diff --git a/src/Microsoft.AspNet.Identity.Owin/DataProtectorTokenProvider.cs b/src/Microsoft.AspNet.Identity.Owin/DataProtectorTokenProvider.cs
index 0d84e81..4862053 100644
--- a/src/Microsoft.AspNet.Identity.Owin/DataProtectorTokenProvider.cs
+++ b/src/Microsoft.AspNet.Identity.Owin/DataProtectorTokenProvider.cs
@@ -126,7 +126,7 @@ public async Task<bool> ValidateAsync(string purpose, string token, UserManager<
 
                     if (manager.SupportsUserSecurityStamp)
                     {
-                        var expectedStamp = await manager.GetSecurityStampAsync(user.Id).WithCurrentCulture();
+                        var expectedStamp = await manager.GetSecurityStampAsync(user.Id).WithCurrentCulture() ?? string.Empty;
                         return stamp == expectedStamp;
                     }
                     return stamp == "";