Wrong otp value

I configured TOTP to run with LDAP proxy authentication. Everything was working well until two days ago. One of the users was unable to authenticate and got this error (see below):
[2020-03-10 08:30:39,961][31771][139844622030592][ERROR][privacyidea.lib.auditmodules.sqlaudit:241] DATA: {'info': 'wrong otp value', 'realm': u'com1', 'tokentype': None, 'success': False, 'privacyidea_server': '127.0.0.1', 'client_user_agent': None, 'client': '127.0.0.1', 'user': u'ellen', 'resolver': u'COM1', 'action_detail': '', 'action': 'POST /validate/check', 'serial': None}

Those are the TOTP token settings:
Default Time Step: 30
Time Window: 180
Default time shift: 0
Hash: sha1

The only thing I noticed was that the timeshift was 300. I solved this issue by removing the token and enrolling a new one:
[2020-03-10 08:50:58,308][31771][139844571674368][ERROR][privacyidea.lib.auditmodules.sqlaudit:241] DATA: {'info': 'matching 1 tokens', 'realm': u'com1', 'tokentype': u'totp', 'success': True, 'privacyidea_server': '127.0.0.1', 'client_user_agent': None, 'client': '127.0.0.1', 'user': u'ellen', 'resolver': u'COM1', 'action_detail': '', 'action': 'POST /validate/check', 'serial': u'TOTP004116E1'}

The TOTP token could slowly get out of sync through user laziness or clock drift.
If the clock then gets reset, the token is out of sync and you need to resync it manually.

Hi cornel,

Thank you for the answer. Is there any way to avoid this, because this happened also to another user?

  1. Keep accurate time on PI server and devices.
  2. Allow a bigger "window", e.g. plus/minus a minute.
  3. Use other tokens.
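To make the drift/resync mechanics discussed in this thread concrete, here is an added, self-contained Python example (not privacyIDEA's code, only a simplified model of the same idea). It implements RFC 6238 TOTP with the settings quoted above (30 s step, SHA1, a 180 s window applied as plus/minus around the expected counter, and a per-token timeshift that is updated on every successful check), then walks through a constructed scenario: a device clock that runs ahead a little more each day is silently absorbed into the stored timeshift until it reaches 300 s; when the device clock is then corrected, the stored shift puts the real code outside the window and the check fails, exactly the "wrong otp value" symptom. A two-OTP `resync` helper shows how the shift is brought back without re-enrolling. The `verify`, `resync` and `drift_scenario` names and all timestamps are constructed for this example.

```python
import hashlib
import hmac
import struct

STEP = 30       # "Default Time Step: 30" from the token settings above
WINDOW = 180    # "Time Window: 180" seconds, applied as +/- around the expected counter
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP over an 8-byte big-endian counter, HMAC-SHA1 ("Hash: sha1")."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the time-step counter as the moving factor."""
    return hotp(secret, unix_time // step, digits)


def verify(secret: bytes, otp: str, server_time: int, timeshift: int = 0,
           step: int = STEP, window: int = WINDOW):
    """Return (accepted, updated_timeshift).

    The server expects the device clock to read server_time + timeshift and
    accepts any counter within +/- window seconds of that. On success the
    offset of the matching counter is folded into the stored timeshift, so a
    device that drifts slowly keeps working (and the shift keeps growing)."""
    expected = (server_time + timeshift) // step
    steps = window // step
    for delta in range(-steps, steps + 1):
        if hmac.compare_digest(hotp(secret, expected + delta), otp):
            return True, timeshift + delta * step
    return False, timeshift


def resync(secret: bytes, otp1: str, otp2: str, server_time: int,
           search: int = 3600, step: int = STEP):
    """Manual resync from two consecutive OTPs (constructed helper): scan
    +/- search seconds for a counter c with otp1 at c and otp2 at c + 1 and
    return the new timeshift, or None if no such pair is found."""
    expected = server_time // step
    for delta in range(-(search // step), search // step + 1):
        c = expected + delta
        if (hmac.compare_digest(hotp(secret, c), otp1)
                and hmac.compare_digest(hotp(secret, c + 1), otp2)):
            return delta * step
    return None


def drift_scenario(secret: bytes) -> dict:
    """Constructed walk-through of the thread: the device runs a further 60 s
    ahead each day, the stored shift grows to 300 s, then the device clock is
    corrected and the real code falls outside the 180 s window."""
    results = {}
    shift = 0
    now = 1_600_000_000  # constructed server time
    for day in range(1, 6):
        now += 86_400
        device_clock = now + 60 * day
        ok, shift = verify(secret, totp(secret, device_clock), now, shift)
        assert ok, "drifting device is still inside the window"
    results["shift_after_drift"] = shift  # 300

    now += 86_400
    # Device clock corrected: it now agrees with the server, but the token
    # record still expects it 300 s ahead, which is outside +/- 180 s.
    ok, _ = verify(secret, totp(secret, now), now, shift)
    results["accepted_after_clock_reset"] = ok  # False: the "wrong otp value" case

    # Two consecutive codes from the corrected device let the server relearn the shift.
    new_shift = resync(secret, totp(secret, now), totp(secret, now + STEP), now)
    results["shift_after_resync"] = new_shift  # 0
    return results


if __name__ == "__main__":
    demo_secret = b"12345678901234567890"  # RFC 6238 test-vector secret
    print(drift_scenario(demo_secret))
```

The `window` parameter corresponds to the "Time Window" setting and the `timeshift` argument to the per-token shift that was observed at 300 in the thread; widening the window buys tolerance for a single jump, while keeping server and device clocks accurate (item 1 above) is what stops the stored shift from creeping in the first place.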