Troubleshooting — Login & MFA
When sign-in is the problem, work through this page top-to-bottom. The basic sign-in flow is covered in Sign in & first run; this is the deeper-dive companion for when something is wrong.
Decision tree

```mermaid
graph TD
    A[Cannot sign in] --> B{What error?}
    B -->|"Invalid username or password"| C[Wrong creds or wrong email]
    B -->|"Account locked"| D[Brute-force lockout]
    B -->|"MFA code rejected"| E[Time drift or wrong device]
    B -->|"Redirect loop"| F[Cookie or SSO config]
    B -->|"Cannot reach sign-in page"| G[Network or DNS]
    B -->|"Got in then bumped out"| H[Session / token expiry]
    C --> C1[Check email; try password reset]
    D --> D1[Wait 15 min; or unlock via support]
    E --> E1[Check device clock; use recovery code]
    F --> F1[Clear cookies; try incognito]
    G --> G1[Check DNS + corporate proxy]
    H --> H1[Re-sign-in; consider longer token lifetime]
```

"Invalid username or password"
Symptom-to-cause table
| Detail | Likely cause | Fix |
|---|---|---|
| Pretty sure the password is right | Typo (CAPS LOCK, locale-specific keyboard) | Click the eye icon to reveal what you typed |
| Just changed the password | Browser autofill still using old | Open password manager, update the saved entry |
| Was working yesterday | Org admin changed your account; or your account was suspended | Confirm with org admin |
| Account uses SSO only | Forgot Password flow is disabled for SSO-only | Sign in via the SSO button instead |
| Two emails — work + personal | Wrong email used | Check the invite email for the canonical address |
| First-ever sign-in to this org | You haven't accepted the invite yet | Find the invite email; click the link; complete sign-up |
Password reset
- Sign-in page → Forgot Password?
- Type your email
- Cloud Digit emails a reset link (check spam; sender is `noreply` at your Cloud Digit domain)
- Click within 30 minutes (single-use)
- Set a new password — must be ≥ 12 chars, with at least 1 uppercase + 1 digit + 1 special
If the reset email doesn't arrive within 2 minutes:
- Confirm email address is correct
- Check spam / junk folder
- Confirm `noreply@<your-cloud-digit-domain>` is allow-listed
- Your account may be SSO-only — the reset email isn't sent in that case (a different message is shown after submitting Forgot Password)
"Account locked" or rate-limited
Cloud Digit locks an account after 5 consecutive failed sign-ins from the same IP within 15 minutes. The lock is per-account + per-source-IP, lasts 15 minutes, and auto-clears.
If you're actually locked out:
- Wait 15 minutes then retry (most common path)
- Switch network — the lock is per-source-IP, so a different connection works
- Contact your org admin — they can force-unlock from Members → ⋯ → Unlock
- Contact Cloud Digit support — if no org admin is reachable, the support team can unlock with KYC-grade identity verification
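The lockout rule above, replayed over a constructed event list to show why the lock follows the (account, source IP) pair rather than the account alone. This is an added example, not Cloud Digit's code; the event tuple layout, the function names and the choice not to count attempts made during a lock are assumptions.

```python
from collections import defaultdict

MAX_FAILURES = 5        # consecutive failed sign-ins (from this page)
WINDOW = 15 * 60        # seconds in which they must occur (from this page)
LOCK_SECONDS = 15 * 60  # lock duration, after which it auto-clears (from this page)


def lock_state(events):
    """Replay (ts, account, ip, ok) events; return {(account, ip): locked_until}."""
    failures = defaultdict(list)  # (account, ip) -> timestamps of the current failure run
    locked_until = {}
    for ts, account, ip, ok in sorted(events):
        key = (account, ip)
        if locked_until.get(key, 0) > ts:
            continue  # assumption: attempts made during a lock are not counted
        if ok:
            failures[key].clear()  # a success ends the run of consecutive failures
            continue
        # Keep only failures still inside the 15-minute window, then add this one.
        recent = [t for t in failures[key] if ts - t < WINDOW] + [ts]
        failures[key] = recent
        if len(recent) >= MAX_FAILURES:
            locked_until[key] = ts + LOCK_SECONDS
            failures[key] = []
    return locked_until


def can_attempt(events, account, ip, now):
    """True when the (account, ip) pair is not locked at time `now`."""
    return lock_state(events).get((account, ip), 0) <= now


# Constructed sample: five failures one minute apart from a documentation-range IP.
SAMPLE = [(t, "alice@example.com", "203.0.113.10", False) for t in range(0, 300, 60)]

if __name__ == "__main__":
    print(lock_state(SAMPLE))
    print(can_attempt(SAMPLE, "alice@example.com", "203.0.113.10", 600))   # same pair
    print(can_attempt(SAMPLE, "alice@example.com", "198.51.100.7", 600))   # other IP
    print(can_attempt(SAMPLE, "bob@example.com", "203.0.113.10", 600))     # other account
```
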
MFA issues
"Code rejected"
| Cause | Fix |
|---|---|
| Device clock drifted | Re-sync clock (Settings → Date & time → Automatic). TOTP requires clocks within ±30 s |
| Wrong device | If you enrolled multiple devices, try the others |
| Old code | Codes rotate every 30 s — use the currently-displayed one, not one shown a moment ago |
| Wrong account in the authenticator | Many authenticators have multiple accounts; pick the one matching your Cloud Digit email |
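To see how the rows of this table differ on the verifying side, the sketch below computes RFC 6238 TOTP codes and separates a drifted or stale code from one generated with a different secret. It is an added example, not Cloud Digit's verifier; the acceptance window of one step either side, the wider diagnostic search and the function names are assumptions, and the secret is the RFC 6238 test value.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per code, per the table above


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the 30 s step containing unix_time."""
    counter = int(unix_time) // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def matching_step(secret: bytes, code: str, server_time: int, window: int):
    """Return the step offset (0 = current step) at which `code` is valid, else None."""
    for skew in sorted(range(-window, window + 1), key=abs):
        candidate = totp(secret, server_time + skew * STEP, len(code))
        if hmac.compare_digest(candidate, code):
            return skew
    return None


def classify(secret: bytes, code: str, server_time: int) -> str:
    """Map a submitted code to the causes listed in the table above."""
    # Assumption: the verifier accepts the current step and one step either side.
    if matching_step(secret, code, server_time, window=1) is not None:
        return "accepted"
    # Diagnostic search only: a window this wide must never be used to accept codes.
    skew = matching_step(secret, code, server_time, window=20)
    if skew is None:
        return "rejected: wrong account or device secret"
    return f"rejected: clock drift or old code ({skew:+d} steps)"


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test secret, not a real credential
    now = 1111111109                  # constructed server time
    for drift in (0, 20, -45, 65, -300):  # device clock error in seconds
        print(drift, classify(secret, totp(secret, now + drift), now))
```

A 20 s drift is accepted here only because it lands in the adjacent step; the 65 s case lands three steps away and is rejected, which is the "Device clock drifted" row.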
Lost MFA device
If your authenticator app is gone (lost phone, factory reset, app uninstalled):
- Use a recovery code — you were shown 10 single-use recovery codes at MFA enrolment. Each works once.
- No recovery codes saved → contact org admin. They can disable MFA for your account temporarily so you can re-enrol.
- No org admin reachable → contact Cloud Digit support with KYC-grade identity proof.
After regaining access, immediately re-enrol MFA and save the new recovery codes somewhere durable (1Password / Bitwarden / printed and locked in a desk).
Adding a backup MFA device
User menu → Account → MFA → + Add device. Recommended for everyone — adds an extra TOTP authenticator and lets you switch devices without an admin reset.
SSO redirect loops
Endless redirect between Cloud Digit and your IdP usually means:
| Cause | Symptom | Fix |
|---|---|---|
| Third-party cookies blocked | Redirect loop, no error | Allow cookies for Cloud Digit + your IdP domains; or test in incognito (which often has third-party cookies enabled by default) |
| `SameSite=Strict` policy | Redirect loop in specific browsers | Try a different browser; report to IT |
| IdP not configured for Cloud Digit | "Audience restriction not met" | Org admin: re-import SP metadata at the IdP |
| SAML cert rotated at IdP | "Signature validation failed" | Org admin: re-upload IdP metadata at Cloud Digit |
| Cloud Digit cert rotated | (rare; we communicate first) | Update SP metadata at the IdP |
For the full SSO setup checklist, see SSO / SAML / OIDC.
Cannot reach the sign-in page
| Symptom | Likely cause | Fix |
|---|---|---|
| Page never loads, browser spinner forever | DNS not resolving / corporate proxy blocking | `nslookup <your-cloud-digit-domain>`; ask IT to allow-list |
| `CONNECTION_TIMED_OUT` | Firewall blocking outbound 443; or BGP outage | Test from another network (mobile hotspot); check Status |
| `ERR_SSL_PROTOCOL_ERROR` | Old browser / OS without modern TLS | Update browser / OS; or use a newer machine |
| HTTP 5xx | Platform incident | Check Status; open ticket if not posted |
"Got in then bumped out"
Common — see Browsers, sessions & SPA quirks. Quick reference:
| Token | Default | When it expires |
|---|---|---|
| Access token | 5 min | Refreshes silently; you don't notice |
| Refresh token | 8 h | Sends you back to the IdP |
| Idle timeout | 30 min | Next click after inactivity → re-auth |
To raise these lifetimes for your org, request via support.
When to open a support ticket
Open a ticket when you've worked through this page and:
- The error message doesn't match anything here
- Multiple users in your org can't sign in (potential org-level config issue)
- The error mentions an internal code (e.g. `KC-AUTH-5xx`) — quote it in the ticket
- Your account is suspended but you don't know why
- Recovery codes don't work after device loss
- You suspect the account is compromised (sign-in from unfamiliar IP in your audit log) — this is urgent — see SIEM and consider rotating tokens immediately
What to include:
- Cloud Digit email
- Org name (or ID)
- Exact error message + timestamp + browser
- Whether the issue is reproducible in incognito (yes/no)
- Steps you've already tried
Related
- Sign in & first run — the normal flow
- Browsers, sessions & SPA quirks — token lifetimes
- SSO / SAML / OIDC — federation setup
- Users — for org admins managing other users' login issues
- Support — how to escalate