diff --git a/ansible/roles/gunicorn/templates/gunicorn.service.jinja2 b/ansible/roles/gunicorn/templates/gunicorn.service.jinja2
index fbf9912..0e6ec96 100644
--- a/ansible/roles/gunicorn/templates/gunicorn.service.jinja2
+++ b/ansible/roles/gunicorn/templates/gunicorn.service.jinja2
@@ -13,7 +13,7 @@ ExecStart={{ bin_dir }}/gunicorn --paste {{ ini_file }} --config {{ app_dir }}/g
 ExecReload=/bin/kill -s HUP $MAINPID
 ExecStop=/bin/kill -s TERM $MAINPID
 PrivateTmp=true
-Environment=prometheus_multiproc_dir=/tmp
+Environment=PROMETHEUS_MULTIPROC_DIR=/tmp
 Restart=always
 RestartSec=30
diff --git a/tildes/requirements-dev.txt b/tildes/requirements-dev.txt
index e74536c..b29fba1 100644
--- a/tildes/requirements-dev.txt
+++ b/tildes/requirements-dev.txt
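Review bot: In the `gunicorn.service.jinja2` hunk, `PROMETHEUS_MULTIPROC_DIR=/tmp` is only private to this service because of the `PrivateTmp=true` context line directly above it, and nothing in the unit records that dependency. I would add a comment above the Environment line, e.g. `# /tmp here is the unit's private tmp (PrivateTmp=true); do not point this at a shared directory`, so the two settings are not separated by a later edit. The rename to upper case presumably follows the prometheus-client bump to 0.11.0 in the same commit; whether any other unit or script still sets the lower-case name is not visible here.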
@@ -1,127 +1,128 @@ ago==0.0.93 -alembic==1.4.3 +alembic==1.6.5 appdirs==1.4.4 argon2-cffi==20.1.0 -astroid==2.6.2 -attrs==20.2.0 +astroid==2.6.5 +attrs==21.2.0 backcall==0.2.0 beautifulsoup4==4.9.3 -black==21.6b0 -bleach==3.2.1 -cached-property==1.5.2 -certifi==2020.6.20 -cffi==1.14.3 -chardet==3.0.4 -click==7.1.2 -cornice==5.0.3 -decorator==4.4.2 +black==21.7b0 +bleach==3.3.1 +certifi==2021.5.30 +cffi==1.14.6 +charset-normalizer==2.0.3 +click==8.0.1 +cornice==5.2.0 +decorator==5.0.9 dodgy==0.2.1 -flake8-polyfill==1.0.2 flake8==3.9.2 -freezegun==1.0.0 -gunicorn==20.0.4 +flake8-polyfill==1.0.2 +freezegun==1.1.0 +gunicorn==20.1.0 html5lib==1.1 -html5validator==0.3.3 -hupper==1.10.2 -idna==2.10 +html5validator==0.4.0 +hupper==1.10.3 +idna==3.2 iniconfig==1.1.1 -invoke==1.4.1 +invoke==1.6.0 +ipython==7.25.0 ipython-genutils==0.2.0 -ipython==7.19.0 isort==5.9.2 -jedi==0.17.2 -jinja2==2.11.2 +jedi==0.18.0 +jinja2==3.0.1 lazy-object-proxy==1.6.0 lupa==1.9 -mako==1.1.3 -markupsafe==1.1.1 -marshmallow==3.9.0 +mako==1.1.4 +markupsafe==2.0.1 +marshmallow==3.13.0 +matplotlib-inline==0.1.2 mccabe==0.6.1 -mypy-extensions==0.4.3 mypy==0.910 -packaging==20.4 -parso==0.7.1 +mypy-extensions==0.4.3 +packaging==21.0 +parso==0.8.2 pastedeploy==2.1.1 -pathspec==0.8.1 -pep517==0.10.0 +pathspec==0.9.0 +pep517==0.11.0 pep8-naming==0.12.0 pexpect==4.8.0 pickleshare==0.7.5 -pillow==8.0.1 +pillow==8.3.1 pip-tools==6.2.0 -plaster-pastedeploy==0.7 plaster==1.0 +plaster-pastedeploy==0.7 pluggy==0.13.1 -prometheus-client==0.8.0 -prompt-toolkit==3.0.8 +prometheus-client==0.11.0 +prompt-toolkit==3.0.19 git+https://github.com/Deimos/prospector.git#egg=prospector -psycopg2==2.8.6 -ptyprocess==0.6.0 +psycopg2==2.9.1 +ptyprocess==0.7.0 publicsuffix2==2.20160818 -py==1.9.0 +py==1.10.0 pycodestyle==2.7.0 pycparser==2.20 pydocstyle==6.1.1 pyflakes==2.3.1 pygit2==1.6.1 -pygments==2.7.2 +pygments==2.9.0 +pylint==2.9.5 pylint-plugin-utils==0.6 -pylint==2.9.3 -pyotp==2.4.1 +pyotp==2.6.0 pyparsing==2.4.7 
-pyramid-debugtoolbar==4.8 +pyramid==1.10.8 +pyramid-debugtoolbar==4.9 pyramid-ipython==0.2 pyramid-jinja2==2.8 pyramid-mako==1.1.0 pyramid-session-redis==1.5.0 pyramid-tm==2.4 pyramid-webassets==0.10 -pyramid==1.10.4 -pytest-mock==3.3.1 -pytest==6.1.2 -python-dateutil==2.8.1 +pytest==6.2.4 +pytest-mock==3.6.1 +python-dateutil==2.8.2 python-editor==1.0.4 pyyaml==5.4.1 -qrcode==6.1 +qrcode==7.2 redis==3.5.3 -regex==2020.10.28 +regex==2021.7.6 repoze.lru==0.7 -requests==2.24.0 +requests==2.26.0 requirements-detector==0.7 -sentry-sdk==0.19.1 +sentry-sdk==1.3.0 setoptconf==0.2.0 -six==1.15.0 +six==1.16.0 snowballstemmer==2.1.0 -soupsieve==2.0.1 -sqlalchemy-utils==0.36.8 -sqlalchemy==1.3.20 -stripe==2.55.0 +soupsieve==2.2.1 +sqlalchemy==1.3.24 +sqlalchemy-utils==0.37.8 +stripe==2.60.0 testing.common.database==2.0.3 testing.redis==1.1.1 -titlecase==1.1.1 +titlecase==2.3 toml==0.10.2 +tomli==1.0.4 traitlets==5.0.5 -transaction==3.0.0 +transaction==3.0.1 translationstring==1.4 -typed-ast==1.4.1 types-bleach==3.3.3 types-python-dateutil==0.1.4 types-redis==3.5.4 types-requests==2.25.0 typing-extensions==3.10.0.0 -urllib3==1.25.11 +urllib3==1.26.6 venusian==3.0.0 -waitress==1.4.4 +waitress==2.0.0 wcwidth==0.2.5 -webargs==6.1.1 +webargs==8.0.0 webassets==2.0 webencodings==0.5.1 -webob==1.8.6 +webob==1.8.7 webtest==2.0.35 +wheel==0.36.2 wrapt==1.12.1 zope.deprecation==4.4.0 -zope.interface==5.1.2 -zope.sqlalchemy==1.3 +zope.interface==5.4.0 +zope.sqlalchemy==1.5 # The following packages are considered to be unsafe in a requirements file: # pip diff --git a/tildes/requirements.txt b/tildes/requirements.txt index b09dfec..d570f0f 100644 --- a/tildes/requirements.txt +++ b/tildes/requirements.txt 
@@ -1,83 +1,84 @@ ago==0.0.93 -alembic==1.4.3 +alembic==1.6.5 argon2-cffi==20.1.0 backcall==0.2.0 beautifulsoup4==4.9.3 -bleach==3.2.1 -cached-property==1.5.2 -certifi==2020.6.20 -cffi==1.14.3 -chardet==3.0.4 -click==7.1.2 -cornice==5.0.3 -decorator==4.4.2 -gunicorn==20.0.4 +bleach==3.3.1 +certifi==2021.5.30 +cffi==1.14.6 +charset-normalizer==2.0.3 +click==8.0.1 +cornice==5.2.0 +decorator==5.0.9 +gunicorn==20.1.0 html5lib==1.1 -hupper==1.10.2 -idna==2.10 -invoke==1.4.1 +hupper==1.10.3 +idna==3.2 +invoke==1.6.0 +ipython==7.25.0 ipython-genutils==0.2.0 -ipython==7.19.0 -jedi==0.17.2 -jinja2==2.11.2 +jedi==0.18.0 +jinja2==3.0.1 lupa==1.9 -mako==1.1.3 -markupsafe==1.1.1 -marshmallow==3.9.0 -packaging==20.4 -parso==0.7.1 +mako==1.1.4 +markupsafe==2.0.1 +marshmallow==3.13.0 +matplotlib-inline==0.1.2 +packaging==21.0 +parso==0.8.2 pastedeploy==2.1.1 -pep517==0.10.0 +pep517==0.11.0 pexpect==4.8.0 pickleshare==0.7.5 -pillow==8.0.1 +pillow==8.3.1 pip-tools==6.2.0 -plaster-pastedeploy==0.7 plaster==1.0 -prometheus-client==0.8.0 -prompt-toolkit==3.0.8 -psycopg2==2.8.6 -ptyprocess==0.6.0 +plaster-pastedeploy==0.7 +prometheus-client==0.11.0 +prompt-toolkit==3.0.19 +psycopg2==2.9.1 +ptyprocess==0.7.0 publicsuffix2==2.20160818 pycparser==2.20 pygit2==1.6.1 -pygments==2.7.2 -pyotp==2.4.1 +pygments==2.9.0 +pyotp==2.6.0 pyparsing==2.4.7 +pyramid==1.10.8 pyramid-ipython==0.2 pyramid-jinja2==2.8 pyramid-session-redis==1.5.0 pyramid-tm==2.4 pyramid-webassets==0.10 -pyramid==1.10.4 -python-dateutil==2.8.1 +python-dateutil==2.8.2 python-editor==1.0.4 -pyyaml==5.3.1 -qrcode==6.1 +pyyaml==5.4.1 +qrcode==7.2 redis==3.5.3 -regex==2020.10.28 -requests==2.24.0 -sentry-sdk==0.19.1 -six==1.15.0 -soupsieve==2.0.1 -sqlalchemy-utils==0.36.8 -sqlalchemy==1.3.20 -stripe==2.55.0 -titlecase==1.1.1 +requests==2.26.0 +sentry-sdk==1.3.0 +six==1.16.0 +soupsieve==2.2.1 +sqlalchemy==1.3.24 +sqlalchemy-utils==0.37.8 +stripe==2.60.0 +titlecase==2.3 +tomli==1.0.4 traitlets==5.0.5 -transaction==3.0.0 
+transaction==3.0.1 translationstring==1.4 -urllib3==1.25.11 +urllib3==1.26.6 venusian==3.0.0 wcwidth==0.2.5 -webargs==6.1.1 +webargs==8.0.0 webassets==2.0 webencodings==0.5.1 -webob==1.8.6 +webob==1.8.7 +wheel==0.36.2 wrapt==1.12.1 zope.deprecation==4.4.0 -zope.interface==5.1.2 -zope.sqlalchemy==1.3 +zope.interface==5.4.0 +zope.sqlalchemy==1.5 # The following packages are considered to be unsafe in a requirements file: # pip
diff --git a/tildes/tildes/models/user/user.py b/tildes/tildes/models/user/user.py
index 933f4d7..2229824 100644
--- a/tildes/tildes/models/user/user.py
+++ b/tildes/tildes/models/user/user.py
@@ -269,6 +269,9 @@ class User(DatabaseModel):
 def is_correct_two_factor_code(self, code: str) -> bool:
 """Verify that a TOTP/backup code is correct."""
+ if not self.two_factor_secret:
+ raise ValueError("User does not have 2FA enabled")
+
 totp = TOTP(self.two_factor_secret)
 code = code.strip().replace(" ", "").lower()
diff --git a/tildes/tildes/views/decorators.py b/tildes/tildes/views/decorators.py
index 2c41123..6312178 100644
--- a/tildes/tildes/views/decorators.py
+++ b/tildes/tildes/views/decorators.py
@@ -12,11 +12,13 @@ from marshmallow.schema import Schema
 from pyramid.httpexceptions import HTTPFound
 from pyramid.request import Request
 from pyramid.view import view_config
-from webargs import dict2schema, pyramidparser
+from webargs import pyramidparser
 def use_kwargs(
- argmap: Union[Schema, dict[str, Field]], location: str = "query", **kwargs: Any
+ argmap: Union[Schema, dict[str, Union[Field, type]]],
+ location: str = "query",
+ **kwargs: Any
 ) -> Callable:
 """Wrap the webargs @use_kwargs decorator with preferred default modifications.
@@ -30,7 +32,7 @@ def use_kwargs(
 """
 # convert a dict argmap to a Schema (the same way webargs would on its own)
 if isinstance(argmap, dict):
- argmap = dict2schema(argmap)()
+ argmap = Schema.from_dict(argmap)()
 assert isinstance(argmap, Schema) # tell mypy the type is more restricted now
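Review bot: The docstring of `is_correct_two_factor_code` still promises only a boolean, but the added guard raises `ValueError` when `two_factor_secret` is empty, so a caller that does not check for 2FA first now gets an unhandled exception instead of a result. Add a line to the docstring such as `Raises ValueError if the user has no two-factor secret set.` and confirm that the login and settings views calling this method either check first or catch the error; those callers are not visible in this hunk. Failing closed rather than constructing a TOTP from an empty secret is the right direction. The rest of the method body lies outside the hunk.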
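Review bot: The comment above `Schema.from_dict(argmap)()` says this matches what webargs does on its own, but nothing in the change checks that claim across the 6.1.1 to 8.0.0 jump made in the requirements files. As far as I recall, webargs 7 changed the default handling of unknown fields per location, so this wrapper (default `location="query"`) may now accept or reject unexpected request parameters differently than before; a test that sends an extra query parameter through `use_kwargs` would settle it. Separately, `assert isinstance(argmap, Schema)` only narrows the type for mypy and is stripped under `-O`, which is fine as long as nothing treats it as input validation. The remainder of `use_kwargs` is outside the hunk.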