You enter your Mastodon username and password, then type the six-digit code from your authenticator app. Instead of entering your home timeline, the login page reloads and asks for the two-factor code again. This cycle, known as the two-factor login loop, can lock you out of your account for hours or days. The problem usually occurs because of a browser session cookie conflict, a time synchronization error on your authenticator device, or a server-side session misconfiguration. This article explains why the loop happens and provides three reliable methods to break the cycle and regain access to your Mastodon account.
Key Takeaways: Breaking the Mastodon Two-Factor Login Loop
- Clear browser cookies and cache: Removes corrupted session data that forces repeated two-factor prompts.
- Resync your authenticator app time: Corrects time drift on apps like Google Authenticator or Authy that generate invalid codes.
- Use a recovery code: Bypasses the two-factor prompt entirely and allows you to reconfigure two-factor settings from your account preferences.
Why the Two-Factor Login Loop Occurs on Mastodon
Mastodon uses a standard session-based authentication system. When you log in successfully, the server creates a session token stored in your browser as a cookie. Two-factor authentication adds a second verification step after password entry. If the session token is missing, expired, or corrupted, the server cannot confirm that you completed the two-factor step. It then redirects you back to the two-factor input page instead of granting access.
Three common root causes trigger this loop:
Corrupted Browser Session Cookies
Your browser stores a session cookie after password entry. If that cookie becomes corrupted due to a browser crash, extension interference, or manual cookie editing, the server treats your two-factor code submission as a fresh login attempt. The server asks for the code again, creating the loop.
Authenticator App Clock Drift
Time-based one-time password (TOTP) codes rely on the clock on your device. If your phone or computer clock drifts by more than 30 seconds from Mastodon’s server time, the generated code will be invalid. Mastodon rejects the code and reloads the prompt. This is especially common after daylight saving time changes or if the device has not synced its time automatically for a while.
Server-Side Session Configuration
Some Mastodon instances have aggressive session timeout settings or use reverse proxy configurations that strip session headers. This can cause the server to lose your session state between the password step and the two-factor step. The result is a loop that affects all users on the same instance, not just one account.
Steps to Fix the Mastodon Two-Factor Login Loop
Try these methods in order. Start with the simplest fix that does not require account recovery.
Method 1: Clear Browser Cookies and Cache for the Mastodon Instance
- Open your browser’s clear browsing data window
  In Chrome, Firefox, and Edge, press Ctrl+Shift+Delete. In Safari, go to Safari > Clear History.
- Set the time range to All time
  Select All time or Everything to ensure old session data is removed. If you choose a shorter range, the corrupted cookie may remain.
- Check Cookies and other site data and Cached images and files
  Uncheck other options unless you want to remove passwords or autofill data.
- Click Clear data
  Wait for the browser to finish. Close and reopen the browser completely.
- Navigate to your Mastodon instance and log in again
  Enter your username and password. When the two-factor prompt appears, open your authenticator app and enter the current code. The login should proceed to your home timeline.
Method 2: Resync Your Authenticator App Time
- Check your device’s system time
  On iPhone, go to Settings > General > Date & Time and enable Set Automatically. On Android, go to Settings > System > Date & Time and enable Use network-provided time. On Windows, right-click the clock in the taskbar and select Adjust date/time, then toggle Set time automatically to On.
- Force a time sync on your device
  Toggle the automatic time setting off and on again. This forces the device to query the network time server immediately.
- Resync Google Authenticator
  Open Google Authenticator, tap the three-dot menu, select Settings, and choose Time correction for codes. Tap Sync now. The app will adjust its internal clock offset.
- Resync Authy
  Open Authy, tap your account name, select Settings, and tap Time Correction. Tap Sync to update the time offset.
- Attempt to log in again
  Go to your Mastodon instance login page and try again. The newly synced code should match the server’s expected value.
Method 3: Use a Mastodon Recovery Code
- Locate your Mastodon recovery codes
  When you first enabled two-factor authentication, Mastodon displayed a list of single-use recovery codes. Check your password manager, email inbox for the instance’s confirmation email, or a printed copy you saved. Each code is a long alphanumeric string.
- Enter a recovery code at the two-factor prompt
  Type one of the recovery codes exactly as shown, including any hyphens or spaces. Mastodon accepts the code and logs you in without needing the authenticator app.
- Disable and re-enable two-factor authentication
  After logging in, go to Preferences > Account > Two-factor Authentication. Click Disable to turn off two-factor. Then click Enable to set it up fresh. This clears any corrupted server-side session state tied to the old authenticator configuration.
- Generate new recovery codes
  During the re-enable process, Mastodon will present a new set of recovery codes. Save them in a secure location immediately.
If Mastodon Still Has Issues After the Main Fix
Login Loop Persists After Clearing Cookies
If the loop continues after clearing cookies, a browser extension may be interfering. Try logging in from a private or incognito window. In Chrome, press Ctrl+Shift+N. In Firefox, press Ctrl+Shift+P. If the login succeeds in private mode, disable extensions one by one to identify the culprit. Ad blockers, privacy extensions, and session managers are common causes.
No Recovery Codes Available
If you cannot find your recovery codes and the authenticator app is not working, contact your Mastodon instance administrator. Provide your account username and the email address associated with the account. The admin can disable two-factor authentication from the server backend using the Mastodon admin panel. This is a manual process and may take a few hours depending on the admin’s availability.
Instance-Wide Login Loop Affecting Multiple Users
If other users on the same instance report the same two-factor login loop, the problem is server-side. The instance admin should check the reverse proxy configuration, session cookie settings, and the Mastodon version. Upgrading to the latest Mastodon release often fixes session-related bugs. The admin can also temporarily disable two-factor enforcement from the admin settings to allow users to log in and reconfigure their authenticator apps.
| Item | Clearing Browser Cookies | Recovery Code Method |
|---|---|---|
| Best for | Corrupted session data on a single device | Lost authenticator access or time sync failure |
| Requires | Browser access to the instance login page | A previously saved recovery code |
| Time to complete | 2 to 5 minutes | 5 to 10 minutes |
| Risk of data loss | None | None if recovery codes are saved |
| Effectiveness | High for cookie-related loops | High for all loop types |
You can now break the Mastodon two-factor login loop by clearing your browser cookies, resyncing your authenticator app, or using a recovery code. After regaining access, consider saving your recovery codes in a password manager and setting up a second authenticator app as a backup. For future prevention, keep your device clock synchronized and avoid clearing only partial browser data when troubleshooting login issues.