diff --git a/internal/rtsp/rtsp.go b/internal/rtsp/rtsp.go
index 2e1d04e8..c680dd07 100644
--- a/internal/rtsp/rtsp.go
+++ b/internal/rtsp/rtsp.go
@@ -1,6 +1,7 @@
 package rtsp
 
 import (
+	"errors"
 	"io"
 	"net"
 	"net/url"
@@ -237,7 +238,7 @@ func tcpHandler(conn *rtsp.Conn) {
 	})
 
 	if err := conn.Accept(); err != nil {
-		if err == rtsp.FailedAuth {
+		if errors.Is(err, rtsp.FailedAuth) {
 			log.Warn().Str("remote_addr", conn.Connection.RemoteAddr).Msg("[rtsp] failed authentication")
 		} else if err != io.EOF {
 			log.WithLevel(level).Err(err).Caller().Send()
diff --git a/pkg/rtsp/server.go b/pkg/rtsp/server.go
index 9527e155..d7e89f5f 100644
--- a/pkg/rtsp/server.go
+++ b/pkg/rtsp/server.go
@@ -47,7 +47,7 @@ func (c *Conn) Accept() error {
 
 		c.Fire(req)
 
-		if !c.auth.Validate(req) {
+		if valid, empty := c.auth.Validate(req); !valid {
 			res := &tcp.Response{
 				Status:  "401 Unauthorized",
 				Header:  map[string][]string{"Www-Authenticate": {`Basic realm="go2rtc"`}},
@@ -56,13 +56,12 @@ func (c *Conn) Accept() error {
 			if err = c.WriteResponse(res); err != nil {
 				return err
 			}
-			if req.Header.Get("Authorization") != "" {
+			if empty {
 				// eliminate false positive: ffmpeg sends first request without
 				// authorization header even if the user provides credentials
-				return FailedAuth
-			} else {
 				continue
 			}
+			return FailedAuth
 		}
 
 		// Receiver: OPTIONS > DESCRIBE > SETUP... > PLAY > TEARDOWN
diff --git a/pkg/tcp/auth.go b/pkg/tcp/auth.go
index ac212fcf..3eb26024 100644
--- a/pkg/tcp/auth.go
+++ b/pkg/tcp/auth.go
@@ -85,14 +85,14 @@ func (a *Auth) Write(req *Request) {
 	}
 }
 
-func (a *Auth) Validate(req *Request) bool {
+func (a *Auth) Validate(req *Request) (valid, empty bool) {
 	if a == nil {
-		return true
+		return true, true
 	}
 
 	header := req.Header.Get("Authorization")
 	if header == "" {
-		return false
+		return false, true
 	}
 
 	if a.Method == AuthUnknown {
@@ -100,7 +100,7 @@ func (a *Auth) Validate(req *Request) bool {
 		a.header = "Basic " + B64(a.user, a.pass)
 	}
 
-	return header == a.header
+	return header == a.header, false
 }
 
 func (a *Auth) ReadNone(res *Response) bool {