diff --git a/src/crypto/verification/QRCode.js b/src/crypto/verification/QRCode.js
index 2eacf0041..f74ccc9cf 100644
--- a/src/crypto/verification/QRCode.js
+++ b/src/crypto/verification/QRCode.js
@@ -76,5 +76,12 @@ export class ReciprocateQRCode extends Base {
         if (this.startEvent.getContent()['secret'] !== this.request.encodedSharedSecret) {
             throw newKeyMismatchError();
         }
+
+        // If we've gotten this far, verify the user's master cross signing key
+        const xsignInfo = this._baseApis.getStoredCrossSigningInfo(this.userId);
+        if (!xsignInfo) throw new Error("Missing cross signing info");
+
+        const masterKey = xsignInfo.getId("master");
+        await this._verifyKeys(this.userId, [masterKey, masterKey]);
     }
 }