diff --git a/java/google/registry/tools/ValidateLoginCredentialsCommand.java b/java/google/registry/tools/ValidateLoginCredentialsCommand.java
index 591659aba..b03f68af1 100644
--- a/java/google/registry/tools/ValidateLoginCredentialsCommand.java
+++ b/java/google/registry/tools/ValidateLoginCredentialsCommand.java
@@ -15,42 +15,29 @@ package google.registry.tools; import static com.google.common.base.Preconditions.checkArgument; +import static com.google.common.base.Preconditions.checkState; import static com.google.common.base.Strings.isNullOrEmpty; -import static com.google.common.io.Resources.getResource; -import static google.registry.flows.EppXmlTransformer.marshalWithLenientRetry; -import static google.registry.flows.EppXmlTransformer.unmarshal; import static google.registry.util.X509Utils.getCertificateHash; import static google.registry.util.X509Utils.loadCertificate; import static java.nio.charset.StandardCharsets.US_ASCII; -import static java.nio.charset.StandardCharsets.UTF_8; import com.google.common.base.Optional; -import com.google.template.soy.SoyFileSet; -import com.google.template.soy.data.SoyMapData; import com.beust.jcommander.Parameter; import com.beust.jcommander.Parameters; -import google.registry.flows.EppRequestSource; -import google.registry.flows.FlowRunner; -import google.registry.flows.SessionMetadata; import google.registry.flows.TlsCredentials; -import google.registry.flows.session.LoginFlow; -import google.registry.model.eppcommon.Trid; -import google.registry.model.eppinput.EppInput; +import google.registry.model.registrar.Registrar; import google.registry.tools.Command.GtechCommand; import google.registry.tools.Command.RemoteApiCommand; import google.registry.tools.params.PathParameter; -import google.registry.tools.soy.LoginSoyInfo; -import google.registry.util.SystemClock; import java.nio.file.Files; import java.nio.file.Path; -import java.util.Set; import javax.annotation.Nullable; -/** A command to execute an epp command. */ +/** A command to test registrar login credentials. */ @Parameters(separators = " =", commandDescription = "Test registrar login credentials") final class ValidateLoginCredentialsCommand implements RemoteApiCommand, GtechCommand { 
@@ -86,70 +73,16 @@ final class ValidateLoginCredentialsCommand implements RemoteApiCommand, GtechCo @Override public void run() throws Exception { - checkArgument(clientCertificatePath == null || isNullOrEmpty(clientCertificateHash), + checkArgument( + clientCertificatePath == null || isNullOrEmpty(clientCertificateHash), "Can't specify both --cert_hash and --cert_file"); if (clientCertificatePath != null) { - String asciiCrt = new String(Files.readAllBytes(clientCertificatePath), US_ASCII); - clientCertificateHash = getCertificateHash(loadCertificate(asciiCrt)); - } - byte[] inputXmlBytes = SoyFileSet.builder() - .add(getResource(LoginSoyInfo.class, LoginSoyInfo.getInstance().getFileName())) - .build() - .compileToTofu() - .newRenderer(LoginSoyInfo.LOGIN) - .setData(new SoyMapData("clientIdentifier", clientIdentifier, "password", password)) - .render() - .getBytes(UTF_8); - - System.out.println(new String(marshalWithLenientRetry( - new FlowRunner( - LoginFlow.class, - unmarshal(EppInput.class, inputXmlBytes), - Trid.create(null), - new StubSessionMetadata(), - new TlsCredentials( - clientCertificateHash, - Optional.of(clientIpAddress), - "placeholder"), // behave as if we have SNI on, since we're validating a cert - EppRequestSource.TOOL, - false, - false, - inputXmlBytes, - null, - new SystemClock()).run()), UTF_8)); - } - - /** A {@link SessionMetadata} that ignores setters rather than throwing exceptions. 
*/ - private static class StubSessionMetadata implements SessionMetadata { - - @Override - public void setClientId(String clientId) {} - - @Override - public void setServiceExtensionUris(Set serviceExtensionUris) {} - - @Override - public void incrementFailedLoginAttempts() {} - - @Override - public void resetFailedLoginAttempts() {} - - @Override - public void invalidate() {} - - @Override - public String getClientId() { - return null; - } - - @Override - public Set getServiceExtensionUris() { - return null; - } - - @Override - public int getFailedLoginAttempts() { - return 0; + clientCertificateHash = getCertificateHash( + loadCertificate(new String(Files.readAllBytes(clientCertificatePath), US_ASCII))); } + Registrar registrar = Registrar.loadByClientId(clientIdentifier); + new TlsCredentials(clientCertificateHash, Optional.of(clientIpAddress), null) + .validate(registrar, password); + checkState(!registrar.getState().equals(Registrar.State.PENDING), "Account pending"); } } diff --git a/java/google/registry/tools/soy/Login.soy b/java/google/registry/tools/soy/Login.soy deleted file mode 100644 index ada38db0e..000000000 --- a/java/google/registry/tools/soy/Login.soy +++ /dev/null @@ -1,27 +0,0 @@ -{namespace domain.registry.tools autoescape="strict"} - -/** - * Login request. - */ -{template .login} -{@param clientIdentifier: string} -{@param password: string} - - - - {$clientIdentifier} - {$password} - - 1.0 - en - - - urn:ietf:params:xml:ns:host-1.0 - urn:ietf:params:xml:ns:domain-1.0 - urn:ietf:params:xml:ns:contact-1.0 - - - FakeClTrid - - -{/template} diff --git a/javatests/google/registry/tools/ValidateLoginCredentialsCommandTest.java b/javatests/google/registry/tools/ValidateLoginCredentialsCommandTest.java index abe0818a5..83c9329a0 100644 --- a/javatests/google/registry/tools/ValidateLoginCredentialsCommandTest.java +++ b/javatests/google/registry/tools/ValidateLoginCredentialsCommandTest.java 
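Review bot: In the new `run()` body the result of `Registrar.loadByClientId(clientIdentifier)` goes straight into `validate(registrar, password)` and `registrar.getState()` with no check that a registrar was found. If the loader can return null for an unknown client id (not visible here), a mistyped `--client` ends in a NullPointerException instead of a clear credential failure. A guard right after the load would keep that case explicit: `checkArgument(registrar != null, "Registrar %s not found", clientIdentifier);`. Separately, the third `TlsCredentials` argument changes from `"placeholder"` to `null`, and the removed comment said the placeholder made the check behave as if SNI were on. Whether `validate` takes a different path for a null value is not visible in this hunk, so a one-line comment on that argument stating why null still exercises the same certificate check as a real login would let a reader confirm the tool has not become more lenient than production.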
@@ -24,6 +24,7 @@ import com.google.common.collect.ImmutableSet; import com.beust.jcommander.ParameterException; import google.registry.flows.EppException; +import google.registry.flows.TransportCredentials.BadRegistrarPasswordException; import google.registry.model.registrar.Registrar; import google.registry.testing.CertificateSamples; import google.registry.util.CidrAddressBlock; @@ -62,7 +63,7 @@ public class ValidateLoginCredentialsCommandTest @Test public void testFailure_loginWithBadPassword() throws Exception { - thrown.expect(EppException.class); + thrown.expect(BadRegistrarPasswordException.class); runCommand( "--client=NewRegistrar", "--password=" + new StringBuffer(PASSWORD).reverse(),
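Review bot: The test hunks visible here only narrow the bad-password expectation to `BadRegistrarPasswordException`; nothing covers the new `checkState(..., "Account pending")` branch that `run()` now performs itself. Since that check used to happen inside the login flow and is now hand-written in the command, it should get its own case: a test that puts the registrar in the pending state, runs the command with otherwise valid credentials, and expects `IllegalStateException` with the message `Account pending`. A matching case for an unknown `--client` value would also pin down what the tool reports when no registrar is loaded. The rest of the test class is outside these hunks, so existing coverage could not be checked.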