Why Does My Authenticator Code Keep Changing Every 30 Seconds?

If you're new to two-factor authentication, seeing your code change every 30 seconds can be confusing — or even alarming. Is something wrong? Is someone accessing your account? No. This is exactly how it's supposed to work, and it's a fundamental part of what makes 2FA secure.

Why Codes Change Every 30 Seconds

The whole point of two-factor authentication is that each code can only be used once and only for a very short window. If codes never changed, an attacker who intercepted one code could use it indefinitely. If they changed every hour, an intercepted code would still be valid for up to 60 minutes — enough time for an attack.

30 seconds is the standard window defined in RFC 6238 (the TOTP standard). It's short enough that intercepted codes are almost useless, but long enough that you can read and type the code before it expires.

How TOTP Actually Works

TOTP stands for Time-based One-Time Password. When you set up 2FA, you and the service exchange a secret key — this is the string of letters and numbers (or QR code) you scan. This secret key never changes.

Your authenticator app then takes two inputs: the secret key and the current time (rounded to the nearest 30-second period). It runs these through a cryptographic hash function (HMAC-SHA1) and produces a 6-digit number. The server does the exact same calculation simultaneously. If your number matches the server's number, you're authenticated.

Because both sides know the secret key and use the same clock, they always produce the same code for the same 30-second window — without ever sending the code over a network. This is why TOTP works even when your phone has no internet connection.

The Countdown Timer

The ring or progress bar around your code in the authenticator app counts down the remaining time in the current 30-second window. When it reaches zero, a new code is generated for the next window.

Most authentication servers accept codes from the current and previous window (±1 period) to account for slight clock differences and network delays. So even if your code just changed, the old one might still work for a few more seconds.
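The calculation from "How TOTP Actually Works" and the server-side acceptance window described above, as an added Python example that is not part of the original article. The `Verifier` class, its `drift` and `last_used` names, and the one-use-per-window check are assumptions made for illustration; the sample secret is the published RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30      # seconds per window (RFC 6238 default)
DIGITS = 6     # length of the displayed code

def totp(secret_b32: str, unix_time: int) -> str:
    """Return the code for the 30-second window that contains unix_time."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))   # re-add stripped padding
    counter = unix_time // STEP                       # window number
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

class Verifier:
    """Hypothetical server side: accept current window +/- drift, once each."""
    def __init__(self, secret_b32: str, drift: int = 1):
        self.secret = secret_b32
        self.drift = drift
        self.last_used = -1        # highest window number already accepted

    def check(self, code: str, now: int) -> bool:
        current = now // STEP
        for counter in range(current - self.drift, current + self.drift + 1):
            if counter <= self.last_used:
                continue           # that window's code was already used
            if hmac.compare_digest(totp(self.secret, counter * STEP), code):
                self.last_used = counter
                return True
        return False

# Constructed sample secret: the RFC 6238 test key, base32-encoded as in a QR code.
SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    v = Verifier(SECRET)
    code = totp(SECRET, 59)        # window covering seconds 30-59
    print(code)
    print(v.check(code, 65))       # accepted: previous window is still in range
    print(v.check(code, 66))       # rejected: the same code presented again
    print(Verifier(SECRET).check(code, 95))   # rejected: two windows old
```
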

You can see this in action with a browser-based 2FA tool — paste your secret key and watch the code change in sync with the timer, with no network requests involved.

When to Worry

The code changing is normal. What's not normal:

Codes that don't match what the service expects — this is usually a clock sync issue on your device, not a security problem. See our guide on fixing 2FA sync problems.

Codes that change at irregular intervals — if your codes seem to change at random rather than every 30 seconds, your app may be buggy or your device clock has significant drift. Try reinstalling the app or syncing your clock.

Being prompted for 2FA when you didn't try to log in — this could indicate someone is trying to access your account with your password. Change your password immediately and check your account's recent activity.

Practical Tips

Watch the timer before you start typing. If there are fewer than 5 seconds left, wait for the code to refresh — you'll have a full 30 seconds with the new code. Copy the code by tapping it in your authenticator app rather than typing it manually, which reduces errors and is faster. If you're entering codes on a desktop computer frequently, a browser-based generator keeps the code visible without switching between devices.

The Design Behind Rotating Codes

The reason your 2FA code keeps changing is by design — it is the entire point of Time-based One-Time Passwords (TOTP). Each code is only valid for a specific 30-second window, calculated using your secret key and the current time. Once that window closes, the code is mathematically invalid and a new one is generated. This time-limited nature is what makes TOTP codes so much more secure than a static password: even if an attacker captures your code by watching over your shoulder or intercepting a network request, the code is useless within 30 seconds.

The 30-second interval is defined in RFC 6238, the TOTP standard. Most services use exactly 30 seconds, though some allow a tolerance window of one period before and after (90 seconds total) to account for clock drift between your device and the server. This is why you can sometimes enter a code that appears to have expired and it still works — the server is accepting codes from the adjacent time windows.

Why Codes Are Different on Every Device

If you have the same account set up in two different authenticator apps, both will show the same code at the same time — because TOTP is deterministic. The code is calculated purely from two inputs: your secret key (the same on both devices) and the current Unix time (the same everywhere in UTC). If two apps show different codes for the same account, it means one of them has clock drift or has a different secret key stored (for example, if you enrolled twice and got a different QR code each time).

What to Do If Your Code Expires Before You Can Enter It

Simply wait for the next code to generate (up to 30 seconds) and enter it immediately. Most login forms accept codes from the current and immediately preceding time window, giving you up to 60 seconds in practice. If you consistently run out of time, check that your internet connection and form submission are not unusually slow. Some users with motor difficulties or slow typing find it helpful to watch the progress bar in their authenticator app and start entering the code at the beginning of a new cycle rather than near the end, maximising available time.

Frequently Asked Questions

Can I make my 2FA codes last longer than 30 seconds? No — the 30-second window is determined by the server, not your app. You cannot extend it on your end. Some services use 60-second windows, but this is set by the service provider, not configurable by the user.

Why does my authenticator app show a countdown timer? The countdown timer shows how many seconds remain in the current 30-second window. When it reaches zero, a new code is generated. Use the timer to time your entry — if only a few seconds remain, wait for the next code to avoid rushing.

Is it a security problem if someone sees my 2FA code on screen? Only if they can use it within the remaining valid window and they also know your password. In practice, a brief glance at your code by someone nearby is very low risk, but you should be aware of shoulder surfing in public places and shield your screen when entering 2FA codes on sensitive accounts.