HOTP token seems out of sync


I have enrolled the Windows Credential Provider on my Windows 10 machine and set it up to use HOTP during remote desktop sessions. This worked for some time without any problems, but since a few weeks it more and more starts rejecting my HOTP tokens. It takes me at least 4-5 new tokens before the token is accepted, and when it is not I either get the message that the OTP-token is invalid or that the token is a previous token. It seems that it somehow got out of sync. Testing the current token in the PrivacyIdea web GUI also rejects the token. My authenticator is the Android app ‘Authenticator Pro’ and it has no issues with any other token it has to provide to other services. I checked my date/time on all involved devices and they are all in sync.

Any thoughts?


I found the expected token number on the server vs the token number on my phone. They are indeed out of sync, but I also get an idea as to why. Because I want to be certain that I can always login to my RDP PC (as it is my main management computer for our network) and I don’t want to be locked out if the PrivacyIdea is not working (for any reason), I have setup the offline file on my PC. Once the offline file has to be refilled, the token number on the server increments with the number of refilled offline tokens in my local offline file. In my case I setup 5 in the offline_threshold registry setting. So once my offline file is refilled, the server increments the expected token number by 5. Somehow the offline file is not used if the PC has a working connection to the PrivacyIdea server, so my phone code number is behind for about 5 codes, because the server expects the code to be 5 numbers ahead!

Can I resolve this situation, as I need to have offline codes, but also be able to login when the server is available?

Intended behaviour.

Read carefully 11. Machines — privacyIDEA 3.8 documentation

If this is the intended behaviour, then that implies that whenever offline tokens are used, you are unable to login if the computer is connected to the PrivacyIdea server before all tokens in the offline file are consumed. I.e. a laptop with 5 newly distributed offline tokens has been disconnected from the network, you login once at home, the next day you connect to the network and now the PrivacyIdea server is 4 tokens ahead of your phone authenticator… This makes it difficult to use, suppose I did not count how many offline codes I used, then I don’t know exactly how many tokens I must skip on my phone before it is accepted by the server. It would be more practical if whenever offline tokens are used, they are consumed first regardless of a connection to the PrivacyIdea server before the server starts authenticating tokens. Currently the PrivacyIdea server takes precedence…


An offline OTP token is supposed to not be used in an online scenario. An authentication against privacyIDEA must not work! Otherwise this would be a huge attack vector.