diff --git a/src/Microsoft.AspNetCore.Identity.EntityFrameworkCore/UserStore.cs b/src/Microsoft.AspNetCore.Identity.EntityFrameworkCore/UserStore.cs
index ddedc15c3b..87cf6d2579 100644
--- a/src/Microsoft.AspNetCore.Identity.EntityFrameworkCore/UserStore.cs
+++ b/src/Microsoft.AspNetCore.Identity.EntityFrameworkCore/UserStore.cs
@@ -1247,6 +1247,10 @@ namespace Microsoft.AspNetCore.Identity.EntityFrameworkCore
             {
                 throw new ArgumentNullException(nameof(user));
             }
+            if (stamp == null)
+            {
+                throw new ArgumentNullException(nameof(stamp));
+            }
             user.SecurityStamp = stamp;
             return TaskCache.CompletedTask;
         }
diff --git a/src/Microsoft.AspNetCore.Identity/IdentityErrorDescriber.cs b/src/Microsoft.AspNetCore.Identity/IdentityErrorDescriber.cs
index 54c024c79e..914e82e5ea 100644
--- a/src/Microsoft.AspNetCore.Identity/IdentityErrorDescriber.cs
+++ b/src/Microsoft.AspNetCore.Identity/IdentityErrorDescriber.cs
@@ -14,7 +14,7 @@ namespace Microsoft.AspNetCore.Identity
         /// <summary>
         /// Returns the default <see cref="IdentityError"/>.
         /// </summary>
-        /// <returns>The default <see cref="IdentityError"/>,</returns>
+        /// <returns>The default <see cref="IdentityError"/>.</returns>
         public virtual IdentityError DefaultError()
         {
             return new IdentityError
diff --git a/src/Microsoft.AspNetCore.Identity/Properties/Resources.Designer.cs b/src/Microsoft.AspNetCore.Identity/Properties/Resources.Designer.cs
index 0029258790..fa00dea7f6 100644
--- a/src/Microsoft.AspNetCore.Identity/Properties/Resources.Designer.cs
+++ b/src/Microsoft.AspNetCore.Identity/Properties/Resources.Designer.cs
@@ -250,6 +250,22 @@ namespace Microsoft.AspNetCore.Identity
             return string.Format(CultureInfo.CurrentCulture, GetString("NoTokenProvider"), p0);
         }
 
+        /// <summary>
+        /// User security stamp cannot be null.
+        /// </summary>
+        internal static string NullSecurityStamp
+        {
+            get { return GetString("NullSecurityStamp"); }
+        }
+
+        /// <summary>
+        /// User security stamp cannot be null.
+        /// </summary>
+        internal static string FormatNullSecurityStamp()
+        {
+            return GetString("NullSecurityStamp");
+        }
+
         /// <summary>
         /// Incorrect password.
         /// </summary>
diff --git a/src/Microsoft.AspNetCore.Identity/Resources.resx b/src/Microsoft.AspNetCore.Identity/Resources.resx
index 85e16fc30d..3e0512b167 100644
--- a/src/Microsoft.AspNetCore.Identity/Resources.resx
+++ b/src/Microsoft.AspNetCore.Identity/Resources.resx
@@ -177,6 +177,10 @@
     <value>No IUserTokenProvider named '{0}' is registered.</value>
     <comment>Error when there is no IUserTokenProvider</comment>
   </data>
+  <data name="NullSecurityStamp" xml:space="preserve">
+    <value>User security stamp cannot be null.</value>
+    <comment>Error when a user's security stamp is null.</comment>
+  </data>
   <data name="PasswordMismatch" xml:space="preserve">
     <value>Incorrect password.</value>
     <comment>Error when a password doesn't match</comment>
diff --git a/src/Microsoft.AspNetCore.Identity/UserManager.cs b/src/Microsoft.AspNetCore.Identity/UserManager.cs
index d3eff1b91d..ffd67bd867 100644
--- a/src/Microsoft.AspNetCore.Identity/UserManager.cs
+++ b/src/Microsoft.AspNetCore.Identity/UserManager.cs
@@ -2236,6 +2236,14 @@ namespace Microsoft.AspNetCore.Identity
 
         private async Task<IdentityResult> ValidateUserInternal(TUser user)
         {
+            if (SupportsUserSecurityStamp)
+            {
+                var stamp = await GetSecurityStampAsync(user);
+                if (stamp == null)
+                {
+                    throw new InvalidOperationException(Resources.NullSecurityStamp);
+                }
+            }
             var errors = new List<IdentityError>();
             foreach (var v in UserValidators)
             {
diff --git a/test/Microsoft.AspNetCore.Identity.Test/UserManagerTest.cs b/test/Microsoft.AspNetCore.Identity.Test/UserManagerTest.cs
index 664bc14f9f..61a0e1e0ec 100644
--- a/test/Microsoft.AspNetCore.Identity.Test/UserManagerTest.cs
+++ b/test/Microsoft.AspNetCore.Identity.Test/UserManagerTest.cs
@@ -483,6 +483,42 @@ namespace Microsoft.AspNetCore.Identity.Test
             hasher.VerifyAll();
         }
 
+        [Fact]
+        public async Task CreateFailsWithNullSecurityStamp()
+        {
+            // Setup
+            var store = new Mock<IUserSecurityStampStore<TestUser>>();
+            var manager = MockHelpers.TestUserManager(store.Object);
+            var user = new TestUser { UserName = "nulldude" };
+            store.Setup(s => s.GetSecurityStampAsync(user, It.IsAny<CancellationToken>())).ReturnsAsync(null).Verifiable();
+
+            // Act
+            // Assert
+            var ex = await Assert.ThrowsAsync<InvalidOperationException>(() => manager.CreateAsync(user));
+            Assert.Contains(Resources.NullSecurityStamp, ex.Message);
+
+            store.VerifyAll();
+        }
+
+        [Fact]
+        public async Task UpdateFailsWithNullSecurityStamp()
+        {
+            // Setup
+            var store = new Mock<IUserSecurityStampStore<TestUser>>();
+            var manager = MockHelpers.TestUserManager(store.Object);
+            var user = new TestUser { UserName = "nulldude" };
+            store.Setup(s => s.GetSecurityStampAsync(user, It.IsAny<CancellationToken>())).ReturnsAsync(null).Verifiable();
+
+            // Act
+            // Assert
+            var ex = await Assert.ThrowsAsync<InvalidOperationException>(() => manager.UpdateAsync(user));
+            Assert.Contains(Resources.NullSecurityStamp, ex.Message);
+
+            store.VerifyAll();
+        }
+
+
+
         [Fact]
         public async Task RemoveClaimsCallsStore()
         {