Is it a problem to change timeshift and timewindow in the tokeninfo table with SQL?

Hello, we are in the process of migrating to privacyidea. We installed a 3.10.2 and as our users are migrated from old to new vpn we discovered that some users can’t login anymore after a few days.
After browsing the community forums I found similar problems but with no solution.

We have autoresync enabled and some users have a timeshift value of -150 but the timewindow value is 120 so they can’t connect anymore. If we resync the token from the interface the timeshift value is reset to a correct value (around 0).

I thought from reading that enabling a really wide autoresync value (like 1000) could resolve the problem, but it does not. I set it to a low value of 60s.
Most of the tokens were set with a timewindow of 120s, so I wanted to enlarge it to 180s and eventually reset the tokens that are already past the boundaries.

Am I misunderstanding or not?

Thanks for your help.

If the timeshift drifts far away, you really have a problem during authentication.

However, users who enter the TOTP value very late can of course also push the timeshift out of boundaries.

Autosync does not simply increase the timewindow. With autosync the user has to know what he is doing. The user will have to enter one TOTP value. Auth will fail. Then the user will have to enter the next OTP value and privacyIDEA will try to sync the token with these two consecutive values.

Yes, you can set timeshift to 0 in the database.
You can also set the timewindow to any arbitrary value (int) in the database.
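
The behaviour described in the answers above, as an added example that is not privacyIDEA's code and not part of the original posts: a simplified model of a TOTP check around `server_time + timeshift` and of a resync from two consecutive values. The function names, the key, the timestamps and the 200 s device drift are constructed assumptions.

```python
import hashlib
import hmac
import struct

STEP = 30  # TOTP time step in seconds (RFC 6238 default)

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for one counter."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def check_otp(key, otp, server_time, timeshift, timewindow):
    """Search +/- timewindow seconds around server_time + timeshift."""
    centre = (server_time + timeshift) // STEP
    span = timewindow // STEP
    for c in range(centre - span, centre + span + 1):
        if hmac.compare_digest(hotp(key, c), otp):
            return c
    return None

def resync(key, otp1, otp2, server_time, syncwindow):
    """Find two consecutive values in a wider window; return the new timeshift."""
    centre = server_time // STEP
    span = syncwindow // STEP
    for c in range(centre - span, centre + span + 1):
        if (hmac.compare_digest(hotp(key, c), otp1)
                and hmac.compare_digest(hotp(key, c + 1), otp2)):
            return (c + 1) * STEP - server_time  # token time minus server time
    return None

def demo():
    key = b"constructed-demo-key"      # constructed secret
    now = 1_700_000_000                # constructed server time
    dev = (now - 200) // STEP          # device clock is 200 s behind
    first, second = hotp(key, dev), hotp(key, dev + 1)
    before = check_otp(key, first, now, timeshift=0, timewindow=120)
    shift = resync(key, first, second, now, syncwindow=1000)
    after = check_otp(key, second, now, timeshift=shift, timewindow=120)
    return before, shift, after

if __name__ == "__main__":
    print(demo())
```

In this model the first value alone fails inside the 120 s window, and only the pair of consecutive values moves the stored shift so that later checks succeed without widening the window.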

From your explanation, I think maybe I should disable the “automatic resync during authentication” in the global preferences. I will reread “the fucking manual” :smiley:

Thank you for your answers.