Why might a 2FA SMS code be rejected as 'invalid'?
Two common causes: the code expired (2-minute window) before being entered, or stale countdown state in the browser session; request a new code and use it immediately to resolve.
Two common causes:
- Code expired before it was entered. SMS codes have a two-minute expiry window. If the SMS arrives late (telco delays are common, especially at peak times), or the user gets distracted between receiving the code and typing it in, the code may have lapsed by the time it's entered. Solution: request a new code and use it immediately.
- Stale countdown state in the browser session. If the login page has been open for a while with the SMS code field visible, the page's internal state may be tracking an older code than the one most recently sent. Solution: refresh the page and request a new code from the refreshed state.
If neither resolves the issue:
- Check the phone number on file - if the user has changed mobile providers or numbers, the SMS may be going to an old number.
- Check signal / coverage at the user's location - weak signal can delay SMS to the point of expiry.
- Switch to an authenticator app - removes the SMS dependency entirely. Quickest long-term fix for users who repeatedly hit SMS issues.
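
The two causes above, sketched as an added example (not code from this page or from any particular product): a minimal server-side verifier that reports why a code is rejected. The class, the reason strings, and the rule that the login page holds a challenge ID tied to the most recently sent code are assumptions for illustration; attempt limiting is left out.

```python
import hashlib
import hmac
import secrets

CODE_TTL_SECONDS = 120  # the two-minute expiry window described above


class SmsCodeVerifier:
    """Hypothetical server-side store: one active challenge per user."""

    def __init__(self):
        self._active = {}  # user -> (challenge_id, code_digest, issued_at)

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.encode()).digest()

    def issue(self, user, now):
        """Create a new code; any earlier code for this user stops being valid."""
        challenge_id = secrets.token_hex(8)
        code = f"{secrets.randbelow(10**6):06d}"
        self._active[user] = (challenge_id, self._digest(code), now)
        return challenge_id, code  # code goes out by SMS, challenge_id to the page

    def verify(self, user, challenge_id, code, now):
        """Return 'ok', or the reason the code is rejected as invalid."""
        entry = self._active.get(user)
        if entry is None:
            return "no_active_code"
        active_id, digest, issued_at = entry
        if challenge_id != active_id:
            return "stale_page_state"  # page still tracks an older code
        if now - issued_at > CODE_TTL_SECONDS:
            return "expired"           # late SMS or slow entry
        if not hmac.compare_digest(digest, self._digest(code)):
            return "mismatch"
        del self._active[user]         # codes are single use
        return "ok"


def demo():
    """Constructed timeline (in seconds) reproducing both causes."""
    v = SmsCodeVerifier()
    results = {}
    cid1, code1 = v.issue("alice", now=0)
    results["late"] = v.verify("alice", cid1, code1, now=150)
    cid2, code2 = v.issue("alice", now=200)                     # new code requested
    results["stale"] = v.verify("alice", cid1, code2, now=210)  # page not refreshed
    results["fresh"] = v.verify("alice", cid2, code2, now=215)
    return results
```

Logging the reason on the server while showing the user a single "invalid code" message lets support staff tell the two causes apart without changing what the login page reveals.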