eToken Pass resync failed

Hello all,
we installed PrivacyIDEA 3.7.3 on Ubuntu 18.04.6 LTS. It works fine with TOTP, Google-Authenticator, RADIUS, and some VPN in our test-environment.

Now we are testing the use of a hardware-token, eToken Pass. The import of aladdin-xml for a few test-tokens was successful, the token type is “hotp”

But if we resync token with the input of two consecutive hash-values it always responds “resync failed”.

After changing the sync window to “999999” the following is showing up in the debug-log:

[2022-09-22 11:56:12,733][1743][139929312982784][DEBUG][privacyidea.lib.tokens.HMAC:186] Entering checkOtp with arguments (<privacyidea.lib.tokens.HMAC.HmacOtp object at 0x7f43bc090da0>, ‘129923’, 999999) and keywords {}
[2022-09-22 11:56:12,733][1743][139929312982784][DEBUG][privacyidea.lib.tokens.HMAC:153] OTP range counter: 1 - 1000000
[2022-09-22 11:56:12,733][1743][139929312982784][DEBUG][privacyidea.lib.crypto:186] Entering decrypt with arguments (…) and keywords {}
[2022-09-22 11:56:12,733][1743][139929312982784][DEBUG][privacyidea.lib.crypto:186] Entering aes_cbc_decrypt with arguments (…) and keywords {}
[2022-09-22 11:56:12,733][1743][139929312982784][DEBUG][privacyidea.lib.crypto:200] Exiting aes_cbc_decrypt with result HIDDEN
[2022-09-22 11:56:12,734][1743][139929312982784][DEBUG][privacyidea.lib.crypto:200] Exiting decrypt with result HIDDEN
[2022-09-22 11:56:15,827][1743][139929312982784][DEBUG][privacyidea.lib.tokens.HMAC:198] Exiting checkOtp with result 358927
[2022-09-22 11:56:15,828][1743][139929312982784][DEBUG][privacyidea.lib.tokens.hotptoken:591] exit. Failed to verify second otp: nextOtp: ‘402893’ != otp2: ‘192992’ ret: False
[2022-09-22 11:56:15,828][1743][139929312982784][DEBUG][privacyidea.lib.tokens.hotptoken:198] Exiting resync with result False

Does anyone have an approach to troubleshooting?
Thanks in advance

Expert knowledge: In roughly 2012 there have been a couple of etoken Pass, that used a quirky keylength of 192 bit. This would not comply to any standard.

Thank you for your quick answer, cornelinux.
When importing the aladdin-xml there is a pgp public key shown up, which is of kind “RSA2048”. I assume, the keylength is also 2048 bit.
The etoken-pass has a production date 07/18/2022.
This is really strange to me.

Do you have an excerpt from the XML file?
If the tokens are that new, the file might also have changed. Why did you parchase these, anyways?

yes of course, here is an excerpt:

<?xml version="1.0" encoding="utf-8" ?>
<Token serial="AB123456">
<ProductName>eTPass 6.20</ProductName>
<Application ConnectorID="{abcdef12-3456-abcd-ef12-3456abcdef12}">

We bought this just to test how to handle an alternative authentication method. We think that not everyone wants to use their cell phone, but a separate token.

I personally would recommand buying other hardware tokens!

How long is the seed?

64 chars x 16 bit = 1.024 bit

64 Chars in Hex is 32byte = 256Bit.

So this looks like a SHA256.

Now you need to check if this is HOTP or TOTP.
…and in case of TOTP what is the time step.

Thank you for your patience, cornelinux. After I have imported the XML, the token type “hotp” appears in PI under “token detail”. I can’t change the token type via PI-surface.


If I press the button of the eToken several times, the same 6-digit number appears for 30s, and then another. The packaging in which the tokens were delivered says “token bundle etoken pass time”

In addition to the XML, another file (alpine.dat) was supplied by the vendor, which contains more information:

# ===== SafeWord Authenticator Records $Version: 100$ =====
dn: sccAuthenticatorId=AB123456
objectclass: sccCompatibleToken
sccAuthenticatorId: AB123456
sccTokenType: eToken-PASS-TS
sccTokenData: sccKey=abcdef123456abcdef123456abcdef123456abcdef123456abcdef123456abcd;sccMode=T;sccPwLen=6;sccTick=30;sccPrTime=2022/07/07 11:11:11;crypto=HmacSHA256;sccVer=6.2;
sccSignature: FG0---some base64 stuff ---n2T=

However, I cannot import this file into PI.
Is it possible to change the token type, or manually create a hardware token in PI?

Maybe this one works for you:

It is old. But basically you either

a) need to change the import file or
b) could change the data in the database

(It is old, because I did not know that anyone would buy etoken pass if it is not really, really, really necessary. Obviously you have quite a budget! :wink: