Compass note
Most sign-in problems on the Industrial Alliance My Client Space portal trace to one of four causes: a forgotten password, a lost or out-of-sync authenticator, a browser whose stored cookies have gone stale, or an account that has been temporarily rate-limited after too many failed attempts. Working through each cause in order resolves the majority of cases without a phone call. The flow below is structured so a reader can scan it top to bottom and stop at the first match.
The password-reset walk-through
If the password is the problem, the self-service flow inside My Client Space resolves the issue in about eight minutes start to finish. The headline steps are simple: open the sign-in page, choose Forgot password, enter the registered email address, follow the recovery link, choose a new password, confirm with the second factor and sign in. The detail behind those steps matters because each one has a small failure mode that catches a portion of customers.
- Open the sign-in page. Navigate to the Industrial Alliance customer-portal sign-in screen and click Forgot password underneath the password field. The link opens the recovery form on the same domain — confirm the hostname before entering any data.
- Enter the registered email address. The portal sends a one-time recovery link to that address. The link expires after thirty minutes; if the email arrives later than that, request a new link.
- Open the recovery email and follow the link. The link opens a password-reset form on the official portal domain. If the email was forwarded between accounts, the link still works for the original recipient because the token is bound to the address, not to the device.
- Choose a new password. The portal requires at least twelve characters, mixed case, at least one digit and at least one symbol. Avoid reusing a password from any other site — password reuse is the main vector for credential-stuffing attacks against financial portals.
- Confirm with the second factor. Approve the change with the second factor configured on the account. That can be a TOTP code from an authenticator application, a one-time code over SMS, or a printed recovery code.
- Sign in with the new password. Return to the sign-in page, enter the email address and the new password, and complete the second-factor prompt once more. Active sessions on other devices terminate automatically when a password reset completes.
When the password is correct but the sign-in still fails
The most common cause of a stuck sign-in even when the password is correct is a stale browser cookie or a session token that the portal no longer recognises. Clear cookies for the carrier’s domain, close every tab pointed at the portal, and try again from a fresh tab. The fix takes thirty seconds and resolves a surprising portion of failed sign-ins.
The next most common cause is a clock-skew problem on the device that hosts the authenticator application. TOTP codes are time-sensitive: the algorithm assumes the device clock is within a small window of true time. A phone whose clock is several minutes off will produce codes that the portal rejects, even when the customer types them correctly. Re-enable automatic time synchronisation on the device and try the next code.
A third cause, less common but worth checking, is a corporate VPN whose exit point looks like a high-risk geography to the portal’s fraud-watch routine. The session may complete authentication and then be challenged again by a step-up MFA prompt that fails silently. Disconnect the VPN and try the sign-in from a residential network.
Recovering from a lost authenticator
The recovery flow for a lost or destroyed authenticator depends on whether the customer kept the printed recovery codes that were issued when MFA was first enabled. Each code is single-use, and there are usually ten in a set. The codes are deliberately stored offline by design — a printed sheet inside a household safe, a slip behind a bookmark in a paper diary, a copy in a password manager that is independently protected. Any of those storage locations counts; an unencrypted text file on the desktop does not.
If the recovery codes have been lost as well, the only remaining path is identity reverification through a customer-service agent. The agent will confirm policy details, ask for an answer to a security question and place a callback to the registered phone number on file. That flow is intentionally slower than self-service because it carries higher fraud risk; expect the call to take twenty to thirty minutes end to end.
Error-message reference
The table below lists the most common error messages a customer sees during sign-in, the underlying cause and the fix that resolves each one. Reading the table top to bottom is the fastest way to map a confusing message to a concrete next step.
| Error message | Likely cause | Fix |
|---|---|---|
| “Sign-in unsuccessful, please try again” | Wrong password or stale cookie | Reset password or clear cookies for the portal domain |
| “Verification code is invalid” | TOTP clock skew on the device hosting the authenticator | Re-enable automatic time sync on the device and try the next code |
| “Account temporarily locked” | Too many failed attempts within a short window | Wait thirty minutes or call customer service to release the rate limit |
| “Session expired, please sign in again” | Idle timeout reached after twenty minutes | Sign in again on the same device; no further action needed |
| “This browser is not supported” | Outdated browser version or missing JavaScript runtime | Update to a current major-version release of Chrome, Firefox, Safari or Edge |
| “Recovery code already used” | Recovery codes are single-use and the code has been consumed | Use a different code from the printed set, or call the reverification line |
Browser compatibility
The portal targets current major-version releases of Chrome, Firefox, Safari and Edge. It expects modern TLS, current JavaScript engines and a window width of at least eight hundred pixels. Older browsers may load the page but fail at the second-factor prompt because the cryptographic primitives expected by the MFA flow are not available in the older runtime. Mobile Safari and mobile Chrome are supported on current iOS and Android. The carrier intentionally does not support stock Android browsers from older devices because the underlying TLS stack on those platforms is no longer maintained.
The advisor branch — you may be in the wrong place
Brokers and licensed advisors authenticate through a different portal. The ia insurance advisor portal sits on a separate URL, supports hardware-key authentication and applies stricter session rules because each broker handles multiple client files in a working day. A customer-side credential never grants advisor-side access, even if the same person is both an Industrial Alliance customer and a licensed advisor for the carrier. Advisors who arrive on this page should follow the link to the advisor portal reference, which lays out the workbench and the contracting flow.
Frequently asked questions
My password works but the sign-in still fails — what is going on?
The most common cause is a stale browser cookie or a session token that the portal no longer recognises. Clear cookies for the carrier’s domain in the browser, close every tab pointed at the portal, and try again from a fresh tab. If the failure persists, the next likely cause is a clock-skew problem on a device that hosts the authenticator application — TOTP codes are time-sensitive and a phone whose clock is several minutes off will produce codes that the portal rejects.
I lost my phone and the authenticator app — how do I recover MFA?
The recovery flow uses the printed recovery codes that were issued when MFA was enabled. Each code is single-use and there are usually ten in a set. If the recovery codes have been lost as well, the only remaining path is identity reverification with a customer-service agent who can confirm policy details, an answer to a security question and a callback to the registered phone number. That call is intentionally slower than the self-service flow because it carries higher fraud risk.
Which browsers are supported by the My Client Space portal?
Current major-version releases of Chrome, Firefox, Safari and Edge are supported. The portal expects modern TLS, current JavaScript engines and a window width of at least eight hundred pixels. Older browsers may load the page but fail at the second-factor prompt because the cryptographic primitives expected by the MFA flow are not available. Mobile Safari and mobile Chrome are supported on current iOS and Android versions; older Android tablets running stock browsers from before 2018 are not.
I’m a broker, not a customer — am I in the right place?
No. Brokers and licensed advisors authenticate through the iA insurance advisor portal, which is part of the broader iA extranet. The advisor sign-in is on a separate URL, supports hardware-key authentication and applies stricter session rules because each broker handles multiple client files. Customer-side credentials never grant advisor-side access, even if the same person is both an Industrial Alliance customer and a licensed advisor for the carrier.
I keep getting locked out after a few failed attempts — can I unlock myself?
Yes, after a cool-down. The portal applies a temporary lock on the account after a small number of failed attempts in a short window — usually five attempts within ten minutes. The lock releases automatically after thirty minutes. If a customer needs immediate access, the customer-service phone line can verify identity and release the lock; the agent will not bypass MFA, only the rate-limit timer.
For broader Canadian consumer guidance on financial-services account security and fraud prevention, see the Financial Consumer Agency of Canada.