VIP Soft Token Code Remains Valid After Refreshing (Code Reuse)

Article ID: 436345

Products

VIP Service

Issue/Introduction

A user can still authenticate with a Symantec VIP soft token 6-digit code after that code has rotated off their device. The superseded code remains accepted for several minutes, so a code that was observed or intercepted during its display time could be reused for an unauthorized login after it has refreshed.

Environment

  • Symantec VIP Service
  • VIP Manager
  • VIP Soft Tokens (Mobile/Desktop)
  • VIP H/W Tokens

Cause

This behavior is typically caused by the validation window configured under Credential security settings in VIP Manager. The window exists to tolerate clock drift between the user's device and the VIP backend: the service accepts a code that matches any time step within a configurable number of steps around the current one, not only the step currently shown on the device. If the window is set too high, a code is accepted long after it has disappeared from the user's screen.

Resolution

To restrict the time window for code validity, adjust the policy settings in VIP Manager:

  1. Log in to VIP Manager.
  2. Navigate to the Account tab.
  3. Select Credential security settings from the left-hand menu.
  4. Locate the HOTP Time based section.
  5. Click Change settings.
  6. Select the option to Set Manually.
  7. Reduce the window to the minimum your environment requires: large enough to absorb minor clock drift, small enough that a code is rejected promptly once it has rotated off the device.
    • Note: Each step typically represents 30 seconds, so a high value such as 10 steps keeps a code valid for up to 5 minutes after it has refreshed.
  8. Click Save Changes.

Note: This article also applies to hardware tokens. For those, look for the HOTP Event Based section at step 4 above. Because event-based tokens advance a counter on each button press rather than on time, that window is a number of counter steps the backend will search ahead of the last accepted value, not a number of 30-second intervals. After saving either change, verify it by attempting to authenticate with a code that has already rotated off the device; it should now be rejected.
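To make the effect of the window concrete, the following added example (written for this article; it is not Symantec's code and does not reproduce VIP's internal implementation) models a backend that validates RFC 6238 TOTP codes with a configurable look-around window. It assumes a symmetric window of plus or minus N 30-second steps, 6-digit HMAC-SHA1 codes, and a constructed seed and timestamp. It shows that a 10-step window accepts a code 5 minutes after it was minted while a 1-step window rejects it after 60 seconds, and it adds the standard replay check (refusing a counter that has already been redeemed) that RFC 6238 recommends alongside any drift window.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # one time step; the article notes each window step is typically 30 s
DIGITS = 6          # VIP soft tokens display 6-digit codes

# Constructed demo seed for this example only; it is not a real VIP credential.
DEMO_SEED = b"example-vip-seed-0123456789"
T0 = 1_700_000_000  # constructed, fixed Unix timestamp so the results are deterministic


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, now: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(seed, now // step)


def find_matching_step(seed: bytes, code: str, now: int, window_steps: int,
                       step: int = STEP_SECONDS):
    """Backend-side check with a validation window.

    Accepts `code` if it matches any time step within +/- window_steps of the
    current step (a symmetric window is an assumption of this example).
    Returns the matching step counter, or None.
    """
    current = now // step
    for delta in range(-window_steps, window_steps + 1):
        counter = current + delta
        if hmac.compare_digest(hotp(seed, counter), code):
            return counter
    return None


def stale_code_accepted(window_steps: int, seconds_after_issue: int) -> bool:
    """Mint a code at T0 and present it `seconds_after_issue` later.

    True means the backend still accepts the code with this window size.
    """
    code = totp(DEMO_SEED, T0)
    return find_matching_step(DEMO_SEED, code, T0 + seconds_after_issue, window_steps) is not None


class ReplayAwareValidator:
    """Validation window plus a high-water mark on the redeemed counter.

    Even with a generous drift window, a code that has already been used to
    log in is refused the second time; this is the RFC 6238/4226 guidance for
    resisting replay of a captured code.
    """

    def __init__(self, seed: bytes, window_steps: int, step: int = STEP_SECONDS):
        self.seed = seed
        self.window_steps = window_steps
        self.step = step
        self.last_redeemed = -1   # highest counter accepted so far

    def validate(self, code: str, now: int) -> bool:
        counter = find_matching_step(self.seed, code, now, self.window_steps, self.step)
        if counter is None or counter <= self.last_redeemed:
            return False
        self.last_redeemed = counter
        return True


def replay_demo(window_steps: int):
    """Present one code twice within the same step; returns (first_result, second_result)."""
    v = ReplayAwareValidator(DEMO_SEED, window_steps)
    code = totp(DEMO_SEED, T0)
    return v.validate(code, T0), v.validate(code, T0 + 5)


if __name__ == "__main__":
    # 10-step window (5 minutes): a code that rotated off the device 5 minutes ago still works.
    print("10-step window, 300 s later:", stale_code_accepted(10, 300))
    # 1-step window: the same code is accepted one step later but refused two steps (60 s) later.
    print("1-step window, 30 s later:  ", stale_code_accepted(1, 30))
    print("1-step window, 60 s later:  ", stale_code_accepted(1, 60))
    # Replay check: second use of the same code within its window is refused.
    print("replay within window:", replay_demo(10))
```

The window only bounds how long a leaked code stays usable; the replay check is what stops the same code from being used twice inside that window. When reducing the VIP Manager window, the practical floor is the largest clock skew you actually observe on enrolled devices, typically one or two steps.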