Fun fact about authenticators like Google Authenticator and Authenticator Plus: they have their own internal clocks that can get out of sync with the server you’re logging into. Most of the time they don’t drift far enough to cause problems, but AWS is very, very particular about your clock being in sync with theirs.

If you find that AWS rejects your one time codes but the rest of your accounts work just fine, it’s probably a clock sync issue. In Google Authenticator the sync function is easy to find under ‘Time correction for codes’ in the menu. In Authenticator Plus it’s hidden behind ‘Others’ -> Sync with Google. Try that before you waste a morning trying to figure out how one and only one of your accounts got corrupted ;)