Does the app or website you are trying to log into keep showing “expired or invalid 2FA code” even though you entered the code exactly as displayed in your authenticator app (such as Google Authenticator, Microsoft Authenticator or Authy)? This post is intended to help you resolve the problem.
2FA, which stands for Two-Factor Authentication, is a modern secure login option that has been implemented in most web applications and games today to provide better account security for users. While the 2FA login option is usually optional in most websites and applications, it is highly recommended that you use it to better protect your account.
Expired or Invalid 2FA Code from Microsoft or Google Authenticator
If the app or website you are trying to log into keeps returning an error message that says “invalid, incorrect, or expired 2FA code, please try again” and you are sure that you entered the exact code as shown in the authenticator app, try the following suggested solutions to resolve the problem.
Check the date and time of your device
In the majority of cases, an expired or invalid 2FA code error (despite entering the correct code displayed in the authenticator app) is caused by the date and time of the device on which the authenticator application (Google or Microsoft Authenticator) is installed not being in sync with the date and time of the app’s or website’s server.
Check that the date and time of the phone running the authenticator app are in sync with the official time. Go to the date and time settings of your device (iOS or Android) and make sure it is set to sync “automatically” with a network-provided time (not manually).
Since 2FA code authentication is very time sensitive (as it changes every few seconds), even a difference of a few seconds may cause the 2FA code to be invalid or expire. It’s best to sync the date and time of your device with one of the official time providers.
If the app or website you are trying to sign into belongs to you (such as your own WordPress site), you may also want to check if the server time is correctly in-sync with the official time and the time on your phone where you use the authenticator app.
Once the date and time are in sync, try logging into the app or website again with the 2FA code provided by your authenticator app and see if the problem persists.
Note that if you enter an incorrect 2FA code too many times, you may be blocked by the app’s or website’s login system, preventing you from retrying for a certain time period (lockout period). If you have been locked out by the app, try again after an hour or so.
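To see why the clock matters, here is an added Python example (not from the original post or from any authenticator app's code) that computes time-based codes as specified in RFC 6238 and checks a code from a phone whose clock is off. The 30-second step, 6 digits and HMAC-SHA1 are the RFC defaults assumed here, the server's acceptance window of one step either side is an assumption, and the secret is the RFC's published test secret.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid (RFC 6238 default, assumed here)
DIGITS = 6   # code length most authenticator apps display (assumed here)

def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code depends only on secret and clock."""
    counter = int(unix_time) // step                 # which 30 s slot we are in
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret: bytes, code: str, server_time: int, window: int = 1):
    """Server side: accept a code from up to `window` slots before or after the
    server's own slot. Returns the slot offset that matched, or None."""
    for drift in sorted(range(-window, window + 1), key=abs):
        candidate = totp(secret, server_time + drift * STEP)
        if hmac.compare_digest(candidate, code):     # constant-time comparison
            return drift
    return None

def simulate(secret: bytes, server_time: int, phone_skew: int, window: int = 1):
    """Phone clock differs from the server clock by `phone_skew` seconds."""
    phone_code = totp(secret, server_time + phone_skew)
    return verify(secret, phone_code, server_time, window)

# Constructed sample values: the RFC 6238 test secret (not a real key) and a
# fixed timestamp that falls one second before the end of a 30 s slot.
SECRET = b"12345678901234567890"
SERVER_TIME = 1111111109

if __name__ == "__main__":
    for skew, window in [(0, 0), (2, 0), (2, 1), (-40, 1), (300, 1)]:
        result = simulate(SECRET, SERVER_TIME, skew, window)
        verdict = "rejected" if result is None else f"accepted (slot {result:+d})"
        print(f"phone skew {skew:+4d}s, server window ±{window}: {verdict}")
```

Running it shows a phone only 2 seconds fast being rejected by a server that accepts no drift, because the phone has already crossed into the next 30-second slot, while a clock that is 5 minutes off fails even with the tolerance window.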
Use the recovery code
If you lose access to your phone or the authenticator app, the only way you can log in to your two-factor authentication protected account is to use the recovery code provided to you when you first set up 2FA.
When you first set up 2FA on a website or app using Google Authenticator or Microsoft Authenticator app, you will be provided a set of recovery codes.
These recovery codes, sometimes also known as backup codes, are a set of unique 2FA codes you can use to log in to your account in case you lose access to your authenticator app. That’s why it is extremely important to keep the recovery codes in a safe place (preferably a place you can remember).
If you are encountering an expired or invalid 2FA code error, or if you no longer have access to the authenticator app, you can use the recovery code to log into your account again.
Reset the Two-Factor Authentication of your account
Once you have successfully logged into your account using the recovery code, try disabling and re-enabling the two-factor authentication for your account. Doing so will require you to reset the 2FA again. You will also be provided with a new set of recovery codes.
If you don’t even remember where you keep the recovery codes, the only way left is to contact the support of the app or website you are trying to log into and see if they can help. In most cases, if they can verify that you are the actual owner of the account, they may be able to help you regain access to the account.