6.7. Manage tokens

You can now manage all your existing tokens. This includes the already described processes of enrolling and assigning tokens.

6.7.1. Unassign

If a user does not need his token anymore, the token can be unassigned from the user.

The token will not be assigned to the user anymore and the OTP PIN of the token gets cleared.

6.7.2. Remove

If a token is completely lost or is not needed anymore, the token can be removed from the token database.

Note

All entries about this token will remain in the audit trail.

6.7.3. Disable

If a user should not use the token for authenticating – maybe because he forgot the token somewhere – the token can be disabled. This is reflected by the column “active”.

In the GTK client you can disable all tokens of a user by choosing the user in the users tab, right-click and choose “disable”. All tokens that are assigned to the user are disabled.

Note

Later you can enable the token again.

6.7.4. Reset failcounter

The failcounter reflects how often the user failed to authenticate with this token.

The failcounter is increased under the following conditions:

  • The last 6 or 8 characters (the OTP length of the token) are removed from the provided password. This part is assumed to be the OTP value. The remaining leading characters are interpreted as the fixed OTP password / OTP PIN.
  • If LinOTP finds a token that matches this OTP PIN but not the OTP value, the failcounter of this very token is increased.
  • If LinOTP does not find a token that matches the OTP PIN, the failcounters of all tokens assigned to this user are increased.
  • If the failcounter reaches the value of max failcounter, login with this token is not possible anymore and the failcounter is not increased any further.
  • If the user authenticates successfully, the failcounter of this token is reset to zero.

To reset the failcounter manually, select a token in the token view, right-click [1] and choose “reset failcount”. You may also select several tokens to reset the failcounter.

6.7.5. Resync token

Event based tokens like the HOTP token have a counter that is increased every time a new OTP value is generated. The LinOTP server tracks this counter as well.

The LinOTP server has a “count window” defined per token. The server will try to validate the entered OTP value within this count window.

The two counters run out of sync when OTP values are generated on the token but never passed to the LinOTP server for authentication. If the user generates many new OTP values but only authenticates with the 20th one while the count window on the server is only 10, the server will not find this OTP value within the count window and will fail to validate it.

The token is out of sync and needs to be resynced.

Note

You can also use the autosync function described in section System config.

To resync the token manually

  • select a token
  • choose “Resync Token”
  • and enter two consecutive OTP values.
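The following is an added example that models the PIN + OTP split, the failcounter rules from section 6.7.4 and the count window and resync procedure from section 6.7.5 in a small simulation. It is not LinOTP code: hotp() is the RFC 4226 algorithm with its published test key, while the Token fields, the window sizes, the 1000-step resync window and the lookup rules are simplified assumptions about the behaviour the text describes.

```python
"""Toy model of the PIN+OTP check, failcounter and resync behaviour described
above. Added example, not LinOTP code: hotp() is RFC 4226; everything else
(Token fields, window sizes, lookup rules) is a simplified assumption."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import List, Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for one counter (HMAC-SHA1, dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


@dataclass
class Token:
    serial: str
    secret: bytes
    pin: str                    # fixed OTP PIN, typed in front of the OTP
    counter: int = 0            # next counter the server expects
    digits: int = 6             # OTP length; decides where the PIN ends
    count_window: int = 10      # how far ahead of `counter` a login may be
    failcount: int = 0
    max_failcount: int = 10
    active: bool = True

    def locked(self) -> bool:
        return (not self.active) or self.failcount >= self.max_failcount

    def check_otp(self, otp: str) -> Optional[int]:
        """Search counter .. counter+count_window-1; return the matching counter."""
        for c in range(self.counter, self.counter + self.count_window):
            if hmac.compare_digest(hotp(self.secret, c, self.digits), otp):
                return c
        return None

    def fail(self) -> None:
        """Increase the failcounter, but never beyond max_failcount."""
        self.failcount = min(self.failcount + 1, self.max_failcount)


def check_password(tokens: List[Token], password: str) -> bool:
    """Validate `PIN + OTP` against all tokens of one user, updating failcounters."""
    pin_matched: List[Token] = []
    for t in tokens:
        if len(password) <= t.digits:
            continue
        pin, otp = password[:-t.digits], password[-t.digits:]
        if not hmac.compare_digest(pin.encode(), t.pin.encode()):
            continue
        pin_matched.append(t)
        if t.locked():
            continue                       # disabled or at max failcount
        found = t.check_otp(otp)
        if found is not None:
            t.counter = found + 1          # value consumed; replay is rejected
            t.failcount = 0                # success resets the failcounter
            return True
    # PIN matched but OTP did not: those tokens. No PIN match: every token.
    for t in (pin_matched or tokens):
        t.fail()
    return False


def resync(token: Token, otp1: str, otp2: str, sync_window: int = 1000) -> bool:
    """Manual resync: find two consecutive OTP values inside a larger sync window."""
    for c in range(token.counter, token.counter + sync_window):
        if (hmac.compare_digest(hotp(token.secret, c, token.digits), otp1)
                and hmac.compare_digest(hotp(token.secret, c + 1, token.digits), otp2)):
            token.counter = c + 2          # both values are consumed
            return True
    return False


def demo() -> dict:
    """Walk through the scenarios from the text (constructed data, RFC 4226 key)."""
    key = b"12345678901234567890"
    tok = Token("HOTP0001", key, pin="1234")
    r = {}
    r["login_ok"] = check_password([tok], "1234" + hotp(key, 0))        # True
    r["replay"] = check_password([tok], "1234" + hotp(key, 0))          # False, failcount 1
    r["wrong_pin"] = check_password([tok], "9999" + hotp(key, 1))       # False, failcount 2
    # The user pressed the button 20 more times: the token is at counter 21,
    # the server at 1 with a window of 10, so the value is out of sync.
    r["out_of_sync"] = check_password([tok], "1234" + hotp(key, 21))    # False, failcount 3
    r["failcount_before_resync"] = tok.failcount
    r["resync"] = resync(tok, hotp(key, 21), hotp(key, 22))             # True, counter 23
    r["after_resync"] = check_password([tok], "1234" + hotp(key, 23))   # True, failcount 0
    r["failcount_after_login"] = tok.failcount
    # Lockout: with max_failcount 3 the fourth bad OTP no longer raises the
    # counter, and even the right OTP is refused until the failcount is reset.
    weak = Token("HOTP0002", key, pin="0000", max_failcount=3)
    for _ in range(4):
        check_password([weak], "0000999999")
    r["locked_failcount"] = weak.failcount                              # 3
    r["locked_login"] = check_password([weak], "0000" + hotp(key, 0))   # False
    weak.failcount = 0                                                  # "reset failcount"
    r["unlocked_login"] = check_password([weak], "0000" + hotp(key, 0)) # True
    return r
```

Note that the wrong-PIN attempt raises the failcounter of every token of the user, not just the one eventually used, and that resync only moves the server counter forward; it does not clear the failcounter, which still has to be reset as in section 6.7.4 if the token has already been locked.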
[1] The right-click works in the GTK client. In the Web UI you need to choose “reset failcounter” from the left sidebar.