Troubleshooting MFA sign-in

The multi-factor authentication (MFA) account sign-in process involves entering a numeric code generated by an authenticator app on your mobile phone, as well as your username and password. The following tips will help you troubleshoot an MFA sign-in issue.

Note: If sign-in keeps failing, do not keep trying. After several sign-in attempts, your account will be locked. Once it's locked, you will have to check your email for unlock instructions (or you can reset your password) before you can try again.

Activating MFA

If your administrator has turned on enforced MFA, you will be required to activate MFA even if you previously signed in without it. Follow the step-by-step instructions in Using multi-factor authentication (MFA).

Fixing sign-in or activation errors

If you keep encountering errors when entering the security code from your authenticator app, make sure the time is accurate on your mobile device, or the time-based security code will not validate.

Also, if the time on your authenticator app is not synced correctly, the MFA activation or sign-in attempt may be unsuccessful. If you are using Google Authenticator:

  1. From Google Authenticator, navigate to the main menu.
  2. Click Settings.
  3. Click Time correction for codes.
  4. Click Sync now.

On the next screen, the app will confirm that the time has been synced, and you can now sign in. This change will only affect the internal time of your authenticator app and will not change your device’s date and time settings.

Signing in without your mobile device

If your mobile device stops working or is destroyed, lost, or stolen, you can use your one-time recovery MFA token instead of the code generated by the authenticator app. You may have saved the recovery token to a password manager or an encrypted notes app.

The recovery token is a fallback authentication method, and is not something you typically use. The recovery token can only be used once.

The recovery token for an MFA enabled account

MFA-new-recovery-code.png

IT Glue will not disable MFA after you sign in, so if you need to sign in again without your mobile device, you have two options:

  1. You can generate a new recovery token and store it in a secure place for later use.
  2. You can disable MFA only if MFA is not enforced on your IT Glue account. Enforced MFA is when all users of the account are required to enable MFA. If MFA is enforced, you will be forced to set up MFA at your next sign in.

If you don't do one of these two options, and then you sign out of your account, you won't be able to sign in again.

Replacing your mobile device / resetting MFA

If you need to replace your mobile device for any reason, you must first reset MFA. After your MFA is reset, you can add the new device.

You have a recovery token Sign in and reset your MFA by disabling and re-enabling MFA in your profile. Make sure you save the new recovery code.
You don't have a recovery token

Contact any Administrator on the account. To reset your MFA, an Administrator will need to edit your account under Account > Users and then click Reset MFA.

If you are the only Administrator on your account, see Recovering a lost MFA code for an Administrator.

Was this article helpful?
1 out of 3 found this helpful