Synchronize a Hardware Token

About Synchronous Authentication Mode

Note: The process for synchronizing an ActivID software token is different. For more information, see Synchronize a Soft Token.

In the Synchronous authentication mode, the authentication device and the server each use the same authentication key and the same method to derive new keys. Each time the device generates a password, it derives a new key, and each time the server successfully validates a password from the device, the server derives a new key, allowing the device and the server to stay synchronized.

The following table lists what happens if a user generates passwords without sending them to the server, and what happens once the device has generated more passwords than the configured maximum number of tries allowed:

If... | Then...
For whatever reason, a user generates passwords with their device without sending them to the server. | The user’s device eventually becomes out of sync with the authentication server.
The user’s authentication device has generated more passwords than the number specified as the maximum number of tries allowed (without successfully sending the passwords to the server). | You have to help the user synchronize the device.

Note: The Synchronize options are different in the Administration Console and the Web Help Desk; the Counter field might not be available. See below for instructions on enabling the Counter field.

Clock and Counter Values

By default, the 'Clock and Counter' and 'Counter' synchronization options are disabled to avoid damage to the device data.

Note: For Soft Token v2 TOTP, the Clock synchronization option is always enabled.

When enabled, the available options depend on the type of device:

  • Counter - Soft Token v2 HOTP and Mini Token AE and OE only.
  • Clock and Counter - Mini Token AT and OT and Token v2 only.

To enable the options, edit the <INSTALL_DIR>\ActivIdentity\AAA\WebHelpDesk\whd\WEB-INF\web.xml file and add the EnableDeviceCounterResynchronization init-param shown below to the portal servlet:

<servlet>
   <servlet-name>portal</servlet-name>
   <servlet-class>com.activcard.pack.web.WHDServlet</servlet-class>
   <init-param>
      <param-name>EnableDeviceCounterResynchronization</param-name>
      <param-value>1</param-value>
   </init-param>
   ...
</servlet>

To disable the options again, set the value to 0.

For further information, contact HID Global technical support.

  1. Select the corresponding link for the user’s device in the Device ID column of the search results form.
  2. Select Synchronization in the device data page.

    The Synchronization help desk page is displayed:


  3. Select the Synchronize with password option and:

    1. Ask the user to generate a password with their device.
    2. Enter the provided password in the Password field and click Synchronize.

    The following table lists what happens after you click Synchronize, depending on how far out of sync the device is with the AAA Server.

    If... | Then...
    The device is not too far out of sync with the AAA Server. | The AAA Server successfully synchronizes with the device.
    The device is too far out of sync with the server. | The user must give you the device’s current clock and/or authentication counter values.

  4. Alternatively, if the option is enabled and the device is a Mini Token AE or OE, select the Synchronize with counter option and:

    1. Ask the user to provide the current counter value on their device and enter it in the Counter field.
    2. Click Synchronize.
  5. Alternatively, if the option is enabled and the device is a Mini Token AT or OT, or a Token v2, select the Synchronize with clock and counter option and:

    1. Ask the user to provide the current clock value on their device and enter it in the Clock field.
    2. Ask the user to provide the current counter value on their device and enter it in the Counter field.
    3. Click Synchronize.

Refer to your device’s user documentation for instructions on how to view the clock and counter values. If the user is authenticating with an ActivID USB key, retrieve the values with the ActivClient User Console or the Gold utilities.
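The following Python model is an added illustration of the synchronous mode described above and of the difference between the "Synchronize with password" and "Synchronize with counter" options; it is a constructed example, not ActivID's own algorithm or code. The Device and Server classes, the derive_password function (HMAC-SHA1 with RFC 4226 truncation) and the max_tries look-ahead are assumptions made for the illustration.

```python
import hmac
import hashlib
import struct

# Constructed model: a counter-based synchronous token. The password for each
# counter value is derived with HMAC-SHA1 and RFC 4226 truncation (assumption;
# the real device's derivation is not described on this page).
def derive_password(key: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Device:
    """The user's token; `counter` is the next counter value it will use."""
    def __init__(self, key: bytes, counter: int = 0):
        self.key, self.counter = key, counter

    def generate(self) -> str:
        pwd = derive_password(self.key, self.counter)
        self.counter += 1          # a new value is used up whether or not it is sent
        return pwd


class Server:
    """The authentication server; advances its counter only on a successful match."""
    def __init__(self, key: bytes, max_tries: int = 10):
        self.key, self.counter, self.max_tries = key, 0, max_tries

    def _search(self, password: str, window: int) -> bool:
        for i in range(window):
            if hmac.compare_digest(derive_password(self.key, self.counter + i), password):
                self.counter += i + 1  # move past the matched value: old passwords cannot be replayed
                return True
        return False                   # no match: server state is left untouched

    def authenticate(self, password: str) -> bool:
        """Normal login: only passwords within the max-tries look-ahead window are accepted."""
        return self._search(password, self.max_tries)

    def synchronize_with_password(self, password: str, window: int = 1000) -> bool:
        """Help-desk 'Synchronize with password': a wider window, but still requires a valid password."""
        return self._search(password, window)

    def synchronize_with_counter(self, counter: int) -> None:
        """Help-desk 'Synchronize with counter': overwrites server state with an operator-supplied
        value and performs no password check, which is why the option is disabled by default."""
        self.counter = counter
```

The model reproduces the page's table: unsent passwords within the max-tries window still authenticate, more than that forces a help-desk synchronization, and only the counter option can recover a device that is too far out for the password search.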