opts.id || opts.username
+      "username": opts.id || opts.username
     , "request_otp": true // opts.requestOtp || undefined
     //, "jwt": opts.jwt // TODO sign a proof
     };
@@ -232,7 +232,9 @@
     var params = {
       "grant_type": grantType
     , "username": username
-    , "password": (opts.otpUuid && (opts.otpUuid + ':') || '') + passphrase // might be otpCode
+      // ('otp:' + opts.otpUuid + ':' + opts.otp)) // for backwards compat?
+      // ('totp:' + opts.totp) // for backwards compat?
+    , "password": passphrase || undefined
     , "totp": opts.totp || opts.totpToken || undefined
     , "otp": opts.otp || opts.otpCode || undefined
     , "otp_uuid": opts.otpUuid || undefined