You open your authenticator app, see a code, switch to the login page โ and by the time you type it in, the code has changed. This is one of the most common 2FA frustrations, and it has a simple explanation and several easy fixes.
In This Guide
Why 2FA Codes Expire in 30 Seconds
TOTP (Time-based One-Time Password) codes are generated using the current time as an input. Every 30 seconds, a new code is calculated from your secret key and the current Unix timestamp. The server does the same calculation and compares the two โ if they match within a small window, you're in.
The short expiry is intentional and a core security feature. A code that lasted 5 minutes would give an attacker much more time to intercept and use it. 30 seconds is the standard defined in RFC 6238.
Fix 1: Watch the Timer and Wait for a Fresh Code
Every authenticator app shows a countdown โ either a shrinking arc, a progress bar, or a number counting down from 30. If the timer is below 5 seconds when you open the app, don't rush. Wait for the timer to reset and a fresh code to appear. You'll then have a full 30 seconds to enter it.
This is the simplest fix and works for most people who are regularly running out of time.
Fix 2: Copy the Code Instead of Typing It
Typing a 6-digit code under time pressure invites errors. In most authenticator apps you can tap the code to copy it to your clipboard, then paste it into the login field. This takes under a second and eliminates mistyping.
On Google Authenticator and Authy, tap the code once to copy. On iOS, long-press the code for the copy option.
Fix 3: Use a Browser-Based Tool on the Same Device
If you're logging into a website on your computer, switching to your phone to get the code costs 5โ10 seconds. Using a browser-based TOTP generator like 2faco.com means your code is right there in the same browser tab โ paste your secret key once and the current code is always visible. Nothing leaves your device.
This is especially useful for accounts you access frequently from a desktop.
Fix 4: Sync Your Device Clock
If your device clock is even a minute off from the real time, the codes your app generates will be out of sync with what the server expects. The server checks a small window (usually ยฑ1 period = ยฑ30 seconds) but if your clock is more than that off, every code will fail.
On Android: Settings โ General Management โ Date and Time โ enable "Automatic date and time". On iPhone: Settings โ General โ Date & Time โ Set Automatically. On Google Authenticator specifically, there's a "Time correction for codes" option in the app settings.
Fix 5: Try the Previous Code
Most authentication servers accept a one-period grace window โ meaning they'll also accept the code from the previous 30-second window. If your code just changed right as you were entering it, try the code that was showing immediately before the refresh. Many people don't know this works.
This grace window exists precisely because clocks aren't perfectly synchronised across the internet and to account for slow network responses during the login process.
Summary
2FA codes expire quickly by design. The practical fixes are: wait for a fresh code before starting, copy rather than type, use a browser-based tool if you're on desktop, and make sure your device clock is synced. If none of these help, a time sync issue is the most likely culprit.