Why am I locked out after multiple failed login attempts?

Last updated May 20, 2026 | Account & security

If Valid Email Checker is telling you the account is temporarily locked, you almost certainly hit the 2FA-verification lockout. Our verify-2fa-totp and verify-2fa-email-code functions both count failed attempts in user_2fa_settings.failed_attempts. After 5 consecutive wrong codes, locked_until is set to 15 minutes in the future and any further verification attempt is short-circuited with a locked response (errorType: 'locked') until that timestamp passes. The first successful code after the lock expires resets the counter back to zero.

What triggers the count

  • Six-digit TOTP codes that fail validation (wrong number, expired window).
  • Email 2FA codes that no longer match or have lapsed.
  • Backup codes that do not match the stored hashed set.

Note that this lock is on the 2FA layer, not the password layer. A wrong password puts you back on the sign-in form without incrementing the 2FA failed_attempts counter. The counter only ticks when you have successfully passed the password step and are now failing the second factor.
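The lockout behaviour described above, as an added JavaScript sketch (not Valid Email Checker's own code). The in-memory row object, the codeIsValid flag, the injected now value and the 'invalid_code' errorType are assumptions; the column names, the thresholds and the 'locked' errorType come from this article.

```javascript
// Added illustration of the 2FA lockout state machine; not the service's source.
const MAX_FAILED_ATTEMPTS = 5;      // from the article
const LOCK_MS = 15 * 60 * 1000;     // 15 minutes, from the article

// row:         the two user_2fa_settings columns the article names
// codeIsValid: stands in for the real TOTP / email-code / backup-code check
// now:         milliseconds since epoch, injected so the logic is testable
function verifySecondFactor(row, codeIsValid, now) {
  // Short-circuit while locked: the submitted code is never evaluated, so a
  // correct code is refused too and the counter is left untouched.
  if (row.locked_until !== null && now < row.locked_until) {
    const minutes = Math.ceil((row.locked_until - now) / 60000);
    return {
      ok: false,
      errorType: 'locked',
      message: `Account temporarily locked. Please try again in ${minutes} minutes.`,
    };
  }

  if (codeIsValid) {
    // The first success, including the first one after an expired lock,
    // resets the counter to zero.
    row.failed_attempts = 0;
    row.locked_until = null;
    return { ok: true };
  }

  row.failed_attempts += 1;
  if (row.failed_attempts >= MAX_FAILED_ATTEMPTS) {
    // Assumption of this sketch: only a success clears the counter, so one
    // more wrong code after the lock expires starts a new 15-minute lock.
    row.locked_until = now + LOCK_MS;
  }
  return { ok: false, errorType: 'invalid_code' }; // hypothetical errorType
}

// Constructed walk-through: five wrong codes, then a correct code during the lock.
function demo() {
  const row = { failed_attempts: 0, locked_until: null };
  const t0 = 1_700_000_000_000; // constructed timestamp
  for (let i = 0; i < 5; i++) verifySecondFactor(row, false, t0);
  return verifySecondFactor(row, true, t0 + 3 * 60 * 1000);
}
```

In a database-backed function the counter increment and the locked_until write have to be a single atomic update per account, otherwise parallel requests can get more than five guesses in before the lock lands.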

What to do when you see the lock message

  1. Wait. The lock message itself tells you how many minutes are left ("Account temporarily locked. Please try again in 12 minutes."). Once the timer expires, you can try again with a fresh code.
  2. Check your phone clock if you use TOTP. Authenticator codes are time-derived — a clock that's drifted by more than 30 seconds will generate codes our server rejects. Most phones sync time over the network automatically; if yours doesn't, force a sync from Settings.
  3. Try a backup code. The 10-character backup codes work on the same input field as the 6-digit code. A successful backup code clears the lockout immediately.
  4. Contact support. If you have neither a working authenticator nor backup codes, email support@validemailchecker.com from your account address. After identity verification, we clear the lock and disable 2FA so you can set it up again.

What does NOT bypass the lock

  • Resetting your password. The 2FA layer is separate — a fresh password still has to pass the second factor before anything works.
  • Signing in from a different IP or device. The lock is per-account in user_2fa_settings, not per-IP.
  • Closing and reopening the browser. State lives server-side; tab refreshes do not help.

Sustained failures are themselves a signal

If the lock keeps triggering and you know your codes are correct, something is wrong: a stale authenticator entry, a broken phone clock, or — worst case — someone else trying your password and failing 2FA. Check the active sessions list and report any suspicious sign-in after you regain access.