diff --git a/src/tss2-esys/api/Esys_StartAuthSession.c b/src/tss2-esys/api/Esys_StartAuthSession.c
index 076760d0b..a090acaac 100644
--- a/src/tss2-esys/api/Esys_StartAuthSession.c
+++ b/src/tss2-esys/api/Esys_StartAuthSession.c
@@ -458,8 +458,17 @@ Esys_StartAuthSession_Finish(
             size_t secret_size = 0;
             if (tpmKey != ESYS_TR_NONE)
                 secret_size += keyHash_size;
-            if (bind != ESYS_TR_NONE && bindNode != NULL)
+            if (bind != ESYS_TR_NONE && bindNode != NULL) {
+                /*
+                 * TPM2.0 Architecture 19.6.5 Note 2
+                 *
+                 * Remove tailing zeroes from the auth value
+                 */
+                while ((bindNode->auth.size > 0) &&
+                       (bindNode->auth.buffer[bindNode->auth.size - 1] == 0x00))
+                    bindNode->auth.size--;
                 secret_size += bindNode->auth.size;
+            }
             /*
              * A non null pointer for secret is required by the subsequent functions,
              * hence a malloc is called with size 1 if secret_size is zero.
@@ -470,11 +479,11 @@ Esys_StartAuthSession_Finish(
                 return TSS2_ESYS_RC_MEMORY;
             }
             if  (bind != ESYS_TR_NONE && bindNode != NULL
-                 && bindNode->auth.size > 0)
-                memcpy(&secret[0], &bindNode->auth.buffer[0], bindNode->auth.size);
+                 && bind_auth_size > 0)
+                memcpy(&secret[0], &bindNode->auth.buffer[0], bind_auth_size);
             if (tpmKey != ESYS_TR_NONE)
                 memcpy(&secret[(bind == ESYS_TR_NONE || bindNode == NULL) ? 0
-                               : bindNode->auth.size],
+                               : bind_auth_size],
                        &esysContext->salt.buffer[0], keyHash_size);
             if (bind != ESYS_TR_NONE &&  bindNode != NULL)
                 iesys_compute_bound_entity(&bindNode->rsrc.name,