diff --git a/src/api2/access/mod.rs b/src/api2/access/mod.rs
index e6c70498..d77b2e97 100644
--- a/src/api2/access/mod.rs
+++ b/src/api2/access/mod.rs
@@ -40,7 +40,7 @@ enum AuthResult {
 CreateTicket,
 /// A partial ticket which requires a 2nd factor will be created.
- Partial(TfaChallenge),
+ Partial(Box),
 }
 fn authenticate_user(
@@ -110,7 +110,7 @@ fn authenticate_user(
 Ok(match crate::config::tfa::login_challenge(userid)? {
 None => AuthResult::CreateTicket,
- Some(challenge) => AuthResult::Partial(challenge),
+ Some(challenge) => AuthResult::Partial(Box::new(challenge)),
 })
 }
@@ -119,7 +119,7 @@ fn authenticate_2nd(
 challenge_ticket: &str,
 response: &str,
 ) -> Result {
- let challenge: TfaChallenge = Ticket::::parse(challenge_ticket)?
+ let challenge: Box = Ticket::::parse(challenge_ticket)?
 .verify_with_time_frame(public_auth_key(), "PBS", Some(userid.as_str()), -60..600)?
 .require_partial()?;
@@ -205,7 +205,7 @@ pub fn create_ticket(
 match authenticate_user(&username, &password, path, privs, port, tfa_challenge) {
 Ok(AuthResult::Success) => Ok(json!({ "username": username })),
 Ok(AuthResult::CreateTicket) => {
- let api_ticket = ApiTicket::full(username.clone());
+ let api_ticket = ApiTicket::Full(username.clone());
 let ticket = Ticket::new("PBS", &api_ticket)?.sign(private_auth_key(), None)?;
 let token = assemble_csrf_prevention_token(csrf_secret(), &username);
@@ -218,7 +218,7 @@ pub fn create_ticket(
 }))
 }
 Ok(AuthResult::Partial(challenge)) => {
- let api_ticket = ApiTicket::partial(challenge);
+ let api_ticket = ApiTicket::Partial(challenge);
 let ticket = Ticket::new("PBS", &api_ticket)?
 .sign(private_auth_key(), Some(username.as_str()))?;
 Ok(json!({
diff --git a/src/api2/access/openid.rs b/src/api2/access/openid.rs
index 4a12e571..3bc4df8e 100644
--- a/src/api2/access/openid.rs
+++ b/src/api2/access/openid.rs
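Review bot: In `authenticate_2nd` (src/api2/access/mod.rs), the edited `let challenge` statement is where a partial, pre-second-factor ticket is accepted, yet nothing on it explains the `Some(userid.as_str())` argument or the `-60..600` range passed to `verify_with_time_frame`. Since the line is being touched anyway, I would add a comment above it such as `// Partial ticket: verified with public_auth_key() and the userid as the extra argument; accepted only inside the -60..600 window (presumably seconds).` The `create_ticket` hunk further down signs the partial ticket with `Some(username.as_str())` while the full ticket is signed with `None`, so the comment could also say that the value used at signing and at verification has to stay in step. The signature and the remainder of the function body lie outside the hunk.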
@@ -200,7 +200,7 @@ pub fn openid_login(
 }
 }
- let api_ticket = ApiTicket::full(user_id.clone());
+ let api_ticket = ApiTicket::Full(user_id.clone());
 let ticket = Ticket::new("PBS", &api_ticket)?.sign(private_auth_key(), None)?;
 let token = assemble_csrf_prevention_token(csrf_secret(), &user_id);
diff --git a/src/server/ticket.rs b/src/server/ticket.rs
index ab6b7040..a651bc38 100644
--- a/src/server/ticket.rs
+++ b/src/server/ticket.rs
@@ -21,7 +21,7 @@ pub struct PartialTicket {
 /// parse the userid ticket content.
 pub enum ApiTicket {
 Full(Userid),
- Partial(tfa::TfaChallenge),
+ Partial(Box),
 }
 impl ApiTicket {
@@ -35,22 +35,12 @@ impl ApiTicket {
 /// Expect the ticket to contain a tfa challenge, otherwise error with a meaningful error
 /// message.
- pub fn require_partial(self) -> Result {
+ pub fn require_partial(self) -> Result, Error> {
 match self {
 ApiTicket::Full(_) => bail!("invalid tfa challenge"),
 ApiTicket::Partial(challenge) => Ok(challenge),
 }
 }
-
- /// Create a new full ticket.
- pub fn full(userid: Userid) -> Self {
- ApiTicket::Full(userid)
- }
-
- /// Create a new partial ticket.
- pub fn partial(challenge: tfa::TfaChallenge) -> Self {
- ApiTicket::Partial(challenge)
- }
 }
 impl fmt::Display for ApiTicket {
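Review bot: In `src/server/ticket.rs`, the `Full` and `Partial` variants of `pub enum ApiTicket` have no doc comments, and with the `full()`/`partial()` constructors removed in the next hunk of this file the variant name is all a caller reads when minting a ticket. I would add `/// Ticket issued once login is complete for this user.` above `Full(Userid)` and `/// Ticket that only carries a pending TFA challenge; a second factor is still required.` above `Partial(..)`. The second wording follows the existing comment on `AuthResult::Partial` in `src/api2/access/mod.rs`. The enum's own doc comment starts above the hunk, so check that it does not already say this.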