Authentication method

Question

Authentication method

Sailendra Kumar Reddy Challa 0

"I assigned the OATH token to a user. The user entered the correct code from the disabled hardware, but authentication failed, and they received the error message: 'The verification code entered is incorrect. Please try again.'"

Sidney Murciano 5 Reputation points

2025-04-25T08:58:29.48+00:00
Hi Sailendra,

Hope my message finds you well!

Here are a few steps to troubleshoot and (try to) resolve this issue:

Check Token Status:

Verify the Token is Active: Even though the hardware token is disabled, it could still be assigned to the user in the system, causing issues. Make sure the OATH (One-Time Authentication) token assigned to the user is active and not disabled or expired.

Reassign Token: If the token was disabled, try reassigning a new one or re-enabling the current token to see if it resolves the issue.

Verify Time Synchronization:

Time Drift: Hardware tokens typically rely on time-based algorithms (e.g., TOTP - Time-based One-Time Password), so if there is a time drift between the token and the authentication server, the code may be rejected. Ensure that the time on the user’s device and the server is synchronized correctly.

Check Server and User Device Clocks: Both should have accurate time, ideally synchronized to a time server.

Token Resynchronization:

If you’re using an OATH token that is out of sync with the system, you might need to resynchronize the token. This can be done through your identity provider’s admin portal or by issuing a new token if necessary.

Test with a New Token:

If possible, issue a new token (whether hardware or software-based) and assign it to the user. This can help rule out if the original token was the issue.

Clear Cached Credentials:

Have the user clear any cached credentials or stored authentication data on their device or browser. Sometimes, cached tokens or credentials may interfere with the new authentication request.

Check Authentication Logs:

Review the authentication logs for more details on why the code was rejected. The logs might show if there were issues with token validation or if there was an error with the OATH token configuration.Here are a few steps to troubleshoot and resolve this issue:

Check Token Status:

Verify the Token is Active: Even though the hardware token is disabled, it could still be assigned to the user in the system, causing issues. Make sure the OATH (One-Time Authentication) token assigned to the user is active and not disabled or expired.

Reassign Token: If the token was disabled, try reassigning a new one or re-enabling the current token to see if it resolves the issue.

Verify Time Synchronization:

Time Drift: Hardware tokens typically rely on time-based algorithms (e.g., TOTP - Time-based One-Time Password), so if there is a time drift between the token and the authentication server, the code may be rejected. Ensure that the time on the user’s device and the server is synchronized correctly.

Check Server and User Device Clocks: Both should have accurate time, ideally synchronized to a time server.

Token Resynchronization:

If you’re using an OATH token that is out of sync with the system, you might need to resynchronize the token. This can be done through your identity provider’s admin portal or by issuing a new token if necessary.

Test with a New Token:

If possible, issue a new token (whether hardware or software-based) and assign it to the user. This can help rule out if the original token was the issue.

Clear Cached Credentials:

Have the user clear any cached credentials or stored authentication data on their device or browser. Sometimes, cached tokens or credentials may interfere with the new authentication request.

Check Authentication Logs:

Review the authentication logs for more details on why the code was rejected. The logs might show if there were issues with token validation or if there was an error with the OATH token configuration.
Sanoop M 4,310 Reputation points Moderator

2025-04-29T09:45:32.02+00:00

Hello @Sailendra Kumar Reddy Challa,

I am following up to check whether if you had a chance to review my below answer where I have updated you to check few settings if it is properly configured.

Please let me know if you have any queries.
Sanoop M 4,310 Reputation points Moderator

2025-05-05T02:03:15.1433333+00:00

Hello @Sailendra Kumar Reddy Challa,

Since we didn't receive your response on my below answer, I am following up to check whether if you had a chance to review my below answer where I have updated you to check few settings if it is properly configured.

Please let me know if you have any queries.

1 answer

Your answer

Sanoop M 4,310 Reputation points Moderator

2025-04-29T09:45:32.02+00:00

Hello @Sailendra Kumar Reddy Challa,

I am following up to check whether if you had a chance to review my below answer where I have updated you to check few settings if it is properly configured.

Please let me know if you have any queries.
Sanoop M 4,310 Reputation points Moderator

2025-05-05T02:03:15.1433333+00:00

Hello @Sailendra Kumar Reddy Challa,

Since we didn't receive your response on my below answer, I am following up to check whether if you had a chance to review my below answer where I have updated you to check few settings if it is properly configured.

Please let me know if you have any queries.

Answer 1

Hello @Sailendra Kumar Reddy Challa,

In addition to the information provided by @Sidney Murciano , could you please share us the error message screenshot.

Could you please let us know why the user tried to enter the correct code from the disabled hardware.

Please let us know if the Hardware OATH token settings is disabled tenant wide for all the users or for some specific users.

Please make sure if the below steps are configured correctly.

To enable hardware OATH tokens in the Microsoft Entra admin center:

1.Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator.

2.Browse to Entra ID > Authentication methods > Hardware OATH tokens (Preview).

3.Select Enable, choose which groups of users to include in the policy, and select Save.

Screenshot of how to enable hardware OATH tokens in the Microsoft Entra admin center.

We recommend that you migrate to the Authentication methods policy to manage hardware OATH tokens. If you enable OATH tokens in the legacy MFA policy, browse to the policy in the Microsoft Entra admin center as an Authentication Policy Administrator: Entra ID > Multifactor authentication > Additional cloud-based multifactor authentication settings. Clear the checkbox for Verification code from mobile app or hardware token.

Please let me know if you have any queries.

Share via

Authentication method

1 answer

Your answer