
Symantec VIP error "4923: The OTP you provided is within the Sync window, but outside the Look Ahead Window. This operation requires a second consecutive OTP."


Article ID: 222352


Products

VIP Service

Issue/Introduction

Validation with a Symantec VIP token fails with error "4923: The OTP you provided is within the Sync window, but outside the Look Ahead Window. This operation requires a second consecutive OTP." The authenticateUser status code is 604A: OTP out of sync.

Cause

Symantec VIP credential IDs are synchronized with the VIP cloud per the credential security settings within an organization's VIP Manager:

  • If the device clock drifts slightly ahead or behind, VIP services accept the security code for the credential ID.
  • If the system clock drifts outside the validation window but remains within the auto sync window, VIP services resynchronize with the credential ID and accept the security code.
  • If the system clock drifts outside both the validation and auto sync windows but remains within the manual sync window, the VIP service responds with an 'invalid OTP'. Error 4923 or 12 is seen in the logs. To resolve, the user can resync their credential by using 2 successful and consecutive security codes (may require 2 login attempts).
  • If the system clock drifts outside the manual sync window, validation will consistently fail with an 'invalid OTP' 49b5 or 12 error, and the credential must be replaced or reinstalled.

 

Resolution

Resetting the credential requires a resynchronization of the credential with 2 consecutive, unique security codes: 

  • The credential can be reset by the end-user through the My VIP/Self-Service Portal, VIP Credential test, or by your organization's helpdesk using the reset link on the credential assigned to the user in VIP Manager.
  • If the error occurs during a validation flow, a second validation attempt using the next consecutive security code can be used. The second attempt will result in an 'invalid security code', but the credential ID will be resynchronized and the error will not be seen during the next login. 
  • Authorized VIP Administrators can adjust the credential security setting levels within their VIP Manager portal.
  • For custom apps, logic can be added to present the user with 2 additional security code fields and call the Synchronize or CheckOTP web API.

Important: Resynchronization should be performed only after the system time has been corrected. Frequent 4923 or 49b5 errors can be an indicator of a drifting system clock.
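
The drift cases under Cause and the two-code resynchronization under Resolution can be modelled as follows. This is an added example, not Symantec's code or the VIP service's implementation: it assumes RFC 6238 time-based codes, the window sizes are constructed values rather than VIP defaults, and `WindowedValidator` and its names are hypothetical.

```python
import hashlib, hmac, struct

STEP = 30  # seconds per OTP time step (RFC 6238 default; assumed here)

def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226/6238 code for one time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(num % 10 ** digits).zfill(digits)

class WindowedValidator:
    """Toy server-side validator; window sizes (in steps) are constructed values."""
    def __init__(self, secret, validation=1, auto_sync=5, manual_sync=20):
        self.secret = secret
        self.validation, self.auto_sync, self.manual_sync = validation, auto_sync, manual_sync
        self.offset = 0      # learned token drift, in steps
        self.last = None     # highest counter already consumed (replay guard)
        self.pending = None  # counter matched by the previous out-of-window OTP

    def validate(self, otp: str, now: int) -> str:
        server = now // STEP
        base = server + self.offset
        # Search the nearest drift first so the smallest plausible drift wins.
        for d in sorted(range(-self.manual_sync, self.manual_sync + 1), key=abs):
            if hmac.compare_digest(totp(self.secret, base + d), otp):
                break
        else:
            self.pending = None
            return "invalid: outside manual sync window (49b5)"
        hit = base + d
        if self.last is not None and hit <= self.last:
            return "invalid: code already used"
        if abs(d) <= self.auto_sync:
            resynced = abs(d) > self.validation
            if resynced:
                self.offset = hit - server
            self.last, self.pending = hit, None
            return "accepted: auto-resynced" if resynced else "accepted"
        if self.pending is not None and hit == self.pending + 1:
            # Second consecutive code: resync, but this attempt still fails.
            self.offset, self.last, self.pending = hit - server, hit, None
            return "invalid: resynchronized, next code will validate"
        self.pending = hit
        return "invalid: second consecutive OTP required (4923)"
```

The returned strings reuse the article's error numbers only as labels for the matching case; the replay guard is an addition of this model and is not described in the article.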
