2FA Code Expired Before You Could Enter It? Here's the Fix

You open your authenticator app, see a code, switch to the login page, and by the time you type it in, the code has changed. This is one of the most common 2FA frustrations, and it has a simple explanation and several easy fixes.

Why 2FA Codes Expire in 30 Seconds

TOTP (Time-based One-Time Password) codes are generated using the current time as an input. Every 30 seconds, a new code is calculated from your secret key and the current Unix timestamp. The server does the same calculation and compares the two: if they match within a small window, you're in.

The short expiry is intentional and a core security feature. A code that lasted 5 minutes would give an attacker much more time to intercept and use it. 30 seconds is the standard defined in RFC 6238.

Fix 1: Watch the Timer and Wait for a Fresh Code

Every authenticator app shows a countdown: either a shrinking arc, a progress bar, or a number counting down from 30. If the timer is below 5 seconds when you open the app, don't rush. Wait for the timer to reset and a fresh code to appear. You'll then have a full 30 seconds to enter it.

This is the simplest fix and works for most people who are regularly running out of time.

Fix 2: Copy the Code Instead of Typing It

Typing a 6-digit code under time pressure invites errors. In most authenticator apps you can tap the code to copy it to your clipboard, then paste it into the login field. This takes under a second and eliminates mistyping.

On Google Authenticator and Authy, tap the code once to copy. On iOS, long-press the code for the copy option.

Fix 3: Use a Browser-Based Tool on the Same Device

If you're logging into a website on your computer, switching to your phone to get the code costs 5–10 seconds. Using a browser-based TOTP generator like 2faco.com means your code is right there in the same browser tab: paste your secret key once and the current code is always visible. Nothing leaves your device.

This is especially useful for accounts you access frequently from a desktop.

Fix 4: Sync Your Device Clock

If your device clock is even a minute off from the real time, the codes your app generates will be out of sync with what the server expects. The server checks a small window (usually ±1 period = ±30 seconds), but if your clock is off by more than that, every code will fail.

On Android: Settings → General Management → Date and Time → enable "Automatic date and time". On iPhone: Settings → General → Date & Time → Set Automatically. On Google Authenticator specifically, there's a "Time correction for codes" option in the app settings.

Fix 5: Try the Previous Code

Most authentication servers accept a one-period grace window, meaning they'll also accept the code from the previous 30-second window. If your code just changed right as you were entering it, try the code that was showing immediately before the refresh. Many people don't know this works.

This grace window exists precisely because clocks aren't perfectly synchronised across the internet, and because network responses during the login process can be slow.

Summary

2FA codes expire quickly by design. The practical fixes are: wait for a fresh code before starting, copy rather than type, use a browser-based tool if you're on desktop, and make sure your device clock is synced. If none of these help, a time sync issue is the most likely culprit.

Why This Happens

TOTP codes are only valid for a 30-second window. If you are too slow moving from your authenticator app to the login form, the code expires before you can submit it. This is a normal consequence of how time-based one-time passwords work: the short validity window is a security feature, not a flaw. Most platforms extend tolerance to one window before and after the current one (90 seconds total), but if your workflow takes longer than that, you will consistently hit this problem.

Simple Solutions

The easiest fix is to wait for a fresh code. Watch the countdown timer in your authenticator app: when it resets to 30 seconds, you have the maximum available time to complete your entry. Do not copy a code with only a few seconds remaining. If your authenticator app and login form are both on the same device, use a password manager that autofills both your password and TOTP code simultaneously (1Password and Bitwarden Premium both support this), which reduces the steps and time needed to complete login. If you are on mobile, keeping your authenticator app in your recent apps makes switching faster.

If It Happens Consistently Despite Timing

If you are entering codes promptly but they are consistently rejected as expired, the problem is likely clock drift on your device rather than timing. Your authenticator app calculates codes based on your device's system clock; if this clock is even a minute or two off from UTC, the codes you generate will not match what the server expects. Fix this by enabling automatic time synchronization in your device's date and time settings, and if you use Google Authenticator on Android, use its built-in time sync option (three-dot menu → Time correction for codes → Sync now).
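The calculation and acceptance window this article describes (a code derived from the secret key and the current 30-second period, a ±1 period tolerance, and rejection once the device clock drifts further), as an added Python example that is not code from any particular service. The secret is the public RFC 6238 test secret, the server time is constructed, and the 10-period search is a diagnostic assumption for measuring drift, not a window a login server should accept.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per code (the period this page describes)

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the period containing unix_time."""
    counter = int(unix_time) // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    pos = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[pos:pos + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret: bytes, code: str, server_time: int, window: int = 1):
    """Return the period offset whose code matches, or None.

    0 is the current period, -1 the previous code, +1 the next one.
    Nearest offsets are tried first.
    """
    for offset in sorted(range(-window, window + 1), key=abs):
        t = server_time + offset * STEP
        if t < 0:
            continue  # before the Unix epoch: no valid counter
        if hmac.compare_digest(totp(secret, t).encode(), code.encode()):
            return offset
    return None

def demo() -> dict:
    """Server's view of codes from clients with different clock skews."""
    secret = b"12345678901234567890"  # RFC 6238 Appendix B test secret
    server_now = 1111111109           # constructed server time (an RFC test instant)
    out = {}
    for label, skew in [("in sync", 0), ("40 s slow", -40), ("2 min slow", -120)]:
        code = totp(secret, server_now + skew)       # what the user's app displays
        accepted = verify(secret, code, server_now)  # normal +/-1 period check
        drift = verify(secret, code, server_now, window=10)  # diagnostic search only
        out[label] = (accepted, drift)
    return out

if __name__ == "__main__":
    for label, (accepted, drift) in demo().items():
        print(f"{label:11} accepted_at={accepted} drift_periods={drift}")
```

The 40-second-slow client is accepted as the previous period's code, while the 2-minute-slow client is rejected by the normal check and only the diagnostic search reveals that its clock is four periods behind.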

Frequently Asked Questions

Is there a way to pause the 30-second timer?

No. The timer is determined by the server's clock, not your app. You cannot pause or extend it. The best strategy is to always wait for a fresh code at the start of a new 30-second window before beginning the login process.

Does the platform lock my account if I enter expired codes repeatedly?

Most platforms implement rate limiting or temporary lockouts after multiple failed login attempts, regardless of whether the failure was due to an expired code or a wrong code. If you are locked out, wait for the lockout period (usually 15–30 minutes) before trying again.

My code expired and now the account says "too many attempts." What do I do?

Wait for the lockout period to expire, typically 15 to 60 minutes depending on the service. Do not keep trying, as this usually resets the lockout timer. Once unlocked, wait for a fresh 30-second code window before attempting login again.