Symantec VIP error "4923: The OTP you provided is within the Sync window, but outside the Look Ahead Window. This operation requires a second consecutive OTP."

Article ID: 222352

Products

VIP Service

Issue/Introduction

Validation with a Symantec VIP token fails with error 4923: "The OTP you provided is within the Sync window, but outside the Look Ahead Window. This operation requires a second consecutive OTP." Also reported: authenticateUser status code 604A (OTP out of sync).

Cause

Symantec VIP credential IDs are synchronized with the VIP cloud when the credential ID is assigned to the app. If the time of the device clock drifts slightly ahead or behind, the VIP service will automatically synchronize the credential ID.

If the system clock drifts ahead or behind by more than the automatic resync window allows, but is still within the acceptable threshold settings for a manual resync, the VIP service responds with an 'invalid OTP'. Error 4923 is seen in the logs.

If the system clock drifts extremely far ahead or behind, the credential cannot be synchronized and will fail consistently with an 'invalid OTP' error. Error 49b5 is seen in the logs.

Resolution

Resetting the credential requires a resynchronization of the credential with 2 consecutive, unique security codes:

  • The credential can be reset by the end-user through the My VIP/Self-Service Portal, VIP Credential test, or by your organization's helpdesk using the reset link on the credential assigned to the user in VIP Manager.
  • For custom apps, logic can be added to present the user with 2 additional security code fields and call the Synchronize or CheckOTP API.
  • If the error occurs during a validation flow, a second validation attempt using the next consecutive security code can be used. The second attempt will result in an 'invalid security code', but the credential ID will be resynchronized and the error will not be seen during the next login.

Important: Resynchronization should be performed after the system time has been corrected. Frequent 4923 errors can be an indicator of a drifting system clock.
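
The three outcomes described under Cause and the two-code resynchronization described under Resolution can be modelled as follows. This is an added example, not Symantec code: it assumes RFC 6238 TOTP, and the `Credential` class, the window sizes `LOOK_AHEAD` and `SYNC_WINDOW`, and the 30-second step are illustrative assumptions, not VIP's actual settings.

```python
import hashlib
import hmac
import struct

STEP = 30          # seconds per OTP time step (assumed)
LOOK_AHEAD = 1     # steps either side accepted automatically (assumed)
SYNC_WINDOW = 20   # steps either side searched for a manual resync (assumed)

def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226/6238 one-time password for a given time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class Credential:
    """Hypothetical server-side record for one credential ID."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.drift = 0   # learned offset, in steps, between device and server

    def _find(self, otp, now, window):
        # Search outward from the expected step; return the offset or None.
        base = now // STEP + self.drift
        for d in sorted(range(-window, window + 1), key=abs):
            if hmac.compare_digest(totp(self.secret, base + d), otp):
                return d
        return None

    def validate(self, otp: str, now: int) -> str:
        d = self._find(otp, now, LOOK_AHEAD)
        if d is not None:
            self.drift += d            # small drift: automatic resync
            return "ok"
        if self._find(otp, now, SYNC_WINDOW) is not None:
            return "4923"              # in sync window: second consecutive OTP needed
        return "49b5"                  # outside every window: cannot be synchronized

    def resync(self, otp1: str, otp2: str, now: int) -> bool:
        # Accept only two consecutive codes; otp2 is taken as the device's current step.
        d = self._find(otp1, now, SYNC_WINDOW)
        base = now // STEP + self.drift
        if d is None or not hmac.compare_digest(totp(self.secret, base + d + 1), otp2):
            return False
        self.drift += d                # otp2's step (base + d + 1) becomes the expected step
        return True
```

Replay tracking (rejecting an already-used time step) is left out to keep the window logic visible; a production validator needs it.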
