How to Fix Mastodon ‘Two-Factor Code Invalid’ on Login

You enter your password and then type the six-digit code from your authenticator app. Mastodon rejects it with a “Two-factor code invalid” error. This usually happens because your device clock is out of sync with Mastodon’s server clock. Time-based one-time passwords (TOTP) rely on accurate time synchronization between your authenticator app and the service. This article explains why the error occurs and provides the exact steps to fix it on both mobile and desktop authenticator apps.

Key Takeaways: Fixing Mastodon Two-Factor Code Invalid Error

  • Authenticator app clock sync: The most common cause is a time drift on your phone or authenticator app. Resyncing the clock resolves the issue in most cases.
  • Time zone and automatic time settings: Enabling automatic date and time on your device ensures TOTP codes match the server’s expected window.
  • Browser or cookie conflict: A stale session or cached data can cause code rejection even when the code is correct. Clearing cookies or using incognito mode helps isolate the problem.

Why Mastodon Rejects a Valid Two-Factor Code

Mastodon uses the Time-based One-Time Password (TOTP) algorithm for two-factor authentication. This algorithm generates a new six-digit code every 30 seconds based on the current Unix timestamp and a secret key shared between Mastodon and your authenticator app.

Both your device and Mastodon’s server must agree on the current time within a small tolerance window, typically plus or minus 30 seconds. If your device clock drifts outside that tolerance, even by a few seconds, the generated code will fall outside that window. Mastodon then rejects it as invalid even though the code is mathematically correct for your device’s time.
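The following is an added example, not Mastodon's own code: a minimal RFC 6238 TOTP generator and a server-side check that reports which 30-second step a submitted code matched, so you can see where clock skew turns into a rejection. It assumes HMAC-SHA1, six digits and a tolerance of one step either side; the secret is the public RFC 6238 test key, and the server time and skew values are constructed.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per code, as described in this article
DIGITS = 6   # six-digit codes

# Constructed sample secret: the public ASCII test key from RFC 6238, Appendix B.
SECRET = b"12345678901234567890"


def totp(secret: bytes, unix_time: float) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the 30-second step containing unix_time."""
    counter = int(unix_time) // STEP
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret: bytes, code: str, server_time: float, drift_steps: int = 1):
    """Return the step offset (0, -1, +1, ...) the code matched, or None if rejected.

    drift_steps=1 is an assumed tolerance of one step either side of server time.
    """
    for k in sorted(range(-drift_steps, drift_steps + 1), key=abs):
        candidate = totp(secret, server_time + k * STEP)
        if hmac.compare_digest(candidate, code):  # constant-time comparison
            return k
    return None


def simulate(device_skew_seconds: float, server_time: int = 1_700_000_025):
    """Verify a code produced by a device whose clock is off by the given skew."""
    code = totp(SECRET, server_time + device_skew_seconds)
    return verify(SECRET, code, server_time)


if __name__ == "__main__":
    for skew in (5, 20, 45, -90):  # constructed skews, in seconds
        matched = simulate(skew)
        verdict = "rejected" if matched is None else f"accepted at step {matched:+d}"
        print(f"device skew {skew:+4d}s -> {verdict}")
```

A non-zero accepted offset means the device clock is already drifting and the next login may fail; widening `drift_steps` to hide that also lengthens the time a captured code stays usable.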

Common causes of clock drift include:

  • Manual time zone changes when traveling
  • Device battery drain that resets the internal clock
  • Network Time Protocol (NTP) updates failing on some networks
  • Authenticator app installed on a secondary device with unsynced time

Steps to Fix the Two-Factor Code Invalid Error

Method 1: Sync Your Device Clock

  1. Enable automatic date and time on your phone
    On Android, go to Settings > System > Date & time. Turn on “Use network-provided time” and “Use network-provided time zone.” On iOS, go to Settings > General > Date & Time. Turn on “Set Automatically.” This forces the device to pull the correct time from your carrier or an NTP server.
  2. Restart your device
    Power off the phone completely, wait 10 seconds, and turn it back on. This forces a fresh NTP sync and clears any temporary clock glitches.
  3. Generate a new code after the restart
    Open your authenticator app, wait for the next 30-second interval, and type the new code on the Mastodon login page.

Method 2: Resync the Authenticator App

  1. Open your authenticator app
    Most apps have a resync or time correction feature. For Google Authenticator on Android, tap the three-dot menu > Settings > Time correction for codes > Sync now. On iOS, Google Authenticator syncs automatically with the device clock, so follow Method 1 instead.
  2. For Microsoft Authenticator
    Open the app, tap the three-line menu > Settings > Account sync. Toggle “Account sync” off and on again. Then tap “Time sync” if available.
  3. For Authy
    Open Authy, tap your profile icon > Settings > Time correction. Select “Sync now.” Authy will adjust its internal clock to match your device.

Method 3: Use a Backup Code or Recovery Code

  1. Find your Mastodon backup codes
    When you first enabled two-factor authentication, Mastodon provided a set of single-use backup codes. Check your email inbox for the message from Mastodon with the subject “Your two-factor authentication backup codes.” If you saved them in a password manager, retrieve them from there.
  2. Enter a backup code on the login page
    On the Mastodon login screen where the two-factor code is requested, type one of the backup codes instead of the TOTP code. Each code works only once.
  3. Regenerate backup codes after login
    Once logged in, go to Preferences > Account > Two-factor authentication. Click “Regenerate backup codes” and store the new codes securely.

Method 4: Clear Browser Cookies and Cache

  1. Open your browser’s settings
    In Chrome, click the three-dot menu > Settings > Privacy and security > Clear browsing data. In Firefox, click the three-line menu > Settings > Privacy & Security > Cookies and Site Data > Clear Data.
  2. Select cookies and cached images
    Check “Cookies and other site data” and “Cached images and files.” Set the time range to “All time.” Click “Clear data.”
  3. Restart the browser and try logging in again
    Close the browser completely, reopen it, navigate to your Mastodon instance, and attempt login with a fresh TOTP code.

If Mastodon Still Shows the Error After the Main Fix

Two-Factor Code Invalid on Every Attempt

If you have tried all clock sync methods and the error persists, the secret key in your authenticator app may be corrupted. Remove the Mastodon entry from your authenticator app. Then log in to Mastodon using a backup code as described in Method 3. Go to Preferences > Account > Two-factor authentication. Disable two-factor authentication completely, then re-enable it. Scan the new QR code with your authenticator app.

Code Rejected Only on One Specific Browser or Device

This indicates a browser-specific issue rather than a time sync problem. Try logging in using an incognito or private browsing window. If the code works there, clear the browser’s cookies and cache as shown in Method 4. If the problem only happens on a mobile app, uninstall and reinstall the Mastodon app for your instance.

Authenticator App Generates Codes That Expire Before You Type Them

Some authenticator apps have a short code window. If the code changes while you are typing, wait for the next 30-second interval and type the code within the first 15 seconds. Alternatively, switch to an authenticator app that shows a countdown timer such as Google Authenticator or Authy.

| Item | Synchronized Clock | Drifted Clock |
| --- | --- | --- |
| Device time accuracy | Within 1 second of NTP time | More than 30 seconds off |
| Code acceptance rate | 99% on first attempt | 0% on any attempt |
| Fix required | None | Enable auto time sync or resync authenticator app |

After syncing your device clock and resyncing your authenticator app, the “Two-factor code invalid” error on Mastodon login should be resolved. If you still cannot log in, use a backup code to regain access and then reconfigure two-factor authentication from scratch. Always store your backup codes in a password manager before you need them.
