Two-factor authentication failures usually come down to one of a small set of causes: a clock that's out of sync, a delayed text message, a stale authenticator app, or a genuinely expired session. The fix depends entirely on which one you're dealing with, so the first job is figuring out which symptom you actually have.
"Invalid code" even though the code looks right
This is almost always a clock synchronization issue. Authenticator apps (Microsoft Authenticator, Google Authenticator, Authy) generate codes based on the current time, using an algorithm that requires your device's clock and the server's clock to agree within a small margin — usually 30 seconds. If your phone's clock has drifted even slightly, codes that look correct will be rejected because they're calculated for the wrong time window.
- iPhone:
Settings > General > Date & Timeand make sure "Set Automatically" is on. - Android:
Settings > System > Date & timeand confirm automatic time zone and time are both enabled. - If automatic time is already on but the clock still seems off, try toggling airplane mode on and off, which forces the phone to resync with the cellular network's time signal.
Text message codes arrive late or not at all
SMS-based codes are the least reliable method, since they depend on carrier networks that can introduce delays of anywhere from a few seconds to several minutes during high traffic periods.
- Check you have cell signal — wifi alone won't deliver an SMS unless wifi calling/texting is specifically enabled and working.
- If a code arrives but the login page has already timed out by the time it does, request a new code instead of trying to use the late one — most systems invalidate the code tied to the expired session.
- If this happens repeatedly, switch to an authenticator app instead of SMS where the service allows it — app-based codes generate instantly on-device and don't depend on carrier delivery at all.
Push notification approval never shows up
If your 2FA method is "approve this login" via a push notification (common with Microsoft Authenticator and Duo), and the notification simply doesn't appear:
- Check the app has notification permissions enabled in your phone's system settings — this gets accidentally disabled more often than people realize, especially after an OS update.
- Confirm the app isn't restricted by battery optimization settings preventing background notifications (common on some Android phones with aggressive battery-saving modes).
- Open the authenticator app directly instead of waiting for the push — most apps show a pending approval request inside the app even if the notification itself failed to display.
Tip: if you recently got a new phone, make sure you transferred your authenticator app's accounts to the new device before getting rid of the old one. Authenticator apps generate codes from a secret stored locally on the device — losing that device without transferring first means losing access until you go through account recovery.
"Too many attempts" lockout
Most systems temporarily lock 2FA attempts after several failed tries in a row, as a security measure against brute-force guessing. If you're locked out:
- Wait the specified cooldown period (often 15-30 minutes) before trying again, rather than repeatedly retrying, which can sometimes extend the lockout.
- Double check you're not accidentally trying an old, already-used code from a previous login attempt — most systems reject reused codes outright, which looks identical to a wrong code.
Lost access to your 2FA device entirely
If your phone is lost, broken, or you no longer have the authenticator app set up, most services offer backup codes generated at setup time — check if you saved those somewhere (a password manager, printed copy) when you first enabled 2FA. If you don't have backup codes, you'll need to go through the service's account recovery process, which typically involves verifying your identity through an alternate method (recovery email, phone call, or in a work setting, contacting IT directly to have 2FA temporarily reset on your account).
The bottom line
Most 2FA failures that look mysterious trace back to a clock sync issue or a notification permission quietly getting disabled — neither of which is obvious from the error message alone. Identifying which specific symptom you're seeing narrows down the fix immediately, rather than guessing.