If you are seeing an "Invalid authentication code" or "Verification code incorrect" error when trying to log in, you are not alone. Two-factor authentication (2FA) code errors are among the most common account access issues, and in the vast majority of cases, they can be resolved quickly without contacting support.
This guide covers every known reason why 2FA codes fail and provides step-by-step solutions for each scenario. Whether you are using Google Authenticator, Authy, Microsoft Authenticator, or any other TOTP app, these fixes apply universally.
How TOTP Codes Work (And Why They Can Fail)
Time-based one-time passwords (TOTP) work by combining two inputs: a secret key shared between your device and the service, and the current time. Both your authenticator app and the server independently calculate the same 6-digit code using these inputs. If the code your app shows matches what the server expects, access is granted.
This means that if either the time or the secret key is different between your app and the server, the codes will not match, resulting in an "invalid code" error.
Most Common Reasons 2FA Codes Fail
1. Device Clock Is Out of Sync
This is the single most common cause of invalid 2FA codes. TOTP depends on your device's clock being accurate to within a few seconds of the actual time. If your phone's clock has drifted, even by 30 seconds, the code your app generates may already be expired or not yet valid from the server's perspective.
How to fix it:
- Open your phone's Settings → Date & Time
- Enable "Set time automatically" or "Use network-provided time"
- If already enabled, toggle it off and back on to force a resync
- Restart your phone after making the change
- In Google Authenticator: go to Settings → Time correction for codes → Sync now
2. Code Has Already Expired
Each TOTP code is valid for only 30 seconds. If you see a code with only a few seconds remaining on the countdown timer and try to enter it, the server may have already rotated to the next code by the time your request arrives. Network latency can make this worse.
How to fix it:
- Wait for a fresh code to appear (full 30-second window)
- Type the code quickly or use copy-paste if your app supports it
- Most services accept the previous code for a short grace period, but do not rely on this
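The mechanism from "How TOTP Codes Work" and the clock-drift and expiry cases in sections 1 and 2, as an added example (not code from this guide or from any particular service): an RFC 6238 code generator plus a check that reports which 30-second step a submitted code belongs to. The function names, the one-step grace window and the ten-step search range are assumptions chosen for illustration; the secret is the published RFC 6238 test key.

```python
import base64, hashlib, hmac, struct

STEP = 30  # seconds each code is valid, as described above
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # RFC 6238 test key, Base32

def totp(secret_b32, unix_time, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for a Base32 secret at a given Unix time."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", int(unix_time) // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def matching_step(secret_b32, code, server_time, search=10):
    """Step offset whose code equals `code` (0 = current, -1 = previous),
    trying the nearest steps first; None if nothing within `search` matches."""
    for off in sorted(range(-search, search + 1), key=abs):
        t = server_time + off * STEP
        if t < 0:
            continue
        if hmac.compare_digest(totp(secret_b32, t), code):
            return off
    return None

def diagnose(secret_b32, code, server_time, grace=1):
    """Classify a submitted code along the lines of the causes in this guide."""
    off = matching_step(secret_b32, code, server_time)
    if off is None:
        return "no match: wrong secret, wrong account entry, or mistyped code"
    if off == 0:
        return "accepted: current code"
    if abs(off) <= grace:
        return "accepted: within grace window"
    direction = "behind" if off < 0 else "ahead"
    return "rejected: device clock about %d seconds %s" % (abs(off) * STEP, direction)

if __name__ == "__main__":
    now = 1111111111  # constructed server time, one step after 1111111109
    stale = totp(RFC_SECRET, 1111111109)  # code shown two seconds earlier
    print(totp(RFC_SECRET, now), stale)   # two different codes
    print(diagnose(RFC_SECRET, stale, now))
    print(diagnose(RFC_SECRET, stale, now + 148))  # phone roughly 150 s behind
```

A "no match" result points to causes 3 to 6 (wrong entry, mistyped or replaced secret, wrong app), while a match several steps away points to clock drift.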
3. Wrong Account Selected in the App
If you have multiple accounts in your authenticator app (for example, separate entries for Google, GitHub, and Discord), it is easy to accidentally read the code from the wrong entry. Each entry generates completely independent codes.
How to fix it:
- Carefully verify the account name and email shown next to the code
- Rename entries in your authenticator app for clarity (e.g., "GitHub - work" vs. "GitHub - personal")
4. Secret Key Was Entered Incorrectly
If you manually typed a secret key instead of scanning a QR code, even a single wrong character will cause every code to be invalid. Base32-encoded secrets contain letters A-Z and digits 2-7. Common mistakes include confusing the letter O with zero (0), or the letter I with the number 1.
How to fix it:
- If you still have the original QR code or secret key, delete the entry and re-add it
- Use our browser-based 2FA generator to verify that a secret key produces valid codes
- When possible, always scan the QR code rather than typing the key manually
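A check for the typing mistakes described in this section, as an added example (not part of the original guide or of any authenticator app): it normalizes a manually typed secret and reports characters that cannot occur in Base32. The function name and the sample inputs are hypothetical.

```python
import base64

ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567")  # A-Z and 2-7
# Digits outside the alphabet and the letters this guide says they are confused with.
LOOKALIKES = {"0": "O", "1": "I"}

def check_secret(typed):
    """Return (normalized_secret, problems) for a manually typed TOTP secret."""
    # Apps often display secrets in groups; drop spaces, dashes and padding.
    cleaned = "".join(typed.split()).replace("-", "").upper().rstrip("=")
    problems = []
    for pos, ch in enumerate(cleaned, start=1):
        if ch not in ALPHABET:
            hint = LOOKALIKES.get(ch)
            msg = "character %d is %r, which is not valid Base32" % (pos, ch)
            problems.append(msg + ("; did you mean %s?" % hint if hint else ""))
    if not problems:
        # A dropped or extra character usually leaves an impossible length.
        padded = cleaned + "=" * (-len(cleaned) % 8)
        try:
            base64.b32decode(padded)
        except ValueError:
            problems.append("length %d is not a valid Base32 length" % len(cleaned))
    return cleaned, problems

if __name__ == "__main__":
    # Constructed inputs: a correctly typed key, one with a zero, one truncated.
    for sample in ("gezd gnbv gy3t qojq", "GEZDGNBVGY3TQ0JQ", "GEZDGNBVG"):
        print(check_secret(sample))
```

A secret that passes can still be wrong: swapping one valid character for another is only revealed by comparing against the original key or by the codes failing.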
5. 2FA Was Reset on the Service Side
If 2FA was disabled and re-enabled on your account (by you or by a support agent), the old secret key stored in your authenticator app is no longer valid. The service generated a new secret key, but your app still has the old one.
How to fix it:
- Delete the old entry from your authenticator app
- Go to the service's security settings and set up 2FA again with the new QR code
- Save the new backup codes
6. Using the Wrong Authenticator App
Some users accidentally set up accounts in different authenticator apps. If you enabled 2FA using Authy but are checking Google Authenticator (or vice versa), the code will not be there.
7. Server-Side Issues
In rare cases, the service itself may have a time synchronization issue or a temporary bug. This is uncommon with major platforms but can occur with self-hosted services or smaller websites.
Step-by-Step Fix Checklist
- Sync your device time (Settings → Date & Time → Automatic)
- Wait for a fresh code with full 30-second validity
- Verify you are reading the correct account entry
- If manually entered, verify the secret key matches exactly
- Try on a different device if possible
- If all else fails, use a backup code to log in and reconfigure 2FA
When to Contact Support
If you have exhausted all the fixes above and your codes still do not work, you may need to contact the service's support team. Before doing so, gather:
- The email address associated with the account
- Any backup codes you may have saved
- Proof of identity (the service may request ID verification)
How to Prevent Invalid Code Issues
- Keep automatic time enabled: Never manually set your phone's clock
- Save backup codes: Store them in a password manager or secure offline location
- Use QR scanning: Avoid manual secret key entry when possible
- Label your accounts clearly: Rename authenticator entries to avoid confusion
- Register multiple 2FA methods: Use a hardware key as a backup when available
Final Thoughts
Invalid 2FA codes are almost always caused by device clock drift, expired codes, or mismatched secret keys. By systematically working through the fixes in this guide, most users can resolve the problem in under two minutes. The key takeaway: always keep automatic time enabled and save your backup codes when setting up 2FA.