ValidEmailChecker

Why am I asked to confirm 2FA again on a sensitive action?

Last updated May 20, 2026Account & security

Even with a valid session, some actions inside Valid Email Checker open a separate 2FA prompt before they go through. It is the same six-digit-code modal you see at sign-in, asking for your current authenticator code or an email code, this time as a step-up check at the exact moment of the privileged action. Once you enter a fresh code, the action runs and you are not prompted again until the next sensitive action.

What counts as a sensitive action

  • Saving or rotating payment processor credentials in admin settings.
  • Operations that move credits in bulk or change billing in a way that is hard to reverse.
  • Disabling 2FA itself (you have to prove you still control the second factor).
  • A small number of other admin and account-level changes that the platform classifies as high risk.

Why a fresh code on a logged-in session

Sign-in proves you held the second factor at the moment you logged in, maybe hours or days ago. Between then and now, a stolen session token would let an attacker impersonate you without ever touching your 2FA app. The step-up prompt closes that window by requiring proof of the live second factor right when the action lands. Internally, the verification happens server-side at the same moment the privileged operation runs — there is no separate "yes you passed 2FA already" cache the attacker could replay.

How the prompt picks a method

If you only have authenticator-app 2FA enabled, the prompt asks for a TOTP code. If you only have email 2FA enabled, it emails you a fresh code and asks you to paste it. If you have both enabled, the prompt defaults to authenticator with a Use Email Instead link in case your phone is unreachable. The selection lives in your Account Settings, Security tab — see how do I switch from email to authenticator 2FA for the details.

What to do if you can't pass the prompt

  • Authenticator code rejected. Make sure your phone clock is set to network time — TOTP codes drift if the clock is off. Try the next 30-second code if you mistyped.
  • Email code never arrives. Check spam and try Resend Code. Corporate spam filters occasionally delay these by a minute or two.
  • No access to either factor. Use one of your backup codes. The same code input accepts a 10-character backup code in place of the 6-digit one.
  • Locked out by repeated wrong codes. After 5 failed attempts the 2FA system locks for 15 minutes. Wait it out or contact support.
Keep the authenticator on the same device you work from
Step-up prompts are far less annoying when your phone is within arm's reach. If your workflow involves a desktop and your phone is in another room, consider an authenticator that runs on the same machine (1Password, Bitwarden, Authy desktop) so a TOTP code is one keystroke away.

Related questions

How do I enable two-factor authentication (2FA) on my account?
Where do I find my 2FA backup codes again after the initial setup?
How do I switch from email 2FA to authenticator-app 2FA?
Security settings: password, two-factor authentication, and active sessions
Back to all FAQs

Still stuck? Email support