Knowledge Base > Article [0038]

Sync SafeID token

Time drift is a common problem for any device with a clock. Your time-based SafeID token may suffer from it as well.

As you know, authentication takes place between the token and the DualShield server, and the time on the token is not identical to the time on the server. How much difference is tolerated, you may ask?

Well, the secret lies in the Token Policy (Administration -> Policies).

For SafeID time-based tokens, the default values for auto, check and manual sync are 30, 60 and 120 respectively.

Please note that the unit for these values is the window, not the second or the minute. How long does a window last? It depends on the token. Please check your token's product information.

For SafeID time-based tokens, a window is 60 seconds = 1 minute.

Assume your token and the DualShield server have a time difference of 10 (<30). During authentication, the server will auto sync this token. After the sync, the token (not the physical token, but its virtual copy in the DualShield system) will have a time similar to the server's. As you can imagine, even if the physical token drifts by 1 window every day, the system will auto sync it as long as it is used within 30 days. The end user sees nothing when auto sync happens.

Now let us say the time difference is 40 (>30, but <60). This is outside the auto sync range, but lands in the check sync range. During authentication, the end user will see a warning message saying the token is out of sync, but will still be given a chance to authenticate by providing some contiguous OTPs. After that, the token will be synchronized.

What if the time difference is 70 (>60, but <120)? In that case, authentication will fail with the error "Incorrect credentials". However, you can still ask the admin to do a manual sync in DMC, or you can do it yourself in Self Service if applicable.

In the worst case, with a time difference of 130 (>120), it might be time to recycle the token. Actually, the admin can modify the sync values so that your time-drifted token lands in one of the ranges, but keep in mind that a large value will increase the computational burden on the authentication server.
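
The three ranges walked through above can be modelled as a drift search around the server's current window. This is an added sketch, not DualShield code. It assumes RFC 6238 HMAC-SHA1 6-digit OTPs, two contiguous OTPs for check and manual sync, and range limits that are inclusive; the function names are hypothetical.

```python
import hashlib
import hmac
import struct

WINDOW_SECONDS = 60                 # one SafeID time-based window, per the article
AUTO, CHECK, MANUAL = 30, 60, 120   # default Token Policy values, in windows

def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """OTP for one window. Assumption: RFC 6238 HMAC-SHA1 with 6 digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    pos = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[pos:pos + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def find_drift(secret, otps, base, limit):
    """Search base-limit..base+limit, nearest first, for the window where the
    contiguous OTPs start. Costs up to 2*limit+1 HMAC rounds per OTP."""
    for dist in range(limit + 1):
        for drift in {dist, -dist}:
            if all(hmac.compare_digest(totp(secret, base + drift + i), otp)
                   for i, otp in enumerate(otps)):
                return drift
    return None

def authenticate(secret, otps, server_time, stored_drift=0):
    """Login path. Returns (outcome, drift to keep for the virtual token copy)."""
    base = server_time // WINDOW_SECONDS + stored_drift
    drift = find_drift(secret, otps[:1], base, AUTO)
    if drift is not None:                      # auto sync: silent to the user
        return "ok", stored_drift + drift
    if find_drift(secret, otps[:1], base, CHECK) is None:
        return "Incorrect credentials", stored_drift   # manual range or beyond
    if len(otps) < 2:                          # check range: warn, ask for more
        return "out of sync: enter contiguous OTPs", stored_drift
    drift = find_drift(secret, otps[:2], base, CHECK)
    if drift is None:
        return "Incorrect credentials", stored_drift
    return "ok after check sync", stored_drift + drift

def manual_sync(secret, otps, server_time, stored_drift=0):
    """Admin / self-service resync over the widest range. Assumption: two OTPs."""
    base = server_time // WINDOW_SECONDS + stored_drift
    drift = find_drift(secret, otps[:2], base, MANUAL)
    return None if drift is None else stored_drift + drift

if __name__ == "__main__":
    secret, now = b"constructed-demo-seed", 1_700_000_000   # constructed sample values
    late = [totp(secret, now // WINDOW_SECONDS + 40 + i) for i in range(2)]
    print(authenticate(secret, late[:1], now), authenticate(secret, late, now))
```

In this model, raising a limit raises the HMAC work per login in proportion, and it also raises the number of OTP values the server would accept at any instant (2*limit+1 candidate windows).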

If many tokens have the sync problem, it is highly likely that the machine DualShield is running on has an incorrect date/time. Please configure an Internet time server for it.