We use TOTP for MFA in AWS. Twice now I've had the situation where my token has had the wrong time and the workaround is to enter two successive tokens one minute apart to resync my token with AWS. I didn't RTFA, but I'm assuming it's at least _possible_ to implement an "oh crap!" fallback like this.