Symantec VIP error "4923: The OTP you provided is within the Sync window, but outside the Look Ahead Window. This operation requires a second consecutive OTP."


Article ID: 222352


Products

VIP Service

Issue/Introduction

Validation with a Symantec VIP token fails with error "4923: The OTP you provided is within the Sync window, but outside the Look Ahead Window. This operation requires a second consecutive OTP."

authenticateUser status code 604A: OTP out of sync

Environment

VIP Service

Cause

Symantec VIP credential IDs are synchronized with the VIP cloud per the credential security settings within an organization's VIP Manager. The following is an explanation of the security code validity period and the impact of adjusting the credential security code settings in VIP Manager. 

For time-based Credential IDs (mobile, desktop, and most hard tokens):

  • If the time drifts slightly ahead or behind, VIP services recognize a slight security code/time mismatch and accept the security code.
  • If the time drifts outside the validation window but remains within the auto-sync window, VIP services recognize a broader security code/time mismatch and automatically re-sync the code to the time.
  • If the time drifts outside both the validation and auto-sync windows but remains within the manual sync window, VIP services recognize a wide security code/time mismatch and return Error 4923 (or Error 12 in the logs). The user must enter 2 consecutive security codes. VIP services then re-sync the code to the time (may require 2-3 login attempts).
  • If the time drifts outside the manual sync window, VIP services recognize an unacceptable security code/time mismatch and return the invalid OTP error 49b5 (or Error 12 in the logs). The credential must be replaced or reinstalled if multiple tests fail at vip.symantec.com.
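
The four drift tiers above and the two-code resync, modelled as an added example; this is not Symantec's code and not part of the original article. It assumes RFC 6238 TOTP with a 30-second step and illustrative window sizes (the real ones come from the credential security settings in VIP Manager), omits replay tracking, and uses hypothetical names (`Credential`, `validate`, `resync`, `demo`).

```python
import hmac, hashlib, struct

STEP = 30  # seconds per security code (assumed)
# Window half-widths in time steps. Assumed values, not VIP defaults.
VALIDATION, AUTO_SYNC, MANUAL_SYNC = 1, 5, 20

def totp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP over a time-step counter (RFC 6238 TOTP)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class Credential:
    def __init__(self, key: bytes):
        self.key = key
        self.drift = 0  # learned token clock offset, in steps

    def _find(self, otp, now, width):
        # Search nearest steps first; return the matching offset or None.
        base = now // STEP + self.drift
        for off in sorted(range(-width, width + 1), key=abs):
            if hmac.compare_digest(totp(self.key, base + off), otp):
                return off
        return None

    def validate(self, otp: str, now: int) -> str:
        off = self._find(otp, now, MANUAL_SYNC)
        if off is None:
            return "49b5 invalid OTP"
        if abs(off) <= VALIDATION:
            return "accepted"
        if abs(off) <= AUTO_SYNC:
            self.drift += off  # silent re-sync
            return "accepted, auto-resynced"
        return "4923 second consecutive OTP required"

    def resync(self, otp1: str, otp2: str, now: int) -> bool:
        # Manual sync: two consecutive codes pin the token's actual step.
        off = self._find(otp1, now, MANUAL_SYNC)
        base = now // STEP + self.drift
        if off is None or not hmac.compare_digest(totp(self.key, base + off + 1), otp2):
            return False
        self.drift += off
        return True

KEY, NOW = b"constructed-demo-key", 1_700_000_000  # constructed sample values
def demo(drift_steps: int) -> str:
    """Outcome for a fresh credential whose token clock is off by drift_steps."""
    return Credential(KEY).validate(totp(KEY, NOW // STEP + drift_steps), NOW)
```

Requiring the second consecutive code is what keeps the wide manual sync window from weakening validation: a single code only has to match one of many candidate steps, while a consecutive pair has to match two adjacent ones.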

 

Resolution

  • Ensure timely delivery of the security code to the VIP Cloud by resolving any latency between your application client and the VIP Enterprise Gateway, VIP Web Services, and/or the LDAP connections.
  • Resync the credential by entering 2 consecutive security codes as they appear on the VIP credential. This can be done in real-time using one of the following methods:
    • If available, the end-user can access your organization's My VIP or Self-Service Portal.
    • The end-user can access the VIP Credential page and click the test button, or your organization's helpdesk can use the reset link on the credential assigned to the user in VIP Manager.
    • A VIP administrator can reset the credential in VIP Manager. 
    • If the error occurs during a validation attempt, the user can try again using the next consecutive security code. The second attempt will result in an 'invalid security code', but the credential ID should be resynchronized for the next login attempt.  
    • For custom apps, the Synchronize or CheckOTP VIP web service APIs can be used to resync from within your application.
    • Authorized VIP Administrators can adjust the credential security setting levels within their VIP Manager portal.

 

Important: Correct the time on the device before performing a resync from a VIP mobile or desktop app. Frequent 4923 or 49b5 errors can indicate a drifting system clock.