Resync a hardware token

This help page explains the resync feature for hardware tokens enrolled in Akamai MFA.

Hardware tokens generate one-time passcodes that Akamai MFA validates using a shared secret and an expected position in the code sequence:

  • TOTP tokens generate codes based on time steps (intervals).
  • HOTP tokens generate codes based on an incrementing counter.

If a token gets out of sync, usually due to time drift or repeated button presses, valid codes may no longer fall within the normal validation range, causing authentication failures. Resync lets Akamai MFA realign with the user’s token.

Resync hardware tokens in Akamai MFA

The following solutions can help you recover hardware tokens that are out of sync.

Baseline resync

During authentication, if the hardware token isn’t in sync, Akamai MFA checks a small range of possible valid codes around the expected value.

  • If a valid code is found within the allowed range, Akamai MFA asks the user to enter the next code to resync their token.
  • If the token is too far out of sync and no adjacent valid code is found, the user’s code is rejected and authentication fails. To recover hardware tokens that are in this state, you can use the extended resync feature.

Baseline resync is always active and available for all hardware tokens enrolled by your organization.

Extended resync

Extended resync lets you recover tokens that are significantly out of sync, without replacing the token. This feature enables a larger search range for valid codes the next time the user tries to authenticate using the hardware token. To start extended recovery for a hardware token, find the hardware token on the Devices page and click Resync. This makes the hardware token eligible for extended resync for up to two days. If the user that the token is assigned to successfully completes the resync within that time, the token is taken out of extended resync mode and can be used again to authenticate in Akamai MFA.
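
The baseline and extended resync behavior described above can be illustrated with a standard RFC 4226 HOTP validator. This is an added example, not Akamai MFA code: the window sizes, the forward-only search, and the function names are assumptions, because the page does not state the real search ranges.

```python
import hashlib
import hmac
import struct

BASELINE_WINDOW = 3    # assumed: small look-ahead that is always active
EXTENDED_WINDOW = 200  # assumed: larger look-ahead while a token is flagged for resync

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def find_counter(secret, code, expected, window):
    """Return the first counter in [expected, expected + window] producing code."""
    for counter in range(expected, expected + window + 1):
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None

def authenticate(secret, expected, code, next_code=None, extended=False):
    """Return (status, new_expected_counter) for one authentication attempt."""
    window = EXTENDED_WINDOW if extended else BASELINE_WINDOW
    match = find_counter(secret, code, expected, window)
    if match is None:
        return "rejected", expected          # too far out of sync for this window
    if match == expected:
        return "ok", expected + 1            # token and server agree
    if next_code is None:
        return "need_next_code", expected    # ahead of server: ask for the next code
    if hmac.compare_digest(hotp(secret, match + 1), next_code):
        return "resynced", match + 2         # two consecutive codes prove possession
    return "rejected", expected              # failed attempts never move the counter

if __name__ == "__main__":
    secret = b"12345678901234567890"         # RFC 4226 test secret, not a real key
    pressed_9 = hotp(secret, 9)              # constructed: button pressed 9 extra times
    print(authenticate(secret, 0, pressed_9))
    print(authenticate(secret, 0, pressed_9, hotp(secret, 10), extended=True))
```

Requiring the next consecutive code before moving the counter keeps the wider search range from making a single guessed code more likely to be accepted.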

When to use extended resync

  • A user reports that valid token codes are being rejected.
  • The token has drifted too far for baseline resync to recover.

Troubleshooting

If resync doesn’t resolve the issue or the hardware token falls out of sync frequently, consider the following:

  • As a TOTP hardware token’s battery begins to fail, the device clock may drift more rapidly, making the device unreliable. If the token requires regular resyncs to work, Akamai recommends replacing the hardware token.
  • If a HOTP hardware token has been pressed an excessive number of times since the last successful authentication, and resync attempts fail, its counter may be outside of the extended resync range. HOTP tokens that are in this state are unrecoverable.