diff --git a/totp/key_test.go b/totp/key_test.go
index f8f2941..b66c949 100644
--- a/totp/key_test.go
+++ b/totp/key_test.go
@@ -4,6 +4,7 @@ import (
 	"crypto/ecdh"
 	"crypto/rand"
 	"encoding/pem"
+	"math"
 	"testing"
 	"time"
 
@@ -342,12 +343,17 @@ func TestKey_skew_as_one(t *testing.T) {
 	numValid := 0
 	numIterations := 10
 
+	if timeSleep > uint(math.MaxInt) {
+		t.Fatalf("output length too large: %d", timeSleep)
+	}
+
 	// If skew is set to 0, the validation fails 60-70% of the time.
 	for range numIterations {
 		passCode, err := key.PassCode()
 		require.NoError(t, err, "failed to generate passcode")
 
 		// Sleep to validate passcode with an almost last-minute deadline.
+		//nolint:gosec // timeSleep is checked above
 		time.Sleep(time.Second * time.Duration(timeSleep))
 
 		if ok := key.Validate(passCode); ok {
diff --git a/totp/options.go b/totp/options.go
index 5da9296..d035816 100644
--- a/totp/options.go
+++ b/totp/options.go
@@ -2,6 +2,7 @@ package totp
 
 import (
 	"crypto/ecdh"
+	"math"
 
 	"github.com/pkg/errors"
 	"github.com/zeebo/blake3"
@@ -19,6 +20,12 @@ const (
 // OptionKDFDefault is the default key derivation function (KDF) for TOTP secret
 // key derivation from ECDH shared secret. The underlying KDF is BLAKE3.
 func OptionKDFDefault(secret, ctx []byte, outLen uint) ([]byte, error) {
+	// Check if outLen is within the int range
+	if outLen > uint(math.MaxInt) {
+		return nil, errors.Errorf("output length too large: %d", outLen)
+	}
+
+	//nolint:gosec // outLen is checked above
 	out := int(outLen)
 	if out <= 0 {
 		return nil, errors.Errorf("invalid output length: %d", out)
diff --git a/totp/options_test.go b/totp/options_test.go
index c258c71..4a76eec 100644
--- a/totp/options_test.go
+++ b/totp/options_test.go
@@ -53,9 +53,9 @@ func TestOptionKDFDefault_invalid_length(t *testing.T) {
 
 		require.Error(t, err,
 			"requesting key with length 0 should return an error")
+		require.Contains(t, err.Error(), "output length too large",
+			"error message must contain the error reason")
 		require.Nil(t, newSecret,
 			"returned key must be nil on error")
-		require.Contains(t, err.Error(), "invalid output length",
-			"error message must contain the error reason")
 	})
 }