diff --git a/app/services/sign_in/session_spawner.rb b/app/services/sign_in/session_spawner.rb
index 9fd24e975e0..293ac71c5fb 100644
--- a/app/services/sign_in/session_spawner.rb
+++ b/app/services/sign_in/session_spawner.rb
@@ -76,7 +76,7 @@ def create_new_access_token
       refresh_token_hash:,
       parent_refresh_token_hash:,
       anti_csrf_token:,
-      last_regeneration_time: refresh_creation,
+      last_regeneration_time:,
       user_attributes: JSON.parse(user_attributes)
     )
   end
@@ -106,7 +106,11 @@ def create_new_session
   end
 
   def refresh_expiration_time
-    @refresh_expiration_time ||= refresh_creation + client_config.refresh_token_duration
+    @refresh_expiration_time ||= last_regeneration_time + client_config.refresh_token_duration
+  end
+
+  def last_regeneration_time
+    @last_regeneration_time ||= Time.zone.now
   end
 
   def get_hash(object)
diff --git a/spec/services/sign_in/session_spawner_spec.rb b/spec/services/sign_in/session_spawner_spec.rb
index 0299cfedc68..237f0e56f83 100644
--- a/spec/services/sign_in/session_spawner_spec.rb
+++ b/spec/services/sign_in/session_spawner_spec.rb
@@ -10,7 +10,10 @@
   describe '#perform' do
     subject { session_spawner.perform }
 
-    let(:current_session) { create(:oauth_session, handle: current_session_handle, user_verification:) }
+    let(:current_session) do
+      create(:oauth_session, handle: current_session_handle, user_verification:, refresh_creation:)
+    end
+    let(:refresh_creation) { 5.minutes.ago }
     let(:current_session_handle) { 'edd4c2fc-d776-4596-8dce-71a9848e15e0' }
     let(:user_uuid) { current_session.user_verification.backing_credential_identifier }
     let(:user_verification) { create(:user_verification, locked:) }
@@ -25,6 +28,10 @@
     let(:enforced_terms) { nil }
     let(:device_sso) { false }
 
+    before { Timecop.freeze }
+
+    after { Timecop.return }
+
     context 'expected credential_lock validation' do
       let(:locked) { false }
       let(:expected_error) { SignIn::Errors::CredentialLockedError }
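Review bot: A spawned session's refresh window is no longer bounded by its parent's: `refresh_expiration_time` in the `@@ -106` hunk now anchors to `Time.zone.now`, so spawning from a parent that is close to its refresh expiry yields a full `refresh_token_duration` again, and nothing in the hunk records whether that reset is intended. A comment on the new helper would make the decision visible to the next reader, e.g. `# Spawned sessions start a fresh refresh window from now rather than inheriting the parent's refresh_creation.`, and the same value is handed to the access token in the `@@ -76` hunk. The spec change at `@@ -10` seeds the parent with `refresh_creation: 5.minutes.ago`, which suggests `refresh_creation` is still read from the parent elsewhere in this class; if `create_new_session` (outside the hunk) still copies that value onto the new session, its `refresh_creation` and `refresh_expiration` will no longer be separated by the configured duration, so any check that derives remaining validity from `refresh_creation` would disagree with the expiration stored here — worth confirming. Both `refresh_expiration_time` and `last_regeneration_time` are helpers of a class whose header lies outside the hunk.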
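Review bot: Freezing the clock in `before { Timecop.freeze }` and restoring it in a separate `after { Timecop.return }` in the `@@ -25` hunk splits one invariant across two hooks, so a later edit that removes or reorders either one leaves the clock frozen for subsequent example groups; the block form keeps them paired, `around { |example| Timecop.freeze { example.run } }`. The same before/after pair is added to token_exchanger_spec.rb in the `@@ -166` hunk, where the `allow(SecureRandom)` stub would remain in `before` and only the freeze moves into `around`.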
@@ -84,7 +91,8 @@
         let(:expected_token_uuid) { SecureRandom.uuid }
         let(:expected_parent_token_uuid) { SecureRandom.uuid }
         let(:expected_user_uuid) { user_uuid }
-        let(:expected_expiration_time) { expected_created_time + refresh_token_duration }
+        let(:expected_last_regeneration_time) { Time.zone.now }
+        let(:expected_expiration_time) { expected_last_regeneration_time + refresh_token_duration }
         let(:expected_user_attributes) { JSON.parse(current_session.user_attributes) }
         let(:expected_double_hashed_parent_refresh_token) do
           Digest::SHA256.hexdigest(parent_refresh_token_hash)
@@ -214,7 +222,7 @@
                                        anti_csrf_token: expected_anti_csrf_token)
         end
         let(:expected_parent_refresh_token_hash) { Digest::SHA256.hexdigest(parent_refresh_token.to_json) }
-        let(:expected_last_regeneration_time) { current_session.refresh_creation }
+        let(:expected_last_regeneration_time) { Time.zone.now }
 
         before do
           allow(SecureRandom).to receive_messages(hex: stubbed_random_number, uuid: expected_handle)
diff --git a/spec/services/sign_in/token_exchanger_spec.rb b/spec/services/sign_in/token_exchanger_spec.rb
index 6032b45b4db..faddf4d6cef 100644
--- a/spec/services/sign_in/token_exchanger_spec.rb
+++ b/spec/services/sign_in/token_exchanger_spec.rb
@@ -154,9 +154,10 @@
       let(:expected_hashed_refresh_token) do
         Digest::SHA256.hexdigest(new_refresh_token.parent_refresh_token_hash)
       end
+      let(:expected_last_regeneration_time) { Time.zone.now }
       let(:expected_refresh_expiration) do
-        expected_refresh_creation + new_client_config.refresh_token_duration
+        expected_last_regeneration_time + new_client_config.refresh_token_duration
       end
       let(:expected_session_handle) { Faker::Internet.uuid }
       let(:expected_client_id) { new_client_config.client_id }
@@ -166,7 +167,12 @@
       let(:expected_device_secret_hash) { nil }
       let(:expected_user_uuid) { current_session.user_verification.backing_credential_identifier }
 
-      before { allow(SecureRandom).to receive(:uuid).and_return(expected_session_handle) }
+      before do
+        Timecop.freeze
+        allow(SecureRandom).to receive(:uuid).and_return(expected_session_handle)
+      end
+
+      after { Timecop.return }
 
       it 'creates a session with the expected attributes' do
         new_session = token_exchanger.perform.session
@@ -186,7 +192,7 @@
         expect(new_access_token.session_handle).to eq(expected_session_handle)
         expect(new_access_token.audience).to eq(expected_audience)
         expect(new_access_token.client_id).to eq(expected_client_id)
-        expect(new_access_token.last_regeneration_time).to eq(expected_refresh_creation)
+        expect(new_access_token.last_regeneration_time).to eq(expected_last_regeneration_time)
         expect(new_access_token.user_attributes).to eq(JSON.parse(expected_user_attributes))
         expect(new_access_token.user_uuid).to eq(expected_user_uuid)
         expect(new_access_token.device_secret_hash).to eq(expected_device_secret_hash)