Authenticator App Code Not Working? Check These 7 Causes

An authenticator code usually fails at the worst possible moment: you know the password, you can see the six-digit code, but the site says it is wrong. Before resetting the whole account, check the common causes in a calm order.

For standard TOTP accounts, the code is calculated from two things: the shared secret and the current time window. If either side is wrong, the code will not match. The BaseToolbox 2FA code generator can help you test a Base32 secret, otpauth:// URL, or QR image locally in your browser.

1. Your device time is wrong

Time drift is the classic TOTP failure. Most authenticator codes refresh every 30 seconds. If your phone or computer clock is off by even a small amount, the service may reject the code.

Turn on automatic date and time, automatic time zone, and network time sync. Then wait for the next code window before trying again. Do not keep submitting the old code while the timer is nearly finished.

2. You picked the wrong account entry

Many authenticator apps store multiple entries for the same email, service, or issuer. A work account and a personal account can look almost identical. Some services also create a new 2FA entry after every reset.

Check the issuer and account label. If you pasted an otpauth:// URL into BaseToolbox, the parsed details can show the issuer, account, period, digits, and algorithm, which makes mismatches easier to spot.

3. The old secret was replaced

If you recently reset 2FA, scanned a new QR code, migrated devices, or re-enrolled an authenticator, the old secret may no longer be valid. A TOTP code generated from the previous secret can look normal but fail every time.

Use the most recent setup QR code or manual key. Delete or rename old entries only after you confirm the new one works.

4. You copied the secret key incorrectly

Manual setup keys are usually Base32 strings. Spaces and lowercase letters are often harmless, but missing characters are not. Some setup screens wrap the key across lines or hide part of it behind a "can't scan?" link.

If the service gives an otpauth:// URL, paste the whole URL rather than only the secret. The URL can include period, digit count, algorithm, issuer, and account details.

5. The code length or algorithm is different

Most TOTP accounts use 6 digits, SHA-1, and a 30-second period, but not all of them. Some accounts use 8 digits, SHA-256, SHA-512, or a different refresh period.

If your app and the service disagree on these settings, the generated code will not match. A complete otpauth:// URL is safer than a bare secret because it carries those parameters.

6. You are using a QR code that is not TOTP

Some login systems use QR codes for push enrollment, device approval, or proprietary app pairing. Those QR codes may not contain a standard TOTP secret.

A standard authenticator QR usually decodes to an otpauth://totp/... URL. If a QR scanner cannot extract that kind of URL, it may not be usable in a generic TOTP generator.

7. The service is rate-limiting attempts

Repeated wrong 2FA attempts can trigger temporary lockouts or extra verification. If you have tried many times, stop for a moment and check the service's recovery flow. Continuing to guess can make recovery harder.

A safe debugging flow

First, fix time sync. Second, verify the account label. Third, check whether you recently reset 2FA. Fourth, test the full otpauth:// URL or QR image if you have it. Fifth, use backup codes only when you are sure the authenticator path is broken.

Do not send your 2FA secret to support chat, screenshots, or public forums. The secret is enough to generate future codes.

When to reset 2FA

Reset 2FA only after you have ruled out time drift, wrong account entries, and old secrets. If you still cannot login, use official account recovery, backup codes, passkeys, or an admin reset path provided by the service.

FAQ

Why does my authenticator code change every 30 seconds?

That is normal for TOTP. The code is tied to a time window and changes when the next window starts.

Can BaseToolbox fix my authenticator app?

No. It can generate standard TOTP codes from a secret, URL, or QR image so you can check the setup. It cannot recover an unknown secret or bypass a service.

Is it safe to test a secret in the browser?

BaseToolbox processes the secret locally in your browser. Still, treat any 2FA secret like a password and avoid using tools you do not trust.

1. Your device time is wrong

Time drift is the classic TOTP failure. Most authenticator codes refresh every 30 seconds. If your phone or computer clock is off by even a small amount, the service may reject the code.

2. You picked the wrong account entry

3. The old secret was replaced

Use the most recent setup QR code or manual key. Delete or rename old entries only after you confirm the new one works.

4. You copied the secret key incorrectly

If the service gives an otpauth:// URL, paste the whole URL rather than only the secret. The URL can include period, digit count, algorithm, issuer, and account details.

5. The code length or algorithm is different

Most TOTP accounts use 6 digits, SHA-1, and a 30-second period, but not all of them. Some accounts use 8 digits, SHA-256, SHA-512, or a different refresh period.

If your app and the service disagree on these settings, the generated code will not match. A complete otpauth:// URL is safer than a bare secret because it carries those parameters.

6. You are using a QR code that is not TOTP

Some login systems use QR codes for push enrollment, device approval, or proprietary app pairing. Those QR codes may not contain a standard TOTP secret.

A standard authenticator QR usually decodes to an otpauth://totp/... URL. If a QR scanner cannot extract that kind of URL, it may not be usable in a generic TOTP generator.

7. The service is rate-limiting attempts

A safe debugging flow

Do not send your 2FA secret to support chat, screenshots, or public forums. The secret is enough to generate future codes.

When to reset 2FA

FAQ

Why does my authenticator code change every 30 seconds?

That is normal for TOTP. The code is tied to a time window and changes when the next window starts.

Can BaseToolbox fix my authenticator app?

No. It can generate standard TOTP codes from a secret, URL, or QR image so you can check the setup. It cannot recover an unknown secret or bypass a service.

Is it safe to test a secret in the browser?

BaseToolbox processes the secret locally in your browser. Still, treat any 2FA secret like a password and avoid using tools you do not trust.

Authenticator App Code Not Working? Check These 7 Causes

1. Your device time is wrong

2. You picked the wrong account entry

3. The old secret was replaced

4. You copied the secret key incorrectly

5. The code length or algorithm is different

6. You are using a QR code that is not TOTP

7. The service is rate-limiting attempts

A safe debugging flow

When to reset 2FA

FAQ

Why does my authenticator code change every 30 seconds?

Can BaseToolbox fix my authenticator app?

Is it safe to test a secret in the browser?

Ready to try it yourself?

Authenticator App Code Not Working? Check These 7 Causes

1. Your device time is wrong

2. You picked the wrong account entry

3. The old secret was replaced

4. You copied the secret key incorrectly

5. The code length or algorithm is different

6. You are using a QR code that is not TOTP

7. The service is rate-limiting attempts

A safe debugging flow

When to reset 2FA

FAQ

Why does my authenticator code change every 30 seconds?

Can BaseToolbox fix my authenticator app?

Is it safe to test a secret in the browser?

Ready to try it yourself?