SA Server 4.0 and 5.2/IDConfirm 1000 using Time based IDProve tokens All server O/S's.
With time-based IDProve (Easy v3) unconnected tokens, the time window for authenticating with OTPs is 30 seconds. Every 30 seconds, the OTP changes. The clock is set in the token at perso, and cannot be adjusted after that. On the server side, SA Server must be configured with an NTP (network time protocol) server for accurate time. Each time the token authenticates to SA Server, the server adjusts for the drift of the token. If a token is not used often, the amount of drift can surpass the threshold of the calculation of OTP's on the server side, and the token becomes de-synchronized. If re-sync option in the SA Server User Portal fails to re-sync the token, follow these instructions:
Log into the SA Server/IDConfirm 1000 Admin Portal. Choose Manage Policies>View all Time Based Policies. You should see the policy as shown below. In the Time Based Policy Information; change the Manual Sync Window to 200, Update, then try to re-sync the tokens at issue. After tokens are re-sync'd, change the setting back to default. If you continue to have this issue, or have users that only authenticate occasionally, set the Authentication Window to 5, and Manual Sync Window to 100.
To understand the meaning of the different fields please look at this FAQ: "What are the meaning of the fields in the time-based policy"