My MFA code is rejected

The most common reason a 6-digit TOTP code is rejected is device clock drift. VaultPAM's tolerance is ±60 seconds.

TOTP code is rejected

1. Check your phone's time. iOS: Settings → General → Date & Time → Set Automatically must be on. Android: Settings → System → Date & time → Automatic date & time.
2. Wait for a fresh code and re-enter. Each code is valid for 30 seconds.
3. Make sure you are entering the code from the right account in your authenticator app. VaultPAM entries are labelled VaultPAM (your-org).
4. If you recently moved phones, the secret may not have migrated. Re-enrol: Profile → Security → Reset authenticator app. You will need one of your recovery codes.

Hardware key not detected

1. Re-plug the key. On macOS Safari, sometimes a browser refresh is required.
2. On Windows, Edge/Chrome need the WebAuthn API — make sure you are on a recent browser.
3. Verify the key is registered: Profile → Security → Hardware keys. If it's gone (someone removed it), re-register.

All factors lost

If you have lost access to every enrolled factor and have no recovery codes:

1. Ask an Owner or Admin in your organization to reset your MFA from Organization → Members → pick user → Reset MFA.
2. A reset requires the admin to complete their own step-up MFA (security measure).
3. After reset, you re-enrol at next sign-in.

Do NOT share your recovery codes over chat or email. Treat them like passwords.

Related articles

• Set up MFA