Troubleshoot Multi-Factor Authentication Issues

User issues

If you do not have your mobile device or your mobile device is turned off

If you have lost your device, you can finish authentication using the recovery code provided when you first signed up.

  1. Enter your email and password to log in, and click the Use the recovery code link.

  2. Enter your recovery code.

If you no longer have your recovery code, you will not be able to log in. Contact your system administrator for help accessing your account.

If you forget your password

If you have forgotten your password, click the Don't remember your password? link located underneath the email and password fields. Then, enter your email address to receive an email containing a link you can use to reset your password.

If your transaction expires

When logging in via MFA, there is a five-minute maximum between providing your first and second factors. You can see how much time has elapsed since you logged in using the first factor by checking the timestamp on the messages provided.

If more than five minutes have elapsed, you will need to log in again and obtain a new code or notification.

If you are requesting SMS messages, make sure you are not exceeding rate limits.

If you need to remove or delete MFA from a user in your tenant

If you need to remove, delete, or reset MFA for a user, you should reset MFA.

If you did not receive an SMS message

If you did not receive your six-digit code via SMS, check that the phone number you provided is correct. If it is, make sure you have a cellular signal.

If you still are not receiving the messages, check with your service provider to confirm that messages are not getting blocked.

SMS message rate limits

If you attempt to send more than ten SMS messages to your device within one hour, you will see an error message about a rate limit exception.

When you exceed your messaging limit, you'll need to wait at least an hour after your request for your first message before requesting another. You will receive an additional attempt after the passage of each additional hour.

Rejected codes

If the 6-digit code in the Guardian or the Google Authenticator app is being rejected for sign in (often with the message Incorrect Code), first check that you are selecting the right application from the list in your authenticator app. If you've verified that you're selecting the correct application, make sure that your mobile device's clock settings are correct. One-time passwords are generated using Coordinated Universal Time (UTC), so your device's time must be correct for your code to work.

To check your clock settings:

  • Android Devices - Go to Settings > Date & Time. Make sure that the box next to Automatic is checked. To turn it off, go to Settings > Date & Time. Tap the box next to Automatic to un-check it.

  • iOS Devices - Go to Settings > General > Date & Time. Enable Set Automatically. If this setting was already enabled, you can disable it for a moment, then re-enable.

For questions or issues specifically regarding Duo, see Duo's documentation.

If you see the error "We cannot connect to real time channel"

If MFA doesn't execute properly and you see a "We cannot connect to real time channel" error, this is likely a Guardian-related problem. You can resolve it by forcing the Guardian hosted page to use HTTP polling instead of a WebSocket to monitor the MFA approval process.

  1. Go to Dashboard > Security > Multi-factor Auth.

  2. Enable the Customize MFA toggle.

  3. Find this line:

        {% if stateCheckingMechanism %}stateCheckingMechanism: ...{% endif %}

     Replace it with:

        stateCheckingMechanism: "polling"