Start with the clock
TOTP depends on time. If your phone or computer clock is off, the authenticator may generate a valid code for the wrong 30-second window. Turn on automatic time sync and try again with a fresh code.
Check the account entry
Many people have several similar entries in an authenticator app. A code for a personal email account will not unlock the work account, even if both use the same provider.
Check the token
When you enter a Base32 token manually, remove spaces, line breaks, and labels. If you reset 2FA in the service settings, the old token will no longer generate accepted codes.
Compare with an online generator
Use the same secret in an online TOTP generator and compare the result with your app during the same refresh window. Matching codes suggest the generator logic is fine. Different codes point to token, time, or settings differences.
Bottom line
A rejected 2FA code usually has a practical cause: time drift, wrong account, copied token errors, or an outdated secret. Work through those checks before resetting the whole account.