The time shift records any misalignment between the time recorded on the authenticator and the time recorded on the server each time a user authenticates. This ensures that if either clock drifts from the correct time, a shift within a certain range will be tolerated by OneSpan Authentication Server. The user will still be able to authenticate. If the time drift goes beyond the allowable time window between user authentication requests, the authenticator record has to be reset (to allow the recalculation of the time drift).

The time window may be 5 steps in either direction.

This means that 11 OTP values would be considered valid, i.e. the OTP for that exact time, and the OTP values for the 5 previous and the 5 subsequent time steps. If the provided OTP is for a different time step, the time shift for that authenticator is recorded. The next time the user authenticates, the expected OTP will be calculated based on that time shift.

The current number of uses of the authenticator application, according to the authenticator. This can get out of sync with the number of uses recorded by OneSpan Authentication Server when:

• Authentication failed for reasons other than incorrect OTP values.
• The authenticator has been used without an effective authentication happening (for example, children have been playing with it).
• The authenticator is being used to authenticator to two separate systems.

The purpose of this setting is similar to that of the last time shift setting. It allows OneSpan Authentication Server to track any shifts between the event count recorded by itself and the authenticator.