If you're new to two-factor authentication, seeing your code change every 30 seconds can be confusing, or even alarming. Is something wrong? Is someone accessing your account? No. This is exactly how it's supposed to work, and it's a fundamental part of what makes 2FA secure.
Why Codes Change Every 30 Seconds
The whole point of two-factor authentication is that each code can only be used once and only for a very short window. If codes never changed, an attacker who intercepted one code could use it indefinitely. If they changed every hour, an intercepted code would still be valid for up to 60 minutes, enough time for an attack.
30 seconds is the standard window defined in RFC 6238 (the TOTP standard). It's short enough that intercepted codes are almost useless, but long enough that you can read and type the code before it expires.
How TOTP Actually Works
TOTP stands for Time-based One-Time Password. When you set up 2FA, you and the service exchange a secret key: this is the string of letters and numbers (or QR code) you scan. This secret key never changes.
Your authenticator app then takes two inputs: the secret key and the current time (rounded to the nearest 30-second period). It runs these through a cryptographic hash function (HMAC-SHA1) and produces a 6-digit number. The server does the exact same calculation simultaneously. If your number matches the server's number, you're authenticated.
Because both sides know the secret key and use the same clock, they always produce the same code for the same 30-second window, without ever sending the code over a network. This is why TOTP works even when your phone has no internet connection.
The Countdown Timer
The ring or progress bar around your code in the authenticator app counts down the remaining time in the current 30-second window. When it reaches zero, a new code is generated for the next window.
Most authentication servers accept codes from the current and previous window (±1 period) to account for slight clock differences and network delays. So even if your code just changed, the old one might still work for a few more seconds.
You can see this in action with a browser-based 2FA tool: paste your secret key and watch the code change in sync with the timer, with no network requests involved.
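The calculation and the acceptance window described above, written out as an added example (it is not code from this guide or from any particular authenticator app or service). The secret is the constructed test key from the RFC 6238 appendix, the window number is the Unix time divided by 30 and rounded down, and `verify` with its `accept_previous` parameter is a hypothetical server-side check.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds per window, the RFC 6238 default
DIGITS = 6

# Constructed sample secret: the RFC 6238 appendix test key, Base32-encoded.
SECRET = base64.b32encode(b"12345678901234567890").decode()

def totp(secret_b32, unix_time, step=STEP, digits=DIGITS):
    """Return the code for the window that contains unix_time."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))
    counter = int(unix_time) // step              # window number, rounded down
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def seconds_left(unix_time, step=STEP):
    """What the countdown ring shows: seconds until the next code."""
    return step - int(unix_time) % step

def verify(secret_b32, submitted, unix_time, accept_previous=1):
    """Hypothetical server check: current window plus N earlier ones."""
    for back in range(accept_previous + 1):
        expected = totp(secret_b32, unix_time - back * STEP)
        if hmac.compare_digest(expected, submitted):  # constant-time compare
            return True
    return False

if __name__ == "__main__":
    now = time.time()
    print(totp(SECRET, now), "valid for", seconds_left(now), "more seconds")
```

Setting `accept_previous=0` makes the check strict: a code stops working the moment the timer rolls over.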
When to Worry
The code changing is normal. What's not normal:
Codes that don't match what the service expects: this is usually a clock sync issue on your device, not a security problem. See our guide on fixing 2FA sync problems.
Codes that change at irregular intervals: if your codes seem to change at random rather than every 30 seconds, your app may be buggy or your device clock has significant drift. Try reinstalling the app or syncing your clock.
Being prompted for 2FA when you didn't try to log in: this could indicate someone is trying to access your account with your password. Change your password immediately and check your account's recent activity.
Practical Tips
Watch the timer before you start typing. If there are fewer than 5 seconds left, wait for the code to refresh; you'll have a full 30 seconds with the new code. Copy the code by tapping it in your authenticator app rather than typing it manually, which reduces errors and is faster. If you're entering codes on a desktop computer frequently, a browser-based generator keeps the code visible without switching between devices.