You enter your 2FA code and get "Invalid verification code", even though it looks correct. This is one of the most frustrating 2FA problems, and almost always has a simple fix.
Fix 1: Sync Your Device Clock (Most Common Fix)
TOTP codes are time-based. If your phone's clock is even 30–60 seconds out of sync, every code you generate will be invalid.
Android: Settings → General management → Date and time → enable Automatic date and time
iPhone: Settings → General → Date & Time → enable Set Automatically
Fix 2: Wait for the Next Code
TOTP codes expire every 30 seconds. If you enter a code in the final second of its cycle, the server may reject it as too old. Simply wait for the next code and enter it immediately.
Fix 3: Type the Code Manually
Auto-fill or copy-paste can sometimes introduce hidden characters or spaces. Type the 6-digit code manually, digit by digit.
Fix 4: Confirm You're Using the Right Account
If you have multiple accounts in your authenticator app, it's easy to accidentally use the code for the wrong one. Verify the issuer name and account label match the service you're logging into.
Fix 5: Remove All Spaces
Some services require the code as 6 continuous digits (e.g. 123456), while others accept it with a space (e.g. 123 456). If one format fails, try the other.
Fix 6: Reconfigure the Authenticator
If codes are consistently wrong despite a synced clock, the secret key may have been set up incorrectly. Go to the service's security settings, disable 2FA, and re-enable it by scanning a fresh QR code.
Fix 7: Use a Backup Code
If you still cannot log in, use one of your saved backup codes. Most services provide 8–10 backup codes when you first enable 2FA. After using a backup code, consider reconfiguring your authenticator.
Understanding TOTP Time Sensitivity
Time-based one-time passwords (TOTP) depend critically on the synchronization between your device's clock and the server's clock. The TOTP algorithm divides time into 30-second intervals. Both your authenticator app and the server calculate which interval you are in, and both generate the same code for that interval. If your device's clock is off by even 30 seconds, you will be generating codes for the wrong time window.
Most servers implement a tolerance window that accepts codes from the immediately preceding and following intervals (effectively a 90-second window). However, if your clock drift exceeds this tolerance, every code you generate will be rejected.
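The interval and tolerance logic described above, as an added example that is not part of the original guide: a minimal RFC 6238 generator (HMAC-SHA1, 6 digits, 30-second step) and a server-side check with a ±1 interval window. The secret and server time are constructed test values, and `simulate` is a hypothetical helper that models a device whose clock is off by a given number of seconds.

```python
import base64, hashlib, hmac, struct

STEP = 30    # seconds per TOTP interval (RFC 6238 default)
DIGITS = 6

def totp(secret_b32: str, unix_time: float) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the interval that contains unix_time."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))   # restore stripped padding
    counter = int(unix_time // STEP)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    pos = mac[-1] & 0x0F                          # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[pos:pos + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify(secret_b32, code, server_time, window=1):
    """Return the interval offset that matched (-window..+window), else None."""
    code = "".join(code.split())                  # accept "123 456" and "123456"
    for offset in range(-window, window + 1):
        expected = totp(secret_b32, server_time + offset * STEP)
        if hmac.compare_digest(expected, code):   # constant-time comparison
            return offset
    return None

# Constructed sample data: the RFC 6238 test secret and an arbitrary server time
# that falls 10 seconds into a 30-second interval.
SECRET = base64.b32encode(b"12345678901234567890").decode()
SERVER_TIME = 1_111_111_120

def simulate(device_skew: int):
    """Device clock is device_skew seconds off; does the server accept its code?"""
    return verify(SECRET, totp(SECRET, SERVER_TIME + device_skew), SERVER_TIME)

if __name__ == "__main__":
    for skew in (0, -25, 25, 45, 50, -90):
        result = simulate(skew)
        verdict = "rejected" if result is None else f"accepted (interval {result:+d})"
        print(f"device clock {skew:+4d}s -> {verdict}")
```

Because the sample server time is 10 seconds into its interval, a device running 45 seconds fast is still accepted while one running 50 seconds fast is rejected: the skew a ±1 window tolerates depends on where in the interval the server currently is.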
Platform-Specific Time Sync Instructions
Android
- Open Settings → System → Date & Time
- Enable "Use network-provided time" and "Use network-provided time zone"
- In Google Authenticator: tap ⋮ → Settings → Time correction for codes → Sync now
- Restart your phone
iPhone
- Open Settings → General → Date & Time
- Enable "Set Automatically"
- If already enabled, toggle it off, wait 10 seconds, then toggle it back on
- Restart your iPhone
Advanced Troubleshooting
Multiple Authenticator Apps
If you have installed more than one authenticator app (e.g., Google Authenticator, Authy, and Microsoft Authenticator), ensure you are checking the correct app. It is possible you registered the account in a different app than the one you are currently checking.
VPN and Location Issues
Some services enforce geographic restrictions. If you are using a VPN that makes it appear you are logging in from an unusual location, the service may reject valid 2FA codes as a security precaution. Try disabling your VPN temporarily.
Browser Cache and Cookies
Stale session data in your browser can sometimes interfere with 2FA verification. Try clearing your browser cache or using an incognito/private browsing window.
Verify Your TOTP Setup
You can verify that your secret key generates correct codes using our browser-based 2FA code generator. This runs entirely in your browser with no data sent to any server, making it safe to test your setup.
Prevention Checklist
- Keep automatic time enabled on all devices
- Save backup codes for every service in a secure password manager
- Label entries clearly in your authenticator app to avoid confusion
- Scan QR codes instead of manually typing secret keys
- Register multiple 2FA methods where supported
- Periodically verify your setup by logging out and logging back in
Still Locked Out?
If none of these fixes work, contact the service's support team. You will typically need to verify your identity using your account email, recovery phone number, or government ID.