My MFA code is rejected
The most common reason a 6-digit TOTP code is rejected is device clock drift. VaultPAM's tolerance is ±60 seconds.
TOTP code is rejected
- Check your phone's time. iOS: Settings → General → Date & Time → Set Automatically must be on. Android: Settings → System → Date & time → Automatic date & time.
- Wait for a fresh code and re-enter. Each code is valid for 30 seconds.
- Make sure you are entering the code from the right account in your authenticator app. VaultPAM entries are labelled VaultPAM (your-org).
- If you recently moved phones, the secret may not have migrated. Re-enrol: Profile → Security → Reset authenticator app. You will need one of your recovery codes.
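Why a drifting phone clock gets a code rejected, shown as an added example (not VaultPAM's own code): a standard RFC 6238 verifier using the 30-second validity and ±60-second tolerance stated above. HMAC-SHA-1, reading ±60 seconds as ±2 time steps, and the sample secret and times are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 30        # seconds each code is valid (from the page)
TOLERANCE = 60   # accepted clock drift in seconds (from the page)
DIGITS = 6

def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP with HMAC-SHA-1 (assumed; the usual authenticator-app default)."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify(secret: bytes, code: str, server_time: int):
    """Return the matching step offset (-2..+2), or None if the code is rejected."""
    window = TOLERANCE // STEP                   # assumption: +/-60 s means +/-2 steps
    matched = None
    for k in range(-window, window + 1):
        candidate = totp(secret, server_time + k * STEP)
        # Constant-time comparison, and no early exit from the loop.
        if hmac.compare_digest(candidate, code) and matched is None:
            matched = k
    return matched

def drift_outcome(secret: bytes, server_time: int, phone_drift: int):
    """Server decision for a code generated by a phone whose clock is off by phone_drift seconds."""
    return verify(secret, totp(secret, server_time + phone_drift), server_time)

SECRET = b"12345678901234567890"   # constructed sample: the RFC 6238 test secret
NOW = 1_700_000_010                # constructed server time

if __name__ == "__main__":
    for drift in (0, 45, -60, 90, 300):
        result = drift_outcome(SECRET, NOW, drift)
        verdict = "rejected" if result is None else f"accepted (step {result:+d})"
        print(f"phone drift {drift:+4d}s -> {verdict}")
```

In this sketch matching is per 30-second step, so a phone that is just over a minute off may be accepted or rejected depending on where in the step the code was generated; setting the time automatically is the reliable fix.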
Hardware key not detected
- Re-plug the key. On macOS Safari, sometimes a browser refresh is required.
- On Windows, Edge/Chrome need the WebAuthn API — make sure you are on a recent browser.
- Verify the key is registered: Profile → Security → Hardware keys. If it's gone (someone removed it), re-register.
All factors lost
If you have lost access to every enrolled factor and have no recovery codes:
- Ask an Owner or Admin in your organization to reset your MFA from Organization → Members → pick user → Reset MFA.
- A reset requires the admin to complete their own step-up MFA (security measure).
- After reset, you re-enrol at next sign-in.
Do NOT share your recovery codes over chat or email. Treat them like passwords.