My OTP code is rejected. What's the cause?
Your authenticator app (like Google Authenticator or Microsoft Authenticator) is almost certainly working perfectly, and your account is secure. The clock on your smartphone is simply not perfectly synced with the global time.
Here is how this system works "under the hood" and how to fix the problem in a minute.
1. The mechanics: What exactly is an OTP?
Most of the 6-digit codes you use are technically called TOTPs (Time-based One-Time Passwords).
Imagine the app on your phone and the server of the website you want to access as two secret agents. To recognize each other, they share two things:
- A secret mathematical formula (which they exchanged when you scanned the initial QR code).
- The exact time down to the second.
Every 30 seconds, both your phone and the server check the clock, and each uses the current time to calculate a new 6-digit code on its own, without contacting the other. If the clocks show the exact same time, the phone and the server will generate the same code. You enter it, and the door opens.
2. Why it fails: The out-of-sync clock
If your phone's clock is running too fast or has fallen behind by even just 45 or 60 seconds compared to Internet time, an incorrect code is generated and the authentication fails.
Your phone will calculate the valid code for 12:01, but the server will still be waiting for the 12:00 code. Even if you are perfectly copying the numbers from the screen, the two codes will never match, and your access will be denied.
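The mechanism and the failure described above, as an added example (not code from the original page): a minimal RFC 6238 TOTP in Python with a server-side check. The secret is the published RFC test key, the timestamps are constructed, and the `window` tolerance parameter is an assumption, since the page does not say how much drift a given server accepts.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds each code stays valid, as described above

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the 30-second step containing unix_time."""
    counter = struct.pack(">Q", unix_time // STEP)    # clock -> step number
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret: bytes, code: str, server_time: int, window: int = 0):
    """Return the step offset at which `code` matches, or None if rejected.

    `window` (an assumption, not from the page) is how many 30-second steps
    before/after its own clock the server is willing to accept.
    """
    for drift in range(-window, window + 1):
        expected = totp(secret, server_time + drift * STEP)
        if hmac.compare_digest(expected, code):       # constant-time compare
            return drift
    return None

# Constructed sample values: RFC 4226/6238 test secret and small timestamps.
SECRET = b"12345678901234567890"
SERVER_TIME = 70                  # server clock (step 2)
PHONE_FAST = SERVER_TIME + 60     # phone clock running 60 seconds ahead (step 4)

if __name__ == "__main__":
    in_sync = totp(SECRET, SERVER_TIME)
    skewed = totp(SECRET, PHONE_FAST)
    print("synced phone code:", in_sync, "->", verify(SECRET, in_sync, SERVER_TIME))
    print("fast phone code:  ", skewed, "->", verify(SECRET, skewed, SERVER_TIME))
    # A wider window only reveals how far off the phone is; fixing the clock is the cure.
    print("steps of drift:   ", verify(SECRET, skewed, SERVER_TIME, window=2))
```

A result of `None` means the code is rejected even though it was copied correctly; the last call shows the phone is two 30-second steps ahead of the server.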
3. The Solution: How to fix it
To fix this, you simply need to tell your phone to stop using "manual" time and align itself with the precise Internet time.
- If you have an iPhone (iOS): Go to Settings > General > Date & Time. Make sure the "Set Automatically" switch is turned on.
- If you have an Android: Go to Settings > System > Date & time. Make sure the "Set time automatically" (or "Use network-provided time") option is enabled.
Once done, close the authenticator app, reopen it to let it generate a fresh code, and you will see it works on the first try!

