diff --git a/services/identity/src/client_service.rs b/services/identity/src/client_service.rs
--- a/services/identity/src/client_service.rs
+++ b/services/identity/src/client_service.rs
@@ -390,6 +390,11 @@
 .map_err(handle_db_error)?
 {
 None => return Err(tonic::Status::invalid_argument("invalid nonce")),
+ Some(nonce) if nonce.is_expired() => {
+ // we don't need to remove the nonce from the table here
+ // because the DynamoDB TTL will take care of it
+ return Err(tonic::Status::aborted("nonce expired"));
+ }
 Some(_) => self
 .client
 .remove_nonce_from_nonces_table(&parsed_message.nonce)
diff --git a/services/identity/src/constants.rs b/services/identity/src/constants.rs
--- a/services/identity/src/constants.rs
+++ b/services/identity/src/constants.rs
@@ -149,7 +149,7 @@
 // Nonce
 pub const NONCE_LENGTH: usize = 17;
-pub const NONCE_TTL_DURATION: i64 = 30;
+pub const NONCE_TTL_DURATION: i64 = 120; // seconds
 // Identity
diff --git a/services/identity/src/nonce.rs b/services/identity/src/nonce.rs
--- a/services/identity/src/nonce.rs
+++ b/services/identity/src/nonce.rs
@@ -10,7 +10,7 @@
 pub fn generate_nonce_data(rng: &mut (impl Rng + CryptoRng)) -> NonceData {
 let nonce = Alphanumeric.sample_string(rng, NONCE_LENGTH);
 let created = Utc::now();
- let expiration_time = created + Duration::minutes(NONCE_TTL_DURATION);
+ let expiration_time = created + Duration::seconds(NONCE_TTL_DURATION);
 NonceData {
 nonce,
 created,
@@ -24,3 +24,9 @@
 pub created: DateTime,
 pub expiration_time: DateTime,
 }
+
+impl NonceData {
+ pub fn is_expired(&self) -> bool {
+ Utc::now() > self.expiration_time
+ }
+}
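Review bot: The comment in the new `Some(nonce) if nonce.is_expired()` arm understates why skipping the delete is safe: DynamoDB TTL deletion is lazy (AWS documents it as typically within 48 hours of expiration), so an expired row can still be read here, and it is the `is_expired()` guard, not the TTL, that keeps an expired nonce from being accepted. Suggested wording: `// No explicit delete needed: the is_expired() guard is the authoritative check; DynamoDB TTL deletion is lazy and only reclaims the row later.` Consider also whether `tonic::Status::aborted` is the right code, since ABORTED conventionally signals a concurrency conflict; `failed_precondition` or `unauthenticated` may describe an expired nonce more accurately to clients. The enclosing match and function start and end outside the hunk.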
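Review bot: `NONCE_TTL_DURATION` still carries its unit only in a trailing comment, and the defect this commit fixes in nonce.rs (`Duration::minutes` applied to a value meant as seconds) was exactly a unit mismatch at the use site. A doc comment on the constant, `/// Nonce lifetime in seconds; nonce.rs converts it with Duration::seconds and it must stay consistent with the DynamoDB TTL attribute.`, or a name carrying the unit such as `NONCE_TTL_DURATION_SECS`, makes the contract visible wherever it is read. The effective lifetime drops from 30 minutes to 2 minutes with this change; that appears intended, but stating it in the doc comment keeps a future edit from silently widening the replay window again.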
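Review bot: `is_expired` in the new `impl NonceData` block has no doc comment and reads the wall clock internally, so the guard it backs in client_service.rs cannot be unit-tested without waiting for real time to pass. Suggested doc: `/// True once the server clock has passed expiration_time; this is the authoritative freshness check, since DynamoDB TTL deletion is lazy.` A small refinement is `pub fn is_expired_at(&self, now: DateTime) -> bool { now > self.expiration_time }` with `is_expired` delegating to it via `Utc::now()`, so a test can pin the boundary. The comparison is strict, so a nonce checked exactly at `expiration_time` is still accepted; that is harmless but worth stating in the doc.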