Clean resync starts with the seed: confirm every device is using the same secret and that the server is set to the right algorithm and digit length. If your platform supports it, try the next few codes to let the server “catch” the client; that realigns both sides without drama. Document three rules: one person per token, one press per attempt, and no stress-testing in production. There’s a readable breakdown in the middle of this overview — [otp tokens . otp mfa](https://otp2.org/)
 that shows setup, storage, and counter windows in plain language. Store seeds in the team vault, keep bypass codes for emergencies, and practice a short rollback plan so lockouts don’t stall work.